{"ID":78539,"post_author":"9203512","post_date":"2019-01-04 17:51:53","post_date_gmt":"0000-00-00 00:00:00","post_content":"","post_title":"Web Application Security: A Comprehensive Overview","post_excerpt":"","post_status":"draft","comment_status":"closed","ping_status":"closed","post_password":"","post_name":"","to_ping":"","pinged":"","post_modified":"2019-01-04 17:51:53","post_modified_gmt":"2019-01-04 22:51:53","post_content_filtered":"","post_parent":0,"guid":"https:\/\/www.limsforum.com\/?post_type=ebook&p=78539","menu_order":0,"post_type":"ebook","post_mime_type":"","comment_count":"0","filter":"","_ebook_metadata":{"enabled":"on","private":"0","guid":"A36D99A7-526E-4EC1-B236-230AE1004474","title":"Web Application Security: A Comprehensive Overview","subtitle":"","cover_theme":"nico_20","cover_image":"https:\/\/www.limsforum.com\/wp-content\/plugins\/rdp-ebook-builder\/pl\/cover.php?cover_style=nico_20&subtitle=&editor=Shawn+Douglas&title=Web+Application+Security%3A+A+Comprehensive+Overview&title_image=https%3A%2F%2Fwww.limsforum.com%2Fwp-content%2Fuploads%2FWebAppSec.png&publisher=LabLynx+Press","editor":"Shawn Douglas","publisher":"LabLynx Press","author_id":"26","image_url":"","items":{"d70283bb6c626678369e40b227bfe029_type":"article","d70283bb6c626678369e40b227bfe029_title":"Authors","d70283bb6c626678369e40b227bfe029_url":"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Authors","d70283bb6c626678369e40b227bfe029_plaintext":"\n\n\t\t\n\t\t\t\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\n\n\t\t\t\tLII:Web Application Security Guide\/Authors\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\tFrom LIMSWiki\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\tJump to: navigation, search\n\n\t\t\t\t\t\n\t\t\t\t\t\n\n Contents\n\n1 Notes \n\n\n\n\nThe initial version of the Web Application Security Guide was written in 2011 by Jan Schejbal.\nThe main contributors to the current version are:\n\n Jan Schejbal\nOther contributors who can be seen on the version tab of each page have helped 
to improve this guide.\n\nNotes \nThe original source for this page is the associated Wikibooks article and is shared here under the CC BY-SA 3.0 license.\n\n\n\n\n\n\nSource: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Authors\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Authors<\/a>\n\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\n\t\t\t\n\t\t\n\t\t\n\t\t\tNavigation menu\n\t\t\t\t\t\n\t\t\tViews\n\n\t\t\t\n\t\t\t\t\n\t\t\t\tLII\n\t\t\t\tDiscussion\n\t\t\t\tView source\n\t\t\t\tHistory\n\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\n\t\t\t\t\n\t\t\t\tPersonal tools\n\n\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\t\t\tLog in\n\t\t\t\t\t\t\t\t\t\t\t\t\tRequest account\n\t\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\n\t\t\t\n\t\t\t\n\t\t\t\t\n\t\t\t\n\t\t\t\t\n\t\tNavigation\n\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\tMain page\n\t\t\t\t\t\t\t\t\t\t\tRecent changes\n\t\t\t\t\t\t\t\t\t\t\tRandom page\n\t\t\t\t\t\t\t\t\t\t\tHelp\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\n\t\t\t\n\t\t\tSearch\n\n\t\t\t\n\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t \n\t\t\t\t\t\t\n\t\t\t\t\n\n\t\t\t\t\t\t\t\n\t\t\n\t\t\t\n\t\t\tTools\n\n\t\t\t\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\tWhat links here\n\t\t\t\t\t\t\t\t\t\t\tRelated changes\n\t\t\t\t\t\t\t\t\t\t\tSpecial pages\n\t\t\t\t\t\t\t\t\t\t\tPermanent link\n\t\t\t\t\t\t\t\t\t\t\tPage information\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\n\t\t\n\t\tPrint\/export\n\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\tCreate a book\n\t\t\t\t\t\t\t\t\t\t\tDownload as PDF\n\t\t\t\t\t\t\t\t\t\t\tDownload as Plain text\n\t\t\t\t\t\t\t\t\t\t\tPrintable version\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\n\t\t\n\t\tSponsors\n\t\t\n\t\t\t \r\n\n\t\r\n\n\t\r\n\n\t\r\n\n\t\n\t\r\n\n \r\n\n\t\n\t\r\n\n 
\r\n\n\t\n\t\r\n\n\t\n\t\r\n\n\t\r\n\n\t\r\n\n\t\r\n\t\t\n\t\t\n\t\t\t\n\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t This page was last modified on 10 August 2016, at 21:48.\n\t\t\t\t\t\t\t\t\tThis page has been accessed 220 times.\n\t\t\t\t\t\t\t\t\tContent is available under a Creative Commons Attribution-ShareAlike 4.0 International License unless otherwise noted.\n\t\t\t\t\t\t\t\t\tPrivacy policy\n\t\t\t\t\t\t\t\t\tAbout LIMSWiki\n\t\t\t\t\t\t\t\t\tDisclaimers\n\t\t\t\t\t\t\t\n\t\t\n\t\t\n\t\t\n\n","d70283bb6c626678369e40b227bfe029_html":"<body class=\"mediawiki ltr sitedir-ltr ns-202 ns-subject page-LII_Web_Application_Security_Guide_Authors skin-monobook action-view\">\n<div id=\"rdp-ebb-globalWrapper\">\n\t\t<div id=\"rdp-ebb-column-content\">\n\t\t\t<div id=\"rdp-ebb-content\" class=\"mw-body\" role=\"main\">\n\t\t\t\t<a id=\"rdp-ebb-top\"><\/a>\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t<h1 id=\"rdp-ebb-firstHeading\" class=\"firstHeading\" lang=\"en\">LII:Web Application Security Guide\/Authors<\/h1>\n\t\t\t\t\n\t\t\t\t<div id=\"rdp-ebb-bodyContent\" class=\"mw-body-content\">\n\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\n\n\t\t\t\t\t<!-- start content -->\n\t\t\t\t\t<div id=\"rdp-ebb-mw-content-text\" lang=\"en\" dir=\"ltr\" class=\"mw-content-ltr\"><table cellspacing=\"0\" cellpadding=\"0\" style=\"clear: right; margin-bottom: .5em; float: right; padding: .5em 0 .8em 1.4em; background: none; width: auto;\">\n<tr>\n<td> \n\n<\/td><\/tr><\/table>\n<p>The initial version of the Web Application Security Guide was written in 2011 by Jan Schejbal.\n<\/p><p>The main contributors to the current version are:\n<\/p>\n<ul><li> <a href=\"https:\/\/en.wikibooks.org\/wiki\/User:Janschejbal\" class=\"extiw\" title=\"wikibooks:User:Janschejbal\" rel=\"external_link\" target=\"_blank\">Jan Schejbal<\/a><\/li><\/ul>\n<p>Other contributors who can be seen on the version tab of each 
page have helped to improve this guide.\n<\/p>\n<h2><span class=\"mw-headline\" id=\"Notes\">Notes<\/span><\/h2>\n<p>The original source for this page is <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/en.wikibooks.org\/wiki\/Web_Application_Security_Guide\/Authors\" target=\"_blank\">the associated Wikibooks article<\/a> and is shared here under the <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/creativecommons.org\/licenses\/by-sa\/3.0\/\" target=\"_blank\">CC BY-SA 3.0<\/a> license.\n<\/p>\n<!-- \nNewPP limit report\nCached time: 20190104225202\nCache expiry: 86400\nDynamic content: false\nCPU time usage: 0.009 seconds\nReal time usage: 0.013 seconds\nPreprocessor visited node count: 11\/1000000\nPreprocessor generated node count: 70\/1000000\nPost\u2010expand include size: 165\/2097152 bytes\nTemplate argument size: 0\/2097152 bytes\nHighest expansion depth: 3\/40\nExpensive parser function count: 0\/100\n-->\n\n<!-- \nTransclusion expansion time report (%,ms,calls,template)\n100.00% 3.098 1 - Template:TOC_right\n100.00% 3.098 1 - -total\n-->\n\n<!-- Saved in parser cache with key limswiki:pcache:idhash:9038-0!*!*!*!en!*!* and timestamp 20190104225202 and revision id 26894\n -->\n<\/div><div class=\"printfooter\">Source: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Authors\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Authors<\/a><\/div>\n\t\t\t\t\t\t\t\t\t\t<!-- end content -->\n\t\t\t\t\t\t\t\t\t\t<div class=\"visualClear\"><\/div>\n\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t<!-- end of the left (by default at least) column -->\n\t\t<div class=\"visualClear\"><\/div>\n\t\t\t\t\t\n\t\t<\/div>\n\t\t\n\n<\/body>","d70283bb6c626678369e40b227bfe029_images":[],"d70283bb6c626678369e40b227bfe029_timestamp":1546642322,"c34366918b1a832cc21cb64bb832bdbf_type":"article","c34366918b1a832cc21cb64bb832bdbf_title":"Further 
reading","c34366918b1a832cc21cb64bb832bdbf_url":"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Further_reading","c34366918b1a832cc21cb64bb832bdbf_plaintext":"\n\n\t\t\n\t\t\t\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\n\n\t\t\t\tLII:Web Application Security Guide\/Further reading\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\tFrom LIMSWiki\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\tJump to: navigation, search\n\n\t\t\t\t\t\n\t\t\t\t\t\n\n Contents\n\n1 Notes \n\n\n\n\nA similar guide can be found at https:\/\/wiki.mozilla.org\/WebAppSec\/Secure_Coding_Guidelines.\nOWASP provides good information about many web application security issues, with a large list of vulnerabilities to learn about and avoid.\n\nNotes \nThe original source for this page is the associated Wikibooks article and is shared here under the CC BY-SA 3.0 license.\n\n\n\n\n\n\nSource: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Further_reading\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Further_reading<\/a>\n\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\n\t\t\t\n\t\t\n\t\t\n\t\t\tNavigation menu\n\t\t\t\t\t\n\t\t\tViews\n\n\t\t\t\n\t\t\t\t\n\t\t\t\tLII\n\t\t\t\tDiscussion\n\t\t\t\tView source\n\t\t\t\tHistory\n\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\n\t\t\t\t\n\t\t\t\tPersonal tools\n\n\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\t\t\tLog in\n\t\t\t\t\t\t\t\t\t\t\t\t\tRequest account\n\t\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\n\t\t\t\n\t\t\t\n\t\t\t\t\n\t\t\t\n\t\t\t\t\n\t\tNavigation\n\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\tMain page\n\t\t\t\t\t\t\t\t\t\t\tRecent changes\n\t\t\t\t\t\t\t\t\t\t\tRandom page\n\t\t\t\t\t\t\t\t\t\t\tHelp\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\n\t\t\t\n\t\t\tSearch\n\n\t\t\t\n\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t \n\t\t\t\t\t\t\n\t\t\t\t\n\n\t\t\t\t\t\t\t\n\t\t\n\t\t\t\n\t\t\tTools\n\n\t\t\t\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\tWhat links here\n\t\t\t\t\t\t\t\t\t\t\tRelated 
changes\n\t\t\t\t\t\t\t\t\t\t\tSpecial pages\n\t\t\t\t\t\t\t\t\t\t\tPermanent link\n\t\t\t\t\t\t\t\t\t\t\tPage information\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\n\t\t\n\t\tPrint\/export\n\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\tCreate a book\n\t\t\t\t\t\t\t\t\t\t\tDownload as PDF\n\t\t\t\t\t\t\t\t\t\t\tDownload as Plain text\n\t\t\t\t\t\t\t\t\t\t\tPrintable version\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\n\t\t\n\t\tSponsors\n\t\t\n\t\t\t \r\n\n\t\r\n\n\t\r\n\n\t\r\n\n\t\n\t\r\n\n \r\n\n\t\n\t\r\n\n \r\n\n\t\n\t\r\n\n\t\n\t\r\n\n\t\r\n\n\t\r\n\n\t\r\n\t\t\n\t\t\n\t\t\t\n\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t This page was last modified on 10 August 2016, at 21:46.\n\t\t\t\t\t\t\t\t\tThis page has been accessed 273 times.\n\t\t\t\t\t\t\t\t\tContent is available under a Creative Commons Attribution-ShareAlike 4.0 International License unless otherwise noted.\n\t\t\t\t\t\t\t\t\tPrivacy policy\n\t\t\t\t\t\t\t\t\tAbout LIMSWiki\n\t\t\t\t\t\t\t\t\tDisclaimers\n\t\t\t\t\t\t\t\n\t\t\n\t\t\n\t\t\n\n","c34366918b1a832cc21cb64bb832bdbf_html":"<body class=\"mediawiki ltr sitedir-ltr ns-202 ns-subject page-LII_Web_Application_Security_Guide_Further_reading skin-monobook action-view\">\n<div id=\"rdp-ebb-globalWrapper\">\n\t\t<div id=\"rdp-ebb-column-content\">\n\t\t\t<div id=\"rdp-ebb-content\" class=\"mw-body\" role=\"main\">\n\t\t\t\t<a id=\"rdp-ebb-top\"><\/a>\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t<h1 id=\"rdp-ebb-firstHeading\" class=\"firstHeading\" lang=\"en\">LII:Web Application Security Guide\/Further reading<\/h1>\n\t\t\t\t\n\t\t\t\t<div id=\"rdp-ebb-bodyContent\" class=\"mw-body-content\">\n\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\n\n\t\t\t\t\t<!-- start content -->\n\t\t\t\t\t<div id=\"rdp-ebb-mw-content-text\" lang=\"en\" dir=\"ltr\" class=\"mw-content-ltr\"><table cellspacing=\"0\" cellpadding=\"0\" style=\"clear: right; margin-bottom: .5em; float: right; 
padding: .5em 0 .8em 1.4em; background: none; width: auto;\">\n<tr>\n<td> \n\n<\/td><\/tr><\/table>\n<p>A similar guide can be found at <a rel=\"external_link\" class=\"external free\" href=\"https:\/\/wiki.mozilla.org\/WebAppSec\/Secure_Coding_Guidelines\" target=\"_blank\">https:\/\/wiki.mozilla.org\/WebAppSec\/Secure_Coding_Guidelines<\/a>.\n<\/p><p><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/www.owasp.org\/index.php\/Main_Page\" target=\"_blank\">OWASP<\/a> provides good information about many web application security issues, with a large list of <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/www.owasp.org\/index.php\/Category:Vulnerability\" target=\"_blank\">vulnerabilities<\/a> to learn about and avoid.\n<\/p>\n<h2><span class=\"mw-headline\" id=\"Notes\">Notes<\/span><\/h2>\n<p>The original source for this page is <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/en.wikibooks.org\/wiki\/Web_Application_Security_Guide\/Further_reading\" target=\"_blank\">the associated Wikibooks article<\/a> and is shared here under the <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/creativecommons.org\/licenses\/by-sa\/3.0\/\" target=\"_blank\">CC BY-SA 3.0<\/a> license.\n<\/p>\n<!-- \nNewPP limit report\nCached time: 20190104225202\nCache expiry: 86400\nDynamic content: false\nCPU time usage: 0.009 seconds\nReal time usage: 0.013 seconds\nPreprocessor visited node count: 11\/1000000\nPreprocessor generated node count: 70\/1000000\nPost\u2010expand include size: 165\/2097152 bytes\nTemplate argument size: 0\/2097152 bytes\nHighest expansion depth: 3\/40\nExpensive parser function count: 0\/100\n-->\n\n<!-- \nTransclusion expansion time report (%,ms,calls,template)\n100.00% 3.389 1 - Template:TOC_right\n100.00% 3.389 1 - -total\n-->\n\n<!-- Saved in parser cache with key limswiki:pcache:idhash:9037-0!*!*!*!en!*!* and timestamp 20190104225202 and revision id 26893\n -->\n<\/div><div 
class=\"printfooter\">Source: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Further_reading\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Further_reading<\/a><\/div>\n\t\t\t\t\t\t\t\t\t\t<!-- end content -->\n\t\t\t\t\t\t\t\t\t\t<div class=\"visualClear\"><\/div>\n\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t<!-- end of the left (by default at least) column -->\n\t\t<div class=\"visualClear\"><\/div>\n\t\t\t\t\t\n\t\t<\/div>\n\t\t\n\n<\/body>","c34366918b1a832cc21cb64bb832bdbf_images":[],"c34366918b1a832cc21cb64bb832bdbf_timestamp":1546642322,"bd543e49b7f540654591e0ff292b60c8_type":"article","bd543e49b7f540654591e0ff292b60c8_title":"SSL, TLS and HTTPS basics","bd543e49b7f540654591e0ff292b60c8_url":"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/SSL,_TLS_and_HTTPS_basics","bd543e49b7f540654591e0ff292b60c8_plaintext":"\n\n\t\t\n\t\t\t\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\n\n\t\t\t\tLII:Web Application Security Guide\/SSL, TLS and HTTPS basics\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\tFrom LIMSWiki\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\tJump to: navigation, search\n\n\t\t\t\t\t\n\t\t\t\t\t\n\n Contents\n\n1 SSL, TLS and HTTPS basics \n\n1.1 For maximum security \n1.2 Rationale \n\n\n2 Further reading \n3 Notes \n\n\n\n\nSSL, TLS and HTTPS basics \nSSL\/TLS provide encryption and authentication for HTTPS.\n\nFor maximum security \n Follow SSLLabs best practices including:\n Ensure SSLv2 is disabled.\n Generate private keys for certificates yourself, do not let your CA do it.\n Use an appropriate key length (usually 2048 bit in 2013).\n If possible, disable client-initiated renegotiation.\n Consider manually limiting\/setting cipher suites.\nRationale \nSSL is easy to do and hard to do right. SSLLabs provide good guidelines that are updated when new attacks are discovered.\nThe CA has no need-to-know for your private key. 
Depending on the cipher suite used, the private key can allow adversaries to decrypt passively eavesdropped communications. Thus, even if you trust the CA, it is better to avoid any risk. Generate a key and a CSR and provide only the CSR to the CA.\nIncreasing key length increases security, but also significantly increases the CPU load for connection establishment. 1024 bit keys will not be accepted by Mozilla Firefox anymore for certificates that expire after the year 2013. 2048 bit keys should be enough for all applications for quite a few years \u2013 using larger key sizes seems to be overkill. (All information based on 2013.) Note: The large CPU overhead of connection establishment can be used by (D)DoS attackers. Such DDoS attacks are harder to detect and defend against when client-initiated renegotiation is supported.\nSSL\/TLS supports a large set of \u201ccipher suites\u201d, each defining a set of cryptographic mechanisms used to secure the connection. Some of them do provide perfect forward secrecy, some do not. (Perfect forward secrecy means that if the private key becomes available to an attacker, he cannot decrypt data that was eavesdropped before he got the key). Usually, the client (browser) and server choose a cipher suite by first exchanging which suites are mutually supported, and the client\u2019s preferred suite is then chosen. Depending on setup, the server may choose the cipher suite, ignoring the client\u2019s preference. Most defaults are reasonably sane, but for either high-speed or high-security applications, you may want to consider restricting the supported\/preferred suites to fast or high-security suites. If you want to exclude clients that do not support sufficient security (e.g. ancient \u201cexport control\u201d limited clients), make sure to disable those cipher suites. When configuring cipher suites, carefully check the setup to make sure you do not allow \u201cADH\u201d suites that do not authenticate the server! 
If you are unsure, keep the default, and always verify the effects of your settings!\n\nFurther reading \n SSL and TLS security\n Transport Layer Security\nNotes \nThe original source for this page is the associated Wikibooks article and is shared here under the CC BY-SA 3.0 license.\n\n\n\n\n\n\nSource: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/SSL,_TLS_and_HTTPS_basics\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/SSL,_TLS_and_HTTPS_basics<\/a>\n\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\n\t\t\t\n\t\t\n\t\t\n\t\t\tNavigation menu\n\t\t\t\t\t\n\t\t\tViews\n\n\t\t\t\n\t\t\t\t\n\t\t\t\tLII\n\t\t\t\tDiscussion\n\t\t\t\tView source\n\t\t\t\tHistory\n\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\n\t\t\t\t\n\t\t\t\tPersonal tools\n\n\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\t\t\tLog in\n\t\t\t\t\t\t\t\t\t\t\t\t\tRequest account\n\t\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\n\t\t\t\n\t\t\t\n\t\t\t\t\n\t\t\t\n\t\t\t\t\n\t\tNavigation\n\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\tMain page\n\t\t\t\t\t\t\t\t\t\t\tRecent changes\n\t\t\t\t\t\t\t\t\t\t\tRandom page\n\t\t\t\t\t\t\t\t\t\t\tHelp\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\n\t\t\t\n\t\t\tSearch\n\n\t\t\t\n\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t \n\t\t\t\t\t\t\n\t\t\t\t\n\n\t\t\t\t\t\t\t\n\t\t\n\t\t\t\n\t\t\tTools\n\n\t\t\t\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\tWhat links here\n\t\t\t\t\t\t\t\t\t\t\tRelated changes\n\t\t\t\t\t\t\t\t\t\t\tSpecial pages\n\t\t\t\t\t\t\t\t\t\t\tPermanent link\n\t\t\t\t\t\t\t\t\t\t\tPage information\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\n\t\t\n\t\tPrint\/export\n\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\tCreate a book\n\t\t\t\t\t\t\t\t\t\t\tDownload as PDF\n\t\t\t\t\t\t\t\t\t\t\tDownload as Plain text\n\t\t\t\t\t\t\t\t\t\t\tPrintable version\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\n\t\t\n\t\tSponsors\n\t\t\n\t\t\t \r\n\n\t\r\n\n\t\r\n\n\t\r\n\n\t\n\t\r\n\n \r\n\n\t\n\t\r\n\n 
\r\n\n\t\n\t\r\n\n\t\n\t\r\n\n\t\r\n\n\t\r\n\n\t\r\n\t\t\n\t\t\n\t\t\t\n\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t This page was last modified on 10 August 2016, at 23:01.\n\t\t\t\t\t\t\t\t\tThis page has been accessed 304 times.\n\t\t\t\t\t\t\t\t\tContent is available under a Creative Commons Attribution-ShareAlike 4.0 International License unless otherwise noted.\n\t\t\t\t\t\t\t\t\tPrivacy policy\n\t\t\t\t\t\t\t\t\tAbout LIMSWiki\n\t\t\t\t\t\t\t\t\tDisclaimers\n\t\t\t\t\t\t\t\n\t\t\n\t\t\n\t\t\n\n","bd543e49b7f540654591e0ff292b60c8_html":"<body class=\"mediawiki ltr sitedir-ltr ns-202 ns-subject page-LII_Web_Application_Security_Guide_SSL_TLS_and_HTTPS_basics skin-monobook action-view\">\n<div id=\"rdp-ebb-globalWrapper\">\n\t\t<div id=\"rdp-ebb-column-content\">\n\t\t\t<div id=\"rdp-ebb-content\" class=\"mw-body\" role=\"main\">\n\t\t\t\t<a id=\"rdp-ebb-top\"><\/a>\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t<h1 id=\"rdp-ebb-firstHeading\" class=\"firstHeading\" lang=\"en\">LII:Web Application Security Guide\/SSL, TLS and HTTPS basics<\/h1>\n\t\t\t\t\n\t\t\t\t<div id=\"rdp-ebb-bodyContent\" class=\"mw-body-content\">\n\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\n\n\t\t\t\t\t<!-- start content -->\n\t\t\t\t\t<div id=\"rdp-ebb-mw-content-text\" lang=\"en\" dir=\"ltr\" class=\"mw-content-ltr\"><table cellspacing=\"0\" cellpadding=\"0\" style=\"clear: right; margin-bottom: .5em; float: right; padding: .5em 0 .8em 1.4em; background: none; width: auto;\">\n<tr>\n<td> \n\n<\/td><\/tr><\/table>\n<h2><span class=\"mw-headline\" id=\"SSL.2C_TLS_and_HTTPS_basics\">SSL, TLS and HTTPS basics<\/span><\/h2>\n<p>SSL\/TLS provide encryption and authentication for HTTPS.\n<\/p>\n<h3><span class=\"mw-headline\" id=\"For_maximum_security\">For maximum security<\/span><\/h3>\n<ul><li> <b>Follow <a rel=\"external_link\" class=\"external text\" 
href=\"https:\/\/www.ssllabs.com\/projects\/best-practices\/\" target=\"_blank\">SSLLabs best practices<\/a><\/b> including:\n<ul><li> Ensure SSLv2 is disabled.<\/li>\n<li> Generate private keys for certificates yourself, do not let your CA do it.<\/li>\n<li> Use an appropriate key length (usually 2048 bit in 2013).<\/li>\n<li> If possible, disable client-initiated renegotiation.<\/li>\n<li> Consider manually limiting\/setting cipher suites.<\/li><\/ul><\/li><\/ul>\n<h3><span class=\"mw-headline\" id=\"Rationale\">Rationale<\/span><\/h3>\n<p>SSL is easy to do and hard to do right. SSLLabs provide good guidelines that are updated when new attacks are discovered.\n<\/p><p>The CA has no need-to-know for your private key. Depending on the cipher suite used, the private key can allow adversaries to decrypt passively eavesdropped communications. Thus, even if you trust the CA, it is better to avoid any risk. Generate a key and a CSR and provide only the CSR to the CA.\n<\/p><p>Increasing key length increases security, but also significantly increases the CPU load for connection establishment. 1024 bit keys will not be accepted by Mozilla Firefox anymore for certificates that expire after the year 2013. 2048 bit keys should be enough for all applications for quite a few years \u2013 using larger key sizes seems to be overkill. (All information based on 2013.) Note: The large CPU overhead of connection establishment can be used by (D)DoS attackers. Such DDoS attacks are harder to detect and defend against when client-initiated renegotiation is supported.\n<\/p><p>SSL\/TLS supports a large set of \u201ccipher suites\u201d, each defining a set of cryptographic mechanisms used to secure the connection. Some of them do provide perfect forward secrecy, some do not. (Perfect forward secrecy means that if the private key becomes available to an attacker, he cannot decrypt data that was eavesdropped before he got the key). 
Usually, the client (browser) and server choose a cipher suite by first exchanging which suites are mutually supported, and the client\u2019s preferred suite is then chosen. Depending on setup, the server may choose the cipher suite, ignoring the client\u2019s preference. Most defaults are reasonably sane, but for either high-speed or high-security applications, you may want to consider restricting the supported\/preferred suites to fast or high-security suites. If you want to exclude clients that do not support sufficient security (e.g. ancient \u201cexport control\u201d limited clients), make sure to disable those cipher suites. When configuring cipher suites, carefully check the setup to make sure you do not allow \u201cADH\u201d suites that do not authenticate the server! If you are unsure, keep the default, and always verify the effects of your settings!\n<\/p>\n<h2><span class=\"mw-headline\" id=\"Further_reading\">Further reading<\/span><\/h2>\n<ul><li> <a href=\"https:\/\/en.wikipedia.org\/wiki\/Transport_Layer_Security#Security\" class=\"extiw\" title=\"wikipedia:Transport Layer Security\" rel=\"external_link\" target=\"_blank\">SSL and TLS security<\/a><\/li>\n<li> <a href=\"https:\/\/en.wikipedia.org\/wiki\/Transport_Layer_Security\" class=\"extiw\" title=\"wikipedia:Transport Layer Security\" rel=\"external_link\" target=\"_blank\">Transport Layer Security<\/a><\/li><\/ul>\n<h2><span class=\"mw-headline\" id=\"Notes\">Notes<\/span><\/h2>\n<p>The original source for this page is <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/en.wikibooks.org\/wiki\/Web_Application_Security_Guide\/SSL,_TLS_and_HTTPS_basics\" target=\"_blank\">the associated Wikibooks article<\/a> and is shared here under the <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/creativecommons.org\/licenses\/by-sa\/3.0\/\" target=\"_blank\">CC BY-SA 3.0<\/a> license.\n<\/p>\n<!-- \nNewPP limit report\nCached time: 20190104225202\nCache expiry: 86400\nDynamic 
content: false\nCPU time usage: 0.011 seconds\nReal time usage: 0.014 seconds\nPreprocessor visited node count: 27\/1000000\nPreprocessor generated node count: 86\/1000000\nPost\u2010expand include size: 165\/2097152 bytes\nTemplate argument size: 0\/2097152 bytes\nHighest expansion depth: 3\/40\nExpensive parser function count: 0\/100\n-->\n\n<!-- \nTransclusion expansion time report (%,ms,calls,template)\n100.00% 3.272 1 - Template:TOC_right\n100.00% 3.272 1 - -total\n-->\n\n<!-- Saved in parser cache with key limswiki:pcache:idhash:9036-0!*!*!!en!*!* and timestamp 20190104225202 and revision id 26919\n -->\n<\/div><div class=\"printfooter\">Source: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/SSL,_TLS_and_HTTPS_basics\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/SSL,_TLS_and_HTTPS_basics<\/a><\/div>\n\t\t\t\t\t\t\t\t\t\t<!-- end content -->\n\t\t\t\t\t\t\t\t\t\t<div class=\"visualClear\"><\/div>\n\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t<!-- end of the left (by default at least) column -->\n\t\t<div class=\"visualClear\"><\/div>\n\t\t\t\t\t\n\t\t<\/div>\n\t\t\n\n<\/body>","bd543e49b7f540654591e0ff292b60c8_images":[],"bd543e49b7f540654591e0ff292b60c8_timestamp":1546642322,"403c661fad4d263579d34b8abfd41efd_type":"article","403c661fad4d263579d34b8abfd41efd_title":"Special files","403c661fad4d263579d34b8abfd41efd_url":"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Special_files","403c661fad4d263579d34b8abfd41efd_plaintext":"\n\n\t\t\n\t\t\t\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\n\n\t\t\t\tLII:Web Application Security Guide\/Special files\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\tFrom LIMSWiki\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\tJump to: navigation, search\n\n\t\t\t\t\t\n\t\t\t\t\t\n\n Contents\n\n1 Special files \n\n1.1 To prevent this type of attack \n1.2 Rationale \n\n\n2 Further reading \n3 Notes \n\n\n\n\nSpecial files \nSpecial files 
like .htaccess, robots.txt, crossdomain.xml and clientaccesspolicy.xml have special meanings which have to be considered before deploying such files.\n\nTo prevent this type of attack \n Know the meaning of these files.\n Ensure robots.txt does not disclose \"secret\" paths.\n Ensure crossdomain.xml and clientaccesspolicy.xml do not exist unless needed.\n If used, ensure crossdomain.xml and clientaccesspolicy.xml allow access from trusted domains only.\n Prevent users from uploading\/changing special files (see file upload vulnerabilities section).\nRationale \nSpecial files like .htaccess, robots.txt, crossdomain.xml and clientaccesspolicy.xml define security relevant settings and rules. Knowing their meaning is necessary to use them securely.\n.htaccess influences the behaviour and security relevant settings of the web server (e.g. access rights, executable file types, ...).\nrobots.txt can be ignored by malicious or badly written robots. As this file is publicly available, an attacker can gain valuable information about \"interesting\" paths (like administration interfaces) if they are mentioned in the robots.txt file. Attackers do check this file for such content.\ncrossdomain.xml and clientaccesspolicy.xml can disable the same-origin policy in some plug-ins. Incorrect configuration leaves the site open for cross-site scripting\/cross-site request forgery attacks using plugins. 
Note that crossdomain.xml files are also valid if they appear in subdirectories.\n\nFurther reading \n .htaccess\n Cross-site request forgery\n robots.txt\nNotes \nThe original source for this page is the associated Wikibooks article and is shared here under the CC BY-SA 3.0 license.\n\n\n\n\n\n\nSource: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Special_files\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Special_files<\/a>\n\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\n\t\t\t\n\t\t\n\t\t\n\t\t\tNavigation menu\n\t\t\t\t\t\n\t\t\tViews\n\n\t\t\t\n\t\t\t\t\n\t\t\t\tLII\n\t\t\t\tDiscussion\n\t\t\t\tView source\n\t\t\t\tHistory\n\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\n\t\t\t\t\n\t\t\t\tPersonal tools\n\n\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\t\t\tLog in\n\t\t\t\t\t\t\t\t\t\t\t\t\tRequest account\n\t\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\n\t\t\t\n\t\t\t\n\t\t\t\t\n\t\t\t\n\t\t\t\t\n\t\tNavigation\n\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\tMain page\n\t\t\t\t\t\t\t\t\t\t\tRecent changes\n\t\t\t\t\t\t\t\t\t\t\tRandom page\n\t\t\t\t\t\t\t\t\t\t\tHelp\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\n\t\t\t\n\t\t\tSearch\n\n\t\t\t\n\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t \n\t\t\t\t\t\t\n\t\t\t\t\n\n\t\t\t\t\t\t\t\n\t\t\n\t\t\t\n\t\t\tTools\n\n\t\t\t\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\tWhat links here\n\t\t\t\t\t\t\t\t\t\t\tRelated changes\n\t\t\t\t\t\t\t\t\t\t\tSpecial pages\n\t\t\t\t\t\t\t\t\t\t\tPermanent link\n\t\t\t\t\t\t\t\t\t\t\tPage information\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\n\t\t\n\t\tPrint\/export\n\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\tCreate a book\n\t\t\t\t\t\t\t\t\t\t\tDownload as PDF\n\t\t\t\t\t\t\t\t\t\t\tDownload as Plain text\n\t\t\t\t\t\t\t\t\t\t\tPrintable version\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\n\t\t\n\t\tSponsors\n\t\t\n\t\t\t \r\n\n\t\r\n\n\t\r\n\n\t\r\n\n\t\n\t\r\n\n \r\n\n\t\n\t\r\n\n 
\r\n\n\t\n\t\r\n\n\t\n\t\r\n\n\t\r\n\n\t\r\n\n\t\r\n\t\t\n\t\t\n\t\t\t\n\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t This page was last modified on 10 August 2016, at 22:57.\n\t\t\t\t\t\t\t\t\tThis page has been accessed 296 times.\n\t\t\t\t\t\t\t\t\tContent is available under a Creative Commons Attribution-ShareAlike 4.0 International License unless otherwise noted.\n\t\t\t\t\t\t\t\t\tPrivacy policy\n\t\t\t\t\t\t\t\t\tAbout LIMSWiki\n\t\t\t\t\t\t\t\t\tDisclaimers\n\t\t\t\t\t\t\t\n\t\t\n\t\t\n\t\t\n\n","403c661fad4d263579d34b8abfd41efd_html":"<body class=\"mediawiki ltr sitedir-ltr ns-202 ns-subject page-LII_Web_Application_Security_Guide_Special_files skin-monobook action-view\">\n<div id=\"rdp-ebb-globalWrapper\">\n\t\t<div id=\"rdp-ebb-column-content\">\n\t\t\t<div id=\"rdp-ebb-content\" class=\"mw-body\" role=\"main\">\n\t\t\t\t<a id=\"rdp-ebb-top\"><\/a>\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t<h1 id=\"rdp-ebb-firstHeading\" class=\"firstHeading\" lang=\"en\">LII:Web Application Security Guide\/Special files<\/h1>\n\t\t\t\t\n\t\t\t\t<div id=\"rdp-ebb-bodyContent\" class=\"mw-body-content\">\n\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\n\n\t\t\t\t\t<!-- start content -->\n\t\t\t\t\t<div id=\"rdp-ebb-mw-content-text\" lang=\"en\" dir=\"ltr\" class=\"mw-content-ltr\"><table cellspacing=\"0\" cellpadding=\"0\" style=\"clear: right; margin-bottom: .5em; float: right; padding: .5em 0 .8em 1.4em; background: none; width: auto;\">\n<tr>\n<td> \n\n<\/td><\/tr><\/table>\n<h2><span class=\"mw-headline\" id=\"Special_files\">Special files<\/span><\/h2>\n<p>Special files like .htaccess, robots.txt, crossdomain.xml and clientaccesspolicy.xml have special meanings which has to be considered before deploying such files.\n<\/p>\n<h3><span class=\"mw-headline\" id=\"To_prevent_this_type_of_attack\">To prevent this type of attack<\/span><\/h3>\n<ul><li> Know the meaning of these 
files.<\/li>\n<li> Ensure robots.txt does not disclose \"secret\" paths.<\/li>\n<li> Ensure crossdomain.xml and clientaccesspolicy.xml do not exist unless needed.<\/li>\n<li> If used, ensure crossdomain.xml and clientaccesspolicy.xml allow access from trusted domains only.<\/li>\n<li> Prevent users from uploading\/changing special files (see <a href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/File_upload_vulnerabilities\" title=\"LII:Web Application Security Guide\/File upload vulnerabilities\" target=\"_blank\" class=\"wiki-link\" data-key=\"8b3708600c87ff3258de11ce293bf1a6\">file upload vulnerabilities section<\/a>).<\/li><\/ul>\n<h3><span class=\"mw-headline\" id=\"Rationale\">Rationale<\/span><\/h3>\n<p>Special files like .htaccess, robots.txt, crossdomain.xml and clientaccesspolicy.xml define security relevant settings and rules. Knowing their meaning is necessary to use them securely.\n<\/p><p>.htaccess influences the behaviour and security relevant settings of the web server (e.g. access rights, executable file types, ...).\n<\/p><p>robots.txt can be ignored by malicious or badly written robots. As this file is publicly available, an attacker can gain valuable information about \"interesting\" paths (like administration interfaces) if they are mentioned in the robots.txt file. Attackers <b>do<\/b> check this file for such content.\n<\/p><p>crossdomain.xml and clientaccesspolicy.xml can disable the same-origin policy in some plug-ins. Incorrect configuration leaves the site open for cross-site scripting\/cross-site request forgery attacks using plugins. 
Note that crossdomain.xml files are also valid if they appear in subdirectories.\n<\/p>\n<h2><span class=\"mw-headline\" id=\"Further_reading\">Further reading<\/span><\/h2>\n<ul><li> <a href=\"https:\/\/en.wikipedia.org\/wiki\/.htaccess\" class=\"extiw\" title=\"wikipedia:.htaccess\" rel=\"external_link\" target=\"_blank\">.htaccess<\/a><\/li>\n<li> <a href=\"https:\/\/en.wikipedia.org\/wiki\/Cross-site_request_forgery\" class=\"extiw\" title=\"wikipedia:Cross-site request forgery\" rel=\"external_link\" target=\"_blank\">Cross-site request forgery<\/a><\/li>\n<li> <a href=\"https:\/\/en.wikipedia.org\/wiki\/Robots.txt\" class=\"extiw\" title=\"wikipedia:Robots.txt\" rel=\"external_link\" target=\"_blank\">robots.txt<\/a><\/li><\/ul>\n<h2><span class=\"mw-headline\" id=\"Notes\">Notes<\/span><\/h2>\n<p>The original source for this page is <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/en.wikibooks.org\/wiki\/Web_Application_Security_Guide\/Special_files\" target=\"_blank\">the associated Wikibooks article<\/a> and is shared here under the <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/creativecommons.org\/licenses\/by-sa\/3.0\/\" target=\"_blank\">CC BY-SA 3.0<\/a> license.\n<\/p>\n<\/div><div class=\"printfooter\">Source: <a 
rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Special_files\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Special_files<\/a><\/div>\n<!-- end content -->\n<div class=\"visualClear\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<!-- end of the left (by default at least) column -->\n<div class=\"visualClear\"><\/div>\n<\/div>\n<\/body>","403c661fad4d263579d34b8abfd41efd_images":[],"403c661fad4d263579d34b8abfd41efd_timestamp":1546642321,"b8012faef03edbe61efc3d62e8c99377_type":"article","b8012faef03edbe61efc3d62e8c99377_title":"Prefetching and spiders","b8012faef03edbe61efc3d62e8c99377_url":"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Prefetching_and_spiders","b8012faef03edbe61efc3d62e8c99377_plaintext":"LII:Web Application Security Guide\/Prefetching and spiders\nFrom LIMSWiki\n\nContents\n\n1 Prefetching and spiders \n\n1.1 To prevent this \n1.2 Rationale \n\n\n2 Further reading \n3 Notes \n\n\n\n\nPrefetching and spiders \nGET requests are not supposed\/expected to trigger actions\/changes and are happily followed by various browser mechanisms like Prefetching or Session Restore and by crawlers. This can cause unwanted actions to be triggered completely without user interaction and without the need for an attack.\n\nTo prevent this \n Use POST requests instead of GETs for anything that triggers an action.\nRationale \nGET requests can be automatically and unintentionally triggered, for example by crawlers. For example, in the case of \u201cdelete\u201d buttons, this can cause a single user with aggressive Prefetching to accidentally delete everything just by opening a listing page. 
POST requests are expected to trigger actions and are handled accordingly by browsers.\n\nFurther reading \n GET\n Instruction prefetch\n POST\n Web crawler\nNotes \nThe original source for this page is the associated Wikibooks article and is shared here under the CC BY-SA 3.0 license.\n\nSource: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Prefetching_and_spiders\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Prefetching_and_spiders<\/a>\n
\nThis page was last modified on 10 August 2016, at 22:54.\n","b8012faef03edbe61efc3d62e8c99377_html":"<body class=\"mediawiki ltr sitedir-ltr ns-202 ns-subject page-LII_Web_Application_Security_Guide_Prefetching_and_spiders skin-monobook action-view\">\n<div id=\"rdp-ebb-globalWrapper\">\n<div id=\"rdp-ebb-column-content\">\n<div id=\"rdp-ebb-content\" class=\"mw-body\" role=\"main\">\n<a id=\"rdp-ebb-top\"><\/a>\n<h1 id=\"rdp-ebb-firstHeading\" class=\"firstHeading\" lang=\"en\">LII:Web Application Security Guide\/Prefetching and spiders<\/h1>\n<div id=\"rdp-ebb-bodyContent\" class=\"mw-body-content\">\n<!-- start content -->\n<div id=\"rdp-ebb-mw-content-text\" lang=\"en\" dir=\"ltr\" class=\"mw-content-ltr\">\n<h2><span class=\"mw-headline\" id=\"Prefetching_and_spiders\">Prefetching and spiders<\/span><\/h2>\n<p>GET requests are not supposed\/expected to trigger actions\/changes and are happily followed by various browser mechanisms like Prefetching or Session Restore and by crawlers. 
This can cause unwanted actions to be triggered completely without user interaction and without the need for an attack.\n<\/p>\n<h3><span class=\"mw-headline\" id=\"To_prevent_this\">To prevent this<\/span><\/h3>\n<ul><li> Use POST requests instead of GETs for anything that triggers an action.<\/li><\/ul>\n<h3><span class=\"mw-headline\" id=\"Rationale\">Rationale<\/span><\/h3>\n<p>GET requests can be automatically and unintentionally triggered, for example by crawlers. For example, in the case of \u201cdelete\u201d buttons, this can cause a single user with aggressive Prefetching to accidentally delete everything just by opening a listing page. POST requests are expected to trigger actions and are handled accordingly by browsers.\n<\/p>\n<h2><span class=\"mw-headline\" id=\"Further_reading\">Further reading<\/span><\/h2>\n<ul><li> <a href=\"https:\/\/en.wikipedia.org\/wiki\/GET_(HTTP)\" class=\"extiw\" title=\"wikipedia:GET (HTTP)\" rel=\"external_link\" target=\"_blank\">GET<\/a><\/li>\n<li> <a href=\"https:\/\/en.wikipedia.org\/wiki\/Instruction_prefetch\" class=\"extiw\" title=\"wikipedia:Instruction prefetch\" rel=\"external_link\" target=\"_blank\">Instruction prefetch<\/a><\/li>\n<li> <a href=\"https:\/\/en.wikipedia.org\/wiki\/POST_(HTTP)\" class=\"extiw\" title=\"wikipedia:POST (HTTP)\" rel=\"external_link\" target=\"_blank\">POST<\/a><\/li>\n<li> <a href=\"https:\/\/en.wikipedia.org\/wiki\/Web_crawler\" class=\"extiw\" title=\"wikipedia:Web crawler\" rel=\"external_link\" target=\"_blank\">Web crawler<\/a><\/li><\/ul>\n<h2><span class=\"mw-headline\" id=\"Notes\">Notes<\/span><\/h2>\n<p>The original source for this page is <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/en.wikibooks.org\/wiki\/Web_Application_Security_Guide\/Prefetching_and_Spiders\" target=\"_blank\">the associated Wikibooks article<\/a> and is shared here under the <a rel=\"external_link\" class=\"external text\" 
href=\"https:\/\/creativecommons.org\/licenses\/by-sa\/3.0\/\" target=\"_blank\">CC BY-SA 3.0<\/a> license.\n<\/p>\n<!-- \nNewPP limit report\nCached time: 20190104225201\nCache expiry: 86400\nDynamic content: false\nCPU time usage: 0.010 seconds\nReal time usage: 0.014 seconds\nPreprocessor visited node count: 27\/1000000\nPreprocessor generated node count: 86\/1000000\nPost\u2010expand include size: 165\/2097152 bytes\nTemplate argument size: 0\/2097152 bytes\nHighest expansion depth: 3\/40\nExpensive parser function count: 0\/100\n-->\n\n<!-- \nTransclusion expansion time report (%,ms,calls,template)\n100.00% 3.123 1 - Template:TOC_right\n100.00% 3.123 1 - -total\n-->\n\n<!-- Saved in parser cache with key limswiki:pcache:idhash:9034-0!*!*!!en!*!* and timestamp 20190104225201 and revision id 26917\n -->\n<\/div><div class=\"printfooter\">Source: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Prefetching_and_spiders\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Prefetching_and_spiders<\/a><\/div>\n\t\t\t\t\t\t\t\t\t\t<!-- end content -->\n\t\t\t\t\t\t\t\t\t\t<div class=\"visualClear\"><\/div>\n\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t<!-- end of the left (by default at least) column -->\n\t\t<div class=\"visualClear\"><\/div>\n\t\t\t\t\t\n\t\t<\/div>\n\t\t\n\n<\/body>","b8012faef03edbe61efc3d62e8c99377_images":[],"b8012faef03edbe61efc3d62e8c99377_timestamp":1546642321,"818e02e81d1025e23a43f28126eb1791_type":"article","818e02e81d1025e23a43f28126eb1791_title":"PHP-specific issues","818e02e81d1025e23a43f28126eb1791_url":"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/PHP-specific_issues","818e02e81d1025e23a43f28126eb1791_plaintext":"\n\n\t\t\n\t\t\t\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\n\n\t\t\t\tLII:Web Application Security Guide\/PHP-specific issues\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\tFrom 
LIMSWiki\n\nContents\n\n1 PHP-specific issues \n\n1.1 When using PHP... \n1.2 Rationale \n\n\n2 Further reading \n3 Notes \n\n\n\n\nPHP-specific issues \nWhen using the PHP language, several issues need to be considered.\n\nWhen using PHP... \n Do not use the short form \u201c<?\u201d, always use the full form \u201c<?php\u201d. \n When using the nginx web server, make sure to correctly follow the official installation instructions and pay attention to the \"Pitfalls\" page. Beware of tutorials that often contain working but insecure configuration examples.\n preg_replace can act as eval() in certain cases. Avoid passing user input to it. If you must, correctly filter and escape it.\n Use Suhosin (including the patch, if possible) and configure it with strict rules.\n Enable suhosin.executor.disable_emodifier.\n Enable suhosin.executor.disable_eval if possible.\n Set suhosin.mail.protect to 2 if possible.\n When updating PHP to PHP 5.4 from an older version, ensure legacy applications do not rely on magic quotes for security.\nRationale \nPHP can support shortened PHP code start tags. If the option is enabled, both \"<?php\" and \"<?\" alone can start a PHP code block. However, if the option is disabled, \"<?\" will not be detected and the code will be delivered to the browser instead. This can lead to code disclosure. Using the full form ensures that the code will work correctly and won\u2019t disclose the code if the server does not support short tags.\nWhen using the nginx server, it is very easy to make critical configuration mistakes that allow users to pass image files to the PHP interpreter. See the \"Pitfalls\" page for more information. 
It also provides valuable tips that will probably save you some time hunting down phantom issues, so you should read it if you use nginx.\npreg_replace evaluates the replacement text as PHP code if the non-standard \"e\" modifier is given in the search RegExp. If an attacker can influence the RegExp to add this modifier and provide a custom replacement text, preg_replace allows arbitrary code execution. Be extremely careful when using this function; use preg_quote with a correctly set delimiter parameter for escaping when possible. If you must accept RegExp code from the user, ensure it cannot contain the delimiter (also consider attacks using malformed UTF-8, null bytes etc.), but if possible, avoid it completely.\nSuhosin can prevent certain attacks on web applications and disable insecure functions. The patch also protects internal memory structures against certain memory corruption attacks. (Also see the feature list for a complete list of features and the official explanation why Suhosin is useful.) Suhosin improves your security, but like Web Application Firewalls, it does not magically make all applications secure.\nDisabling the e modifier prevents the above-mentioned vulnerabilities in preg_replace from being used by an attacker even if an application is vulnerable. The e modifier should never be used; an application that does not work with the e modifier disabled is broken. Banning eval may break legitimate applications. Consider running Suhosin in simulation mode first to discover (badly coded) applications that use it. Setting suhosin.mail.protect can prevent attacks that use your mail forms to send spam. (Again, use simulation mode first to determine if your applications are compatible with it.)\nMagic quotes have been removed in PHP 5.4. An application that relies on them for security will become vulnerable if the update is installed. 
Magic quotes are not a suitable way to escape input and in most cases will not protect against all attack vectors. An application that relies on magic quotes is probably ancient and\/or written without security in mind. Simply adding code that will emulate magic quotes is a bad idea.\n\nFurther reading \n PHP\n PHP security\nNotes \nThe original source for this page is the associated Wikibooks article and is shared here under the CC BY-SA 3.0 license.\n\nSource: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/PHP-specific_issues\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/PHP-specific_issues<\/a>\n\nThis page was last modified on 10 August 2016, at 22:48.\n","818e02e81d1025e23a43f28126eb1791_html":"<body class=\"mediawiki ltr sitedir-ltr ns-202 ns-subject page-LII_Web_Application_Security_Guide_PHP-specific_issues skin-monobook action-view\">\n<div id=\"rdp-ebb-globalWrapper\">\n<div id=\"rdp-ebb-column-content\">\n<div id=\"rdp-ebb-content\" class=\"mw-body\" role=\"main\">\n<a id=\"rdp-ebb-top\"><\/a>\n<h1 id=\"rdp-ebb-firstHeading\" class=\"firstHeading\" lang=\"en\">LII:Web Application Security Guide\/PHP-specific issues<\/h1>\n<div id=\"rdp-ebb-bodyContent\" class=\"mw-body-content\">\n<!-- start content -->\n<div id=\"rdp-ebb-mw-content-text\" lang=\"en\" dir=\"ltr\" class=\"mw-content-ltr\">\n<h2><span class=\"mw-headline\" id=\"PHP-specific_issues\">PHP-specific issues<\/span><\/h2>\n<p>When using the PHP language, several issues need to be considered.\n<\/p>\n<h3><span class=\"mw-headline\" id=\"When_using_PHP...\">When using 
PHP...<\/span><\/h3>\n<ul><li> Do not use the short form \u201c<code><?<\/code>\u201d, always use the full form \u201c<code><?php<\/code>\u201d. <\/li>\n<li> When using the nginx web server, make sure to correctly follow the <b>official<\/b> installation instructions and pay attention to the <a rel=\"external_link\" class=\"external text\" href=\"http:\/\/wiki.nginx.org\/Pitfalls#Passing_Uncontrolled_Requests_to_PHP\" target=\"_blank\">\"Pitfalls\" page<\/a>. Beware of tutorials that often contain working but insecure configuration examples.<\/li>\n<li> <code>preg_replace<\/code> can act as <code>eval()<\/code> in certain cases. Avoid passing user input to it. If you must, correctly filter and escape it.<\/li>\n<li> Use <a rel=\"external_link\" class=\"external text\" href=\"http:\/\/www.hardened-php.net\/suhosin\/\" target=\"_blank\">Suhosin<\/a> (including the patch, if possible) and configure it with strict rules.\n<ul><li> Enable <code>suhosin.executor.disable_emodifier<\/code>.<\/li>\n<li> Enable <code>suhosin.executor.disable_eval<\/code> if possible.<\/li>\n<li> Set <code>suhosin.mail.protect<\/code> to 2 if possible.<\/li><\/ul><\/li>\n<li> When updating PHP to PHP 5.4 from an older version, ensure legacy applications do not rely on magic quotes for security.<\/li><\/ul>\n<h3><span class=\"mw-headline\" id=\"Rationale\">Rationale<\/span><\/h3>\n<p>PHP can support shortened PHP code start tags. If the option is enabled, both \"<code><?php<\/code>\" and \"<code><?<\/code>\" alone can start a PHP code block. However, if the option is disabled, \"<code><?<\/code>\" will not be detected and the code will be delivered to the browser instead. This can lead to code disclosure. 
Using the full form ensures that the code will work correctly and won\u2019t disclose the code if the server does not support short tags.\n<\/p><p>When using the nginx server, it is very easy to make critical configuration mistakes that allow users to pass image files to the PHP interpreter. See the <a rel=\"external_link\" class=\"external text\" href=\"http:\/\/wiki.nginx.org\/Pitfalls#Passing_Uncontrolled_Requests_to_PHP\" target=\"_blank\">\"Pitfalls\" page<\/a> for more information. It also provides valuable tips that will probably save you some time hunting down phantom issues, so you should read it if you use nginx.\n<\/p><p><code>preg_replace<\/code> evaluates the replacement text as PHP code if the non-standard \"e\" modifier is given in the search RegExp. If an attacker can influence the RegExp to add this modifier and provide a custom replacement text, <code>preg_replace<\/code> allows arbitrary code execution. Be extremely careful when using this function; use <code>preg_quote<\/code> <i>with a correctly set delimiter parameter<\/i> for escaping when possible. If you must accept RegExp code from the user, ensure it cannot contain the delimiter (also consider attacks using malformed UTF-8, null bytes etc.), but if possible, avoid it completely.\n<\/p><p><a rel=\"external_link\" class=\"external text\" href=\"http:\/\/www.hardened-php.net\/suhosin\/\" target=\"_blank\">Suhosin<\/a> can prevent certain attacks on web applications and disable insecure functions. The patch also protects internal memory structures against certain memory corruption attacks. (Also see the <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/suhosin.org\/stories\/feature-list.html\" target=\"_blank\">feature list<\/a> for a complete list of features and the <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/suhosin.org\/stories\/index.html\" target=\"_blank\">official explanation why Suhosin is useful<\/a>.) 
<b>Suhosin improves your security, but like Web Application Firewalls, it does not magically make all applications secure.<\/b>\n<\/p><p>Disabling the e modifier prevents the above-mentioned vulnerabilities in preg_replace from being used by an attacker even if an application is vulnerable. The e modifier should never be used; an application that does not work with the e modifier disabled is broken. Banning eval may break legitimate applications. Consider running Suhosin in <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/suhosin.org\/stories\/configuration.html#suhosin-simulation\" target=\"_blank\">simulation mode<\/a> first to discover (badly coded) applications that use it. Setting <code>suhosin.mail.protect<\/code> can prevent attacks that use your mail forms to send spam. (Again, use <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/suhosin.org\/stories\/configuration.html#suhosin-simulation\" target=\"_blank\">simulation mode<\/a> first to determine if your applications are compatible with it.)\n<\/p><p>Magic quotes have been removed in PHP 5.4. An application that relies on them for security will become vulnerable if the update is installed. Note that this does not mean you should not update; instead, you should fix (i.e. rewrite or delete) the application. Magic quotes are not a suitable way to escape input and in most cases will not protect against all attack vectors. An application that relies on magic quotes is probably ancient and\/or written without security in mind. 
Simply adding code that will emulate magic quotes is a bad idea.\n<\/p>\n<h2><span class=\"mw-headline\" id=\"Further_reading\">Further reading<\/span><\/h2>\n<ul><li> <a href=\"https:\/\/en.wikipedia.org\/wiki\/PHP\" class=\"extiw\" title=\"wikipedia:PHP\" rel=\"external_link\" target=\"_blank\">PHP<\/a><\/li>\n<li> <a href=\"https:\/\/en.wikipedia.org\/wiki\/PHP#Security\" class=\"extiw\" title=\"wikipedia:PHP\" rel=\"external_link\" target=\"_blank\">PHP security<\/a><\/li><\/ul>\n<h2><span class=\"mw-headline\" id=\"Notes\">Notes<\/span><\/h2>\n<p>The original source for this page is <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/en.wikibooks.org\/wiki\/Web_Application_Security_Guide\/PHP-specific_issues\" target=\"_blank\">the associated Wikibooks article<\/a> and is shared here under the <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/creativecommons.org\/licenses\/by-sa\/3.0\/\" target=\"_blank\">CC BY-SA 3.0<\/a> license.\n<\/p>\n<\/div><div class=\"printfooter\">Source: <a rel=\"external_link\" class=\"external\" 
href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/PHP-specific_issues\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/PHP-specific_issues<\/a><\/div>\n\t\t\t\t\t\t\t\t\t\t<!-- end content -->\n\t\t\t\t\t\t\t\t\t\t<div class=\"visualClear\"><\/div>\n\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t<!-- end of the left (by default at least) column -->\n\t\t<div class=\"visualClear\"><\/div>\n\t\t\t\t\t\n\t\t<\/div>\n\t\t\n\n<\/body>","818e02e81d1025e23a43f28126eb1791_images":[],"818e02e81d1025e23a43f28126eb1791_timestamp":1546642321,"b4dba0a711c78dba0dbb84de5df9ccb2_type":"article","b4dba0a711c78dba0dbb84de5df9ccb2_title":"Comparison issues","b4dba0a711c78dba0dbb84de5df9ccb2_url":"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Comparison_issues","b4dba0a711c78dba0dbb84de5df9ccb2_plaintext":"\n\n\t\t\n\t\t\t\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\n\n\t\t\t\tLII:Web Application Security Guide\/Comparison issues\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\tFrom LIMSWiki\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\tJump to: navigation, search\n\n\t\t\t\t\t\n\t\t\t\t\t\n\n Contents\n\n1 Comparison issues \n\n1.1 To prevent comparison issues \n1.2 Rationale \n\n\n2 Further reading \n3 Notes \n\n\n\n\nComparison issues \nWhen comparing values, know the behavior of your programming language. For example in PHP, \"==\" is a loose comparison that ignores the type and may give you unexpected behaviour. \"===\" is used for exact comparison. Using the wrong type of comparison can lead to security issues.\n\nTo prevent comparison issues \n Know comparison types in your programming language and use the correct one.\n When in doubt (especially with PHP), use a strict comparison (PHP: \"===\").\n When comparing strings for equality, make sure you actually check that the strings are equal and not that one string contains the other.\nRationale \nUsing a too loose comparison can easily cause security issues. 
For example, in PHP, the following will evaluate to TRUE:\n\n "a97e8342f0" == 0\n\nThe hex string, which could be a token or hash, is automatically parsed as an integer, and as it starts with a letter and thus cannot be parsed, the result is 0.\nAccidentally checking for strings being contained instead of checking for strings being equal can allow attackers to bypass e.g. whitelist checks.\n\nFurther reading \n Comparison (computer programming)\nNotes \nThe original source for this page is the associated Wikibooks article and is shared here under the CC BY-SA 3.0 license.\n\nSource: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Comparison_issues\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Comparison_issues<\/a>\n\nThis page was last modified on 10 August 2016, at 22:46.\n","b4dba0a711c78dba0dbb84de5df9ccb2_html":"<body class=\"mediawiki ltr sitedir-ltr ns-202 ns-subject page-LII_Web_Application_Security_Guide_Comparison_issues skin-monobook action-view\">\n<div id=\"rdp-ebb-globalWrapper\">\n<div id=\"rdp-ebb-column-content\">\n<div id=\"rdp-ebb-content\" class=\"mw-body\" role=\"main\">\n<a id=\"rdp-ebb-top\"><\/a>\n<h1 id=\"rdp-ebb-firstHeading\" class=\"firstHeading\" lang=\"en\">LII:Web Application Security Guide\/Comparison issues<\/h1>\n<div id=\"rdp-ebb-bodyContent\" class=\"mw-body-content\">\n<!-- start content -->\n<div id=\"rdp-ebb-mw-content-text\" lang=\"en\" dir=\"ltr\" class=\"mw-content-ltr\">\n<h2><span class=\"mw-headline\" id=\"Comparison_issues\">Comparison issues<\/span><\/h2>\n<p>When comparing values, know the behavior of your 
programming language. For example in PHP, \"<code>==<\/code>\" is a loose comparison that ignores the type and may give you unexpected behaviour. \"<code>===<\/code>\" is used for exact comparison. Using the wrong type of comparison can lead to security issues.\n<\/p>\n<h3><span class=\"mw-headline\" id=\"To_prevent_comparison_issues\">To prevent comparison issues<\/span><\/h3>\n<ul><li> Know comparison types in your programming language and use the correct one.<\/li>\n<li> When in doubt (especially with PHP), use a strict comparison (PHP: \"<code>===<\/code>\").<\/li>\n<li> When comparing strings for equality, make sure you actually check that the strings are equal and not that one string contains the other.<\/li><\/ul>\n<h3><span class=\"mw-headline\" id=\"Rationale\">Rationale<\/span><\/h3>\n<p>Using too loose a comparison can easily cause security issues. For example, in PHP, the following will evaluate to <code>TRUE<\/code>:\n<\/p>\n<pre> <code>\"a97e8342f0\" == 0<\/code>\n<\/pre>\n<p>The hex string, which could be a token or hash, is automatically parsed as an integer, and as it starts with a letter and thus cannot be parsed, the result is 0. PHP 8.0 changed this behaviour: comparing a number with a non-numeric string now compares both as strings, so this particular expression evaluates to <code>FALSE<\/code> there. Loose comparison between two numeric-looking strings is still numeric on every version, so a strict comparison remains the safe choice.\n<\/p><p>Accidentally checking for strings being contained instead of checking for strings being equal can allow attackers to bypass e.g. 
whitelist checks.\n<\/p>\n<h2><span class=\"mw-headline\" id=\"Further_reading\">Further reading<\/span><\/h2>\n<ul><li> <a href=\"https:\/\/en.wikipedia.org\/wiki\/Relational_operator\" class=\"extiw\" title=\"wikipedia:Relational operator\" rel=\"external_link\" target=\"_blank\">Comparison (computer programming)<\/a><\/li><\/ul>\n<h2><span class=\"mw-headline\" id=\"Notes\">Notes<\/span><\/h2>\n<p>The original source for this page is <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/en.wikibooks.org\/wiki\/Web_Application_Security_Guide\/Comparison_issues\" target=\"_blank\">the associated Wikibooks article<\/a> and is shared here under the <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/creativecommons.org\/licenses\/by-sa\/3.0\/\" target=\"_blank\">CC BY-SA 3.0<\/a> license.\n<\/p>\n<!-- \nNewPP limit report\nCached time: 20190104225201\nCache expiry: 86400\nDynamic content: false\nCPU time usage: 0.012 seconds\nReal time usage: 0.021 seconds\nPreprocessor visited node count: 63\/1000000\nPreprocessor generated node count: 166\/1000000\nPost\u2010expand include size: 165\/2097152 bytes\nTemplate argument size: 0\/2097152 bytes\nHighest expansion depth: 3\/40\nExpensive parser function count: 0\/100\n-->\n\n<!-- \nTransclusion expansion time report (%,ms,calls,template)\n100.00% 4.064 1 - Template:TOC_right\n100.00% 4.064 1 - -total\n-->\n\n<!-- Saved in parser cache with key limswiki:pcache:idhash:9032-0!*!*!!en!*!* and timestamp 20190104225201 and revision id 26915\n -->\n<\/div><div class=\"printfooter\">Source: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Comparison_issues\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Comparison_issues<\/a><\/div>\n\t\t\t\t\t\t\t\t\t\t<!-- end content -->\n\t\t\t\t\t\t\t\t\t\t<div class=\"visualClear\"><\/div>\n\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t<!-- end of the left 
(by default at least) column -->\n\t\t<div class=\"visualClear\"><\/div>\n\t\t\t\t\t\n\t\t<\/div>\n\t\t\n\n<\/body>","b4dba0a711c78dba0dbb84de5df9ccb2_images":[],"b4dba0a711c78dba0dbb84de5df9ccb2_timestamp":1546642321,"c41630a44a94b431fbb84b36260b3bbe_type":"article","c41630a44a94b431fbb84b36260b3bbe_title":"Password security","c41630a44a94b431fbb84b36260b3bbe_url":"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Password_security","c41630a44a94b431fbb84b36260b3bbe_plaintext":"\n\n\t\t\n\t\t\t\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\n\n\t\t\t\tLII:Web Application Security Guide\/Password security\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\tFrom LIMSWiki\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\tJump to: navigation, search\n\n\t\t\t\t\t\n\t\t\t\t\t\n\n Contents\n\n1 Password security \n\n1.1 To keep password-based login mechanisms secure \n1.2 Rationale \n\n\n2 Further reading \n3 References \n4 Notes \n\n\n\n\nPassword security \nMost web applications use username\/password combinations to manage access.\n\nTo keep password-based login mechanisms secure \n Do not store plain-text passwords; store only hashes.\n Use scrypt, bcrypt, or some other hashing algorithm specifically designed for secure password \"storage\".[1][2]\n Use a secure hashing algorithm (e.g. SHA-256 as of 2011).\n Use per-user salts.\n Use strengthening (i.e. multi-iteration hashing to slow down brute force attempts).\n Limit login attempts per IP (not per user account).\n Enforce reasonable, but not too strict, password policies.\n If a password reset process is implemented, make sure it has adequate security. Questions like \u201cmother\u2019s maiden name\u201d can often be guessed by attackers and are not sufficient.\nRationale \nUsers re-use passwords for multiple services. If an attacker gains access to one server and can gain a list of passwords, he may be able to use this password to attack other services. Therefore, only password hashes may be stored. 
Secure hashing algorithms are easy to use in most languages and ensure the original password cannot be easily recovered and that wrong passwords are not falsely accepted.\nAdding salts to the password hashes prevents the use of rainbow tables and significantly slows down brute-force attempts. Strengthening slows both off-line brute-force attacks against stolen hashes and on-line brute-force in case the rate limiting fails. However, it increases CPU load on the server and would open a vector for DDoS attacks if not prevented with login attempt limiting. A good strengthening can slow down off-line brute-force attacks by a factor of 10000 or more.\nLimiting login attempts is necessary to prevent on-line brute-force attacks and DoS via the CPU usage of the password strengthening procedure. Without a limit, an attacker can try a very large number of passwords directly against the server. Assuming 100 attempts per second, which is reasonable for a normal web server, no significant strengthening and an attacker working with multiple threads, this would result in 259,200,000 passwords tried in a single month!\nNot enforcing any password policies will lead to too many users choosing \u201c123456\u201d, \u201cqwerty\u201d or \u201cpassword\u201d as their password, opening the system up for attack. Enforcing too strict password policies will force users to save passwords or write them down, generally annoy them and foster re-using the same password for all services. Furthermore, users using secure passwords not matching the policies may be forced to use passwords which are harder to remember, but not necessarily secure. A password consisting of 5 concatenated, randomly (!) chosen lowercase dictionary words is significantly more secure than an eight-character password consisting of mixed case letters, numbers and punctuation. Take this into account if you do not get a password policy to implement, but have to design your own.\nIf an attacker cannot obtain the password, he may try to reset it. Often, answers to password reset questions are easy to find or guess. Questions alone are not sufficient protection. Consider using a question together with e-mail verification by sending a new temporary password, for example.\n\nFurther reading \n Password policy\n Password strength\nReferences \n\n\u2191 Nielsen, P.M. (6 June 2012). \"Storing Passwords Securely\". Patrick on. https:\/\/patrickmn.com\/security\/storing-passwords-securely\/. Retrieved 10 August 2016.\n\n\u2191 \"Cryptography\/Secure Passwords\". Cryptography. WikiBooks. 23 September 2015. https:\/\/en.wikibooks.org\/wiki\/Cryptography\/Secure_Passwords. Retrieved 10 August 2016.\n\nNotes \nThe original source for this page is the associated Wikibooks article and is shared here under the CC BY-SA 3.0 license.\n\nSource: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Password_security\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Password_security<\/a>\n\nThis page was last modified on 10 August 2016, at 22:44.\nContent is available under a Creative Commons Attribution-ShareAlike 4.0 International License unless otherwise noted.\n","c41630a44a94b431fbb84b36260b3bbe_html":"<body class=\"mediawiki ltr sitedir-ltr ns-202 ns-subject page-LII_Web_Application_Security_Guide_Password_security skin-monobook action-view\">\n<div id=\"rdp-ebb-globalWrapper\">\n\t\t<div id=\"rdp-ebb-column-content\">\n\t\t\t<div id=\"rdp-ebb-content\" class=\"mw-body\" role=\"main\">\n\t\t\t\t<a id=\"rdp-ebb-top\"><\/a>\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t<h1 id=\"rdp-ebb-firstHeading\" class=\"firstHeading\" lang=\"en\">LII:Web Application Security Guide\/Password security<\/h1>\n\t\t\t\t\n\t\t\t\t<div id=\"rdp-ebb-bodyContent\" class=\"mw-body-content\">\n\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\n\n\t\t\t\t\t<!-- start content -->\n\t\t\t\t\t<div 
id=\"rdp-ebb-mw-content-text\" lang=\"en\" dir=\"ltr\" class=\"mw-content-ltr\"><table cellspacing=\"0\" cellpadding=\"0\" style=\"clear: right; margin-bottom: .5em; float: right; padding: .5em 0 .8em 1.4em; background: none; width: auto;\">\n<tr>\n<td> \n\n<\/td><\/tr><\/table>\n<h2><span class=\"mw-headline\" id=\"Password_security\">Password security<\/span><\/h2>\n<p>Most web applications use username\/password combinations to manage access.\n<\/p>\n<h3><span class=\"mw-headline\" id=\"To_keep_password-based_login_mechanisms_secure\">To keep password-based login mechanisms secure<\/span><\/h3>\n<ul><li> Do not store plain-text passwords; store only hashes.<\/li>\n<li> Use scrypt, bcrypt, or some other hashing algorithm specifically designed for secure password \"storage\".<sup id=\"rdp-ebb-cite_ref-NielsenStoring12_1-0\" class=\"reference\"><a href=\"#cite_note-NielsenStoring12-1\" rel=\"external_link\">[1]<\/a><\/sup><sup id=\"rdp-ebb-cite_ref-CryptWB_2-0\" class=\"reference\"><a href=\"#cite_note-CryptWB-2\" rel=\"external_link\">[2]<\/a><\/sup><\/li>\n<li> Use a secure hashing algorithm (e.g. <a href=\"https:\/\/en.wikipedia.org\/wiki\/SHA-256\" class=\"extiw\" title=\"wikipedia:SHA-256\" rel=\"external_link\" target=\"_blank\">SHA-256<\/a> as of 2011).<\/li>\n<li> Use per-user salts.<\/li>\n<li> Use strengthening (i.e. multi-iteration hashing to slow down brute force attempts).<\/li>\n<li> Limit login attempts per IP (not per user account).<\/li>\n<li> Enforce reasonable, but not too strict, password policies.<\/li>\n<li> If a password reset process is implemented, make sure it has adequate security. Questions like \u201cmother\u2019s maiden name\u201d can often be guessed by attackers and are not sufficient.<\/li><\/ul>\n<h3><span class=\"mw-headline\" id=\"Rationale\">Rationale<\/span><\/h3>\n<p>Users re-use passwords for multiple services. 
If an attacker gains access to one server and can gain a list of passwords, he may be able to use this password to attack other services. Therefore, only password hashes may be stored. Secure hashing algorithms are easy to use in most languages and ensure the original password cannot be easily recovered and that wrong passwords are not falsely accepted.\n<\/p><p>Adding salts to the password hashes prevents the use of rainbow tables and significantly slows down brute-force attempts. Strengthening slows both off-line brute-force attacks against stolen hashes and on-line brute-force in case the rate limiting fails. However, it increases CPU load on the server and would open a vector for DDoS attacks if not prevented with login attempt limiting. A good strengthening can slow down off-line brute-force attacks by a factor of 10000 or more.\n<\/p><p>Limiting login attempts is necessary to prevent on-line brute-force attacks and DoS via the CPU usage of the password strengthening procedure. Without a limit, an attacker can try a very large number of passwords directly against the server. Assuming 100 attempts per second, which is reasonable for a normal web server, no significant strengthening and an attacker working with multiple threads, this would result in 259,200,000 passwords tried in a single month!\n<\/p><p>Not enforcing any password policies will lead to too many users choosing \u201c123456\u201d, \u201cqwerty\u201d or \u201cpassword\u201d as their password, opening the system up for attack. Enforcing too strict password policies will force users to save passwords or write them down, generally annoy them and foster re-using the same password for all services. Furthermore, users using secure passwords not matching the policies may be forced to use passwords which are harder to remember, but not necessarily secure. A password consisting of 5 concatenated, randomly (!) 
chosen lowercase dictionary words is significantly more secure than an eight-character password consisting of mixed case letters, numbers and punctuation. Take this into account if you do not get a password policy to implement, but have to design your own.\n<\/p><p>If an attacker cannot obtain the password, he may try to reset it. Often, answers to password reset questions are easy to find or guess. Questions alone are not sufficient protection. Consider using a question together with e-mail verification by sending a new temporary password, for example.\n<\/p>\n<h2><span class=\"mw-headline\" id=\"Further_reading\">Further reading<\/span><\/h2>\n<ul><li> <a href=\"https:\/\/en.wikipedia.org\/wiki\/Password_policy\" class=\"extiw\" title=\"wikipedia:Password policy\" rel=\"external_link\" target=\"_blank\">Password policy<\/a><\/li>\n<li> <a href=\"https:\/\/en.wikipedia.org\/wiki\/Password_strength\" class=\"extiw\" title=\"wikipedia:Password strength\" rel=\"external_link\" target=\"_blank\">Password strength<\/a><\/li><\/ul>\n<h2><span class=\"mw-headline\" id=\"References\">References<\/span><\/h2>\n<ol class=\"references\">\n<li id=\"cite_note-NielsenStoring12-1\"><span class=\"mw-cite-backlink\"><a href=\"#cite_ref-NielsenStoring12_1-0\" rel=\"external_link\">\u2191<\/a><\/span> <span class=\"reference-text\"><span class=\"citation web\">Nielsen, P.M. (6 June 2012). <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/patrickmn.com\/security\/storing-passwords-securely\/\" target=\"_blank\">\"Storing Passwords Securely\"<\/a>. <i>Patrick on<\/i><span class=\"printonly\">. <a rel=\"external_link\" class=\"external free\" href=\"https:\/\/patrickmn.com\/security\/storing-passwords-securely\/\" target=\"_blank\">https:\/\/patrickmn.com\/security\/storing-passwords-securely\/<\/a><\/span><span class=\"reference-accessdate\">. 
Retrieved 10 August 2016<\/span>.<\/span><span class=\"Z3988\" title=\"ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=bookitem&rft.btitle=Storing+Passwords+Securely&rft.atitle=Patrick+on&rft.aulast=Nielsen%2C+P.M.&rft.au=Nielsen%2C+P.M.&rft.date=06+June+2012&rft_id=https%3A%2F%2Fpatrickmn.com%2Fsecurity%2Fstoring-passwords-securely%2F&rfr_id=info:sid\/en.wikipedia.org:LII:Web_Application_Security_Guide\/Password_security\"><span style=\"display: none;\"> <\/span><\/span><\/span>\n<\/li>\n<li id=\"cite_note-CryptWB-2\"><span class=\"mw-cite-backlink\"><a href=\"#cite_ref-CryptWB_2-0\" rel=\"external_link\">\u2191<\/a><\/span> <span class=\"reference-text\"><span class=\"citation web\"><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/en.wikibooks.org\/wiki\/Cryptography\/Secure_Passwords\" target=\"_blank\">\"Cryptography\/Secure Passwords\"<\/a>. <i>Cryptography<\/i>. WikiBooks. 23 September 2015<span class=\"printonly\">. <a rel=\"external_link\" class=\"external free\" href=\"https:\/\/en.wikibooks.org\/wiki\/Cryptography\/Secure_Passwords\" target=\"_blank\">https:\/\/en.wikibooks.org\/wiki\/Cryptography\/Secure_Passwords<\/a><\/span><span class=\"reference-accessdate\">. 
Retrieved 10 August 2016<\/span>.<\/span><span class=\"Z3988\" title=\"ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=bookitem&rft.btitle=Cryptography%2FSecure+Passwords&rft.atitle=Cryptography&rft.date=23+September+2015&rft.pub=WikiBooks&rft_id=https%3A%2F%2Fen.wikibooks.org%2Fwiki%2FCryptography%2FSecure_Passwords&rfr_id=info:sid\/en.wikipedia.org:LII:Web_Application_Security_Guide\/Password_security\"><span style=\"display: none;\"> <\/span><\/span><\/span>\n<\/li>\n<\/ol>\n<h2><span class=\"mw-headline\" id=\"Notes\">Notes<\/span><\/h2>\n<p>The original source for this page is <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/en.wikibooks.org\/wiki\/Web_Application_Security_Guide\/Password_security\" target=\"_blank\">the associated Wikibooks article<\/a> and is shared here under the <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/creativecommons.org\/licenses\/by-sa\/3.0\/\" target=\"_blank\">CC BY-SA 3.0<\/a> license.\n<\/p>\n<!-- \nNewPP limit report\nCached time: 20190104225200\nCache expiry: 86400\nDynamic content: false\nCPU time usage: 0.068 seconds\nReal time usage: 0.079 seconds\nPreprocessor visited node count: 1251\/1000000\nPreprocessor generated node count: 11485\/1000000\nPost\u2010expand include size: 7273\/2097152 bytes\nTemplate argument size: 2571\/2097152 bytes\nHighest expansion depth: 11\/40\nExpensive parser function count: 0\/100\n-->\n\n<!-- \nTransclusion expansion time report (%,ms,calls,template)\n100.00% 67.144 1 - -total\n 79.43% 53.330 2 - Template:Cite_web\n 71.23% 47.825 2 - Template:Citation\/core\n 6.84% 4.590 4 - Template:Citation\/make_link\n 4.57% 3.071 1 - Template:TOC_right\n-->\n\n<!-- Saved in parser cache with key limswiki:pcache:idhash:9031-0!*!*!!en!*!* and timestamp 20190104225200 and revision id 26914\n -->\n<\/div><div class=\"printfooter\">Source: <a rel=\"external_link\" class=\"external\" 
href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Password_security\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Password_security<\/a><\/div>\n\t\t\t\t\t\t\t\t\t\t<!-- end content -->\n\t\t\t\t\t\t\t\t\t\t<div class=\"visualClear\"><\/div>\n\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t<!-- end of the left (by default at least) column -->\n\t\t<div class=\"visualClear\"><\/div>\n\t\t\t\t\t\n\t\t<\/div>\n\t\t\n\n<\/body>","c41630a44a94b431fbb84b36260b3bbe_images":[],"c41630a44a94b431fbb84b36260b3bbe_timestamp":1546642320,"e6b3471eef8a0699b4a146f6d9ddfeee_type":"article","e6b3471eef8a0699b4a146f6d9ddfeee_title":"Truncation attacks, trimming attacks","e6b3471eef8a0699b4a146f6d9ddfeee_url":"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Truncation_attacks,_trimming_attacks","e6b3471eef8a0699b4a146f6d9ddfeee_plaintext":"\n\n\t\t\n\t\t\t\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\n\n\t\t\t\tLII:Web Application Security Guide\/Truncation attacks, trimming attacks\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\tFrom LIMSWiki\n\n Contents\n\n1 Truncation attacks, trimming attacks \n\n1.1 To prevent this type of attack \n1.2 Rationale \n\n\n2 Further reading \n3 Notes \n\n\n\n\nTruncation attacks, trimming attacks \nTruncating input can be problematic if the truncation affects comparisons (e.g. checking users against a blacklist before truncation, and then truncating the name to perform the login). SQL queries can be truncated if they exceed a certain length. This can be used to execute a query with significantly different meaning (e.g. cutting off a part of a WHERE clause).\nStrings can also be automatically trimmed (leading\/trailing whitespace removed), leading to the same vulnerabilities (e.g. checking the input \"eviluser\u2423\" against the blacklist, then logging in \"eviluser\"). 
SQL may do such trimming automatically.\n\nTo prevent this type of attack \n Avoid truncating input. Treat overlong input as an error instead.\n If truncation is necessary, make sure to check the value after truncation and use only the truncated value.\n Make sure trimming does not occur or checks are done consistently.\n Introduce length checks.\n Take into account that lengths differ by encoding.\n Make sure SQL treats truncated queries as errors by setting an appropriate SQL MODE.\nRationale \nAvoiding truncation makes sure no issues can arise. If truncation is applied, performing all necessary checks after the truncation and using only the truncated value is equivalent to receiving the value in truncated form. The same rules apply for trimming. Length checks prevent unexpected truncation due to length limits. Encoding needs to be taken into account because the byte length and character length of a UTF-8 string may differ. Setting the SQL MODE so that truncation causes errors ensures that truncation cannot be abused to modify queries. 
However, the resulting errors can still cause queries to fail unexpectedly, which should be handled in a secure manner.\n\nFurther reading \n Data truncation\nNotes \nThe original source for this page is the associated Wikibooks article and is shared here under the CC BY-SA 3.0 license.\n\nSource: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Truncation_attacks,_trimming_attacks\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Truncation_attacks,_trimming_attacks<\/a>\n\nThis page was last modified on 10 August 2016, at 22:42.\nContent is available under a Creative Commons Attribution-ShareAlike 4.0 International License unless otherwise noted.\n","e6b3471eef8a0699b4a146f6d9ddfeee_html":"<body class=\"mediawiki ltr sitedir-ltr ns-202 ns-subject page-LII_Web_Application_Security_Guide_Truncation_attacks_trimming_attacks skin-monobook action-view\">\n<div id=\"rdp-ebb-globalWrapper\">\n\t\t<div id=\"rdp-ebb-column-content\">\n\t\t\t<div id=\"rdp-ebb-content\" class=\"mw-body\" role=\"main\">\n\t\t\t\t<a id=\"rdp-ebb-top\"><\/a>\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t<h1 id=\"rdp-ebb-firstHeading\" class=\"firstHeading\" lang=\"en\">LII:Web Application Security Guide\/Truncation attacks, trimming attacks<\/h1>\n\t\t\t\t\n\t\t\t\t<div id=\"rdp-ebb-bodyContent\" class=\"mw-body-content\">\n\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\n\n\t\t\t\t\t<!-- start content -->\n\t\t\t\t\t<div id=\"rdp-ebb-mw-content-text\" lang=\"en\" dir=\"ltr\" class=\"mw-content-ltr\"><table cellspacing=\"0\" cellpadding=\"0\" style=\"clear: right; margin-bottom: .5em; float: right; padding: .5em 0 .8em 1.4em; background: none; width: auto;\">\n<tr>\n<td> \n\n<\/td><\/tr><\/table>\n<h2><span class=\"mw-headline\" id=\"Truncation_attacks.2C_trimming_attacks\">Truncation attacks, trimming attacks<\/span><\/h2>\n<p>Truncating input can be problematic if the truncation affects comparisons (e.g. checking users against a blacklist before truncation, and then truncating the name to perform the login). 
SQL queries can be truncated if they exceed a certain length. This can be used to execute a query with significantly different meaning (e.g. cutting off a part of a <code>WHERE<\/code> clause).\nStrings can also be automatically trimmed (leading\/trailing whitespace removed), leading to the same vulnerabilities (e.g. checking the input \"<tt>eviluser\u2423<\/tt>\" against the blacklist, then logging in \"<tt>eviluser<\/tt>\"). SQL may do such trimming automatically.\n<\/p>\n<h3><span class=\"mw-headline\" id=\"To_prevent_this_type_of_attack\">To prevent this type of attack<\/span><\/h3>\n<ul><li> Avoid truncating input. Treat overlong input as an error instead.<\/li>\n<li> If truncation is necessary, make sure to check the value after truncation and use only the truncated value.<\/li>\n<li> Make sure trimming does not occur or checks are done consistently.<\/li>\n<li> Introduce length checks.\n<ul><li> Take into account that lengths differ by encoding.<\/li><\/ul><\/li>\n<li> Make sure SQL treats truncated queries as errors by setting an appropriate <tt>SQL MODE<\/tt>.<\/li><\/ul>\n<h3><span class=\"mw-headline\" id=\"Rationale\">Rationale<\/span><\/h3>\n<p>Avoiding truncation makes sure no issues can arise. If truncation is applied, performing all necessary checks after the truncation and using only the truncated value is equivalent to receiving the value in truncated form. The same rules apply for trimming. Length checks prevent unexpected truncation due to length limits. Encoding needs to be taken into account because the byte length and character length of a UTF-8 string may differ. Setting the SQL MODE so that truncation causes errors ensures that truncation cannot be abused to modify queries. 
However, the resulting errors can still cause queries to fail unexpectedly, which should be handled in a secure manner.\n<\/p>\n<h2><span class=\"mw-headline\" id=\"Further_reading\">Further reading<\/span><\/h2>\n<ul><li> <a href=\"https:\/\/en.wikipedia.org\/wiki\/Data_truncation\" class=\"extiw\" title=\"wikipedia:Data truncation\" rel=\"external_link\" target=\"_blank\">Data truncation<\/a><\/li><\/ul>\n<h2><span class=\"mw-headline\" id=\"Notes\">Notes<\/span><\/h2>\n<p>The original source for this page is <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/en.wikibooks.org\/wiki\/Web_Application_Security_Guide\/Truncation_attacks,_trimming_attacks\" target=\"_blank\">the associated Wikibooks article<\/a> and is shared here under the <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/creativecommons.org\/licenses\/by-sa\/3.0\/\" target=\"_blank\">CC BY-SA 3.0<\/a> license.\n<\/p>\n<!-- \nNewPP limit report\nCached time: 20190104225200\nCache expiry: 86400\nDynamic content: false\nCPU time usage: 0.010 seconds\nReal time usage: 0.014 seconds\nPreprocessor visited node count: 27\/1000000\nPreprocessor generated node count: 86\/1000000\nPost\u2010expand include size: 165\/2097152 bytes\nTemplate argument size: 0\/2097152 bytes\nHighest expansion depth: 3\/40\nExpensive parser function count: 0\/100\n-->\n\n<!-- \nTransclusion expansion time report (%,ms,calls,template)\n100.00% 3.055 1 - Template:TOC_right\n100.00% 3.055 1 - -total\n-->\n\n<!-- Saved in parser cache with key limswiki:pcache:idhash:9030-0!*!*!!en!*!* and timestamp 20190104225200 and revision id 26913\n -->\n<\/div><div class=\"printfooter\">Source: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Truncation_attacks,_trimming_attacks\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Truncation_attacks,_trimming_attacks<\/a><\/div>\n\t\t\t\t\t\t\t\t\t\t<!-- end content 
-->\n\t\t\t\t\t\t\t\t\t\t<div class=\"visualClear\"><\/div>\n\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t<!-- end of the left (by default at least) column -->\n\t\t<div class=\"visualClear\"><\/div>\n\t\t\t\t\t\n\t\t<\/div>\n\t\t\n\n<\/body>","e6b3471eef8a0699b4a146f6d9ddfeee_images":[],"e6b3471eef8a0699b4a146f6d9ddfeee_timestamp":1546642320,"7c040f2ac67d7ff8ac0517c25531ccc2_type":"article","7c040f2ac67d7ff8ac0517c25531ccc2_title":"Session stealing","7c040f2ac67d7ff8ac0517c25531ccc2_url":"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Session_stealing","7c040f2ac67d7ff8ac0517c25531ccc2_plaintext":"\n\n\t\t\n\t\t\t\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\n\n\t\t\t\tLII:Web Application Security Guide\/Session stealing\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\tFrom LIMSWiki\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\tJump to: navigation, search\n\n\t\t\t\t\t\n\t\t\t\t\t\n\n Contents\n\n1 Session stealing \n\n1.1 To prevent this type of attack \n1.2 Rationale \n\n\n2 Further reading \n3 Notes \n\n\n\n\nSession stealing \nAn attacker who is able to obtain or guess the session ID can steal the session and abuse the privileges of the user.\n\nTo prevent this type of attack \n Set the \u201cHttpOnly\u201d attribute for session cookies.\n Generate random session IDs with secure randomness and sufficient length.\n Do not leak session IDs.\nRationale \nSetting the \u201cHttpOnly\u201d attribute on cookies prevents them from being read using JavaScript. This makes it harder to perform successful XSS attacks. Random, secure session IDs prevent the attacker from guessing a valid session ID. Ensuring that session IDs do not leak, for example in Referer information, copied links and HTML content from the site etc. 
makes sure that the attacker cannot obtain the session ID in this way.\n\nFurther reading \n Session hijacking\nNotes \nThe original source for this page is the associated Wikibooks article and is shared here under the CC BY-SA 3.0 license.\n\n\n\n\n\n\nSource: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Session_stealing\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Session_stealing<\/a>\n\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\n\t\t\t\n\t\t\n\t\t\n\t\t\tNavigation menu\n\t\t\t\t\t\n\t\t\tViews\n\n\t\t\t\n\t\t\t\t\n\t\t\t\tLII\n\t\t\t\tDiscussion\n\t\t\t\tView source\n\t\t\t\tHistory\n\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\n\t\t\t\t\n\t\t\t\tPersonal tools\n\n\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\t\t\tLog in\n\t\t\t\t\t\t\t\t\t\t\t\t\tRequest account\n\t\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\n\t\t\t\n\t\t\t\n\t\t\t\t\n\t\t\t\n\t\t\t\t\n\t\tNavigation\n\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\tMain page\n\t\t\t\t\t\t\t\t\t\t\tRecent changes\n\t\t\t\t\t\t\t\t\t\t\tRandom page\n\t\t\t\t\t\t\t\t\t\t\tHelp\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\n\t\t\t\n\t\t\tSearch\n\n\t\t\t\n\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t \n\t\t\t\t\t\t\n\t\t\t\t\n\n\t\t\t\t\t\t\t\n\t\t\n\t\t\t\n\t\t\tTools\n\n\t\t\t\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\tWhat links here\n\t\t\t\t\t\t\t\t\t\t\tRelated changes\n\t\t\t\t\t\t\t\t\t\t\tSpecial pages\n\t\t\t\t\t\t\t\t\t\t\tPermanent link\n\t\t\t\t\t\t\t\t\t\t\tPage information\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\n\t\t\n\t\tPrint\/export\n\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\tCreate a book\n\t\t\t\t\t\t\t\t\t\t\tDownload as PDF\n\t\t\t\t\t\t\t\t\t\t\tDownload as Plain text\n\t\t\t\t\t\t\t\t\t\t\tPrintable version\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\n\t\t\n\t\tSponsors\n\t\t\n\t\t\t \r\n\n\t\r\n\n\t\r\n\n\t\r\n\n\t\n\t\r\n\n \r\n\n\t\n\t\r\n\n 
\r\n\n\t\n\t\r\n\n\t\n\t\r\n\n\t\r\n\n\t\r\n\n\t\r\n\t\t\n\t\t\n\t\t\t\n\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t This page was last modified on 10 August 2016, at 22:39.\n\t\t\t\t\t\t\t\t\tThis page has been accessed 358 times.\n\t\t\t\t\t\t\t\t\tContent is available under a Creative Commons Attribution-ShareAlike 4.0 International License unless otherwise noted.\n\t\t\t\t\t\t\t\t\tPrivacy policy\n\t\t\t\t\t\t\t\t\tAbout LIMSWiki\n\t\t\t\t\t\t\t\t\tDisclaimers\n\t\t\t\t\t\t\t\n\t\t\n\t\t\n\t\t\n\n","7c040f2ac67d7ff8ac0517c25531ccc2_html":"<body class=\"mediawiki ltr sitedir-ltr ns-202 ns-subject page-LII_Web_Application_Security_Guide_Session_stealing skin-monobook action-view\">\n<div id=\"rdp-ebb-globalWrapper\">\n\t\t<div id=\"rdp-ebb-column-content\">\n\t\t\t<div id=\"rdp-ebb-content\" class=\"mw-body\" role=\"main\">\n\t\t\t\t<a id=\"rdp-ebb-top\"><\/a>\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t<h1 id=\"rdp-ebb-firstHeading\" class=\"firstHeading\" lang=\"en\">LII:Web Application Security Guide\/Session stealing<\/h1>\n\t\t\t\t\n\t\t\t\t<div id=\"rdp-ebb-bodyContent\" class=\"mw-body-content\">\n\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\n\n\t\t\t\t\t<!-- start content -->\n\t\t\t\t\t<div id=\"rdp-ebb-mw-content-text\" lang=\"en\" dir=\"ltr\" class=\"mw-content-ltr\"><table cellspacing=\"0\" cellpadding=\"0\" style=\"clear: right; margin-bottom: .5em; float: right; padding: .5em 0 .8em 1.4em; background: none; width: auto;\">\n<tr>\n<td> \n\n<\/td><\/tr><\/table>\n<h2><span class=\"mw-headline\" id=\"Session_stealing\">Session stealing<\/span><\/h2>\n<p>An attacker who is able to obtain or guess the session ID can steal the session and abuse the privileges of the user.\n<\/p>\n<h3><span class=\"mw-headline\" id=\"To_prevent_this_type_of_attack\">To prevent this type of attack<\/span><\/h3>\n<ul><li> Set the \u201cHttpOnly\u201d attribute for session 
cookies.<\/li>\n<li> Generate random session IDs with secure randomness and sufficient length.<\/li>\n<li> Do not leak session IDs.<\/li><\/ul>\n<h3><span class=\"mw-headline\" id=\"Rationale\">Rationale<\/span><\/h3>\n<p>Setting the \u201cHttpOnly\u201d attribute on cookies prevents them from being read using JavaScript. This makes it harder to perform successful XSS attacks. Random, secure session IDs prevent the attacker from guessing a valid session ID. Ensuring that session IDs do not leak, for example in Referer information, copied links and HTML content from the site etc. makes sure that the attacker cannot obtain the session ID in this way.\n<\/p>\n<h2><span class=\"mw-headline\" id=\"Further_reading\">Further reading<\/span><\/h2>\n<ul><li> <a href=\"https:\/\/en.wikipedia.org\/wiki\/Session_hijacking\" class=\"extiw\" title=\"wikipedia:Session hijacking\" rel=\"external_link\" target=\"_blank\">Session hijacking<\/a><\/li><\/ul>\n<h2><span class=\"mw-headline\" id=\"Notes\">Notes<\/span><\/h2>\n<p>The original source for this page is <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/en.wikibooks.org\/wiki\/Web_Application_Security_Guide\/Session_stealing\" target=\"_blank\">the associated Wikibooks article<\/a> and is shared here under the <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/creativecommons.org\/licenses\/by-sa\/3.0\/\" target=\"_blank\">CC BY-SA 3.0<\/a> license.\n<\/p>\n<!-- \nNewPP limit report\nCached time: 20190104225200\nCache expiry: 86400\nDynamic content: false\nCPU time usage: 0.010 seconds\nReal time usage: 0.013 seconds\nPreprocessor visited node count: 27\/1000000\nPreprocessor generated node count: 86\/1000000\nPost\u2010expand include size: 165\/2097152 bytes\nTemplate argument size: 0\/2097152 bytes\nHighest expansion depth: 3\/40\nExpensive parser function count: 0\/100\n-->\n\n<!-- \nTransclusion expansion time report (%,ms,calls,template)\n100.00% 2.903 1 - Template:TOC_right\n100.00% 2.903 
1 - -total\n-->\n\n<!-- Saved in parser cache with key limswiki:pcache:idhash:9029-0!*!*!!en!*!* and timestamp 20190104225200 and revision id 26912\n -->\n<\/div><div class=\"printfooter\">Source: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Session_stealing\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Session_stealing<\/a><\/div>\n\t\t\t\t\t\t\t\t\t\t<!-- end content -->\n\t\t\t\t\t\t\t\t\t\t<div class=\"visualClear\"><\/div>\n\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t<!-- end of the left (by default at least) column -->\n\t\t<div class=\"visualClear\"><\/div>\n\t\t\t\t\t\n\t\t<\/div>\n\t\t\n\n<\/body>","7c040f2ac67d7ff8ac0517c25531ccc2_images":[],"7c040f2ac67d7ff8ac0517c25531ccc2_timestamp":1546642320,"9fb164a42840c24a5ae22cf9d7f16827_type":"article","9fb164a42840c24a5ae22cf9d7f16827_title":"Session fixation","9fb164a42840c24a5ae22cf9d7f16827_url":"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Session_fixation","9fb164a42840c24a5ae22cf9d7f16827_plaintext":"\n\n\t\t\n\t\t\t\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\n\n\t\t\t\tLII:Web Application Security Guide\/Session fixation\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\tFrom LIMSWiki\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\tJump to: navigation, search\n\n\t\t\t\t\t\n\t\t\t\t\t\n\n Contents\n\n1 Session fixation \n\n1.1 To prevent this type of attack \n1.2 Rationale \n\n\n2 Further reading \n3 Notes \n\n\n\n\nSession fixation \nIn a session fixation attack, an attacker creates an unauthenticated session and then tricks a user to use and authenticate the session. 
As soon as the user has authenticated, the attacker can then use the session, as he knows the session id.\n\nTo prevent this type of attack \n Regenerate (change) the session ID as soon as the user logs in (destroying the old session).\n Prevent the attacker from making the user use his session by accepting session IDs only from cookies, not from GET or POST parameters (PHP: php.ini setting \u201csession.use_only_cookies\u201d).\nRationale \nRegenerating the ID makes the old session ID worthless to the attacker. Even if the attacker manages to fix a session, his session will never be authenticated. The second countermeasure is aimed at making it impossible to fix the session. However, XSS or similar issues with other applications on the same domain (not necessarily sub-domain!) may allow attackers to set false cookies.\n\nFurther reading \n Session fixation\nNotes \nThe original source for this page is the associated Wikibooks article and is shared here under the CC BY-SA 3.0 license.\n\n\n\n\n\n\nSource: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Session_fixation\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Session_fixation<\/a>\n\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\n\t\t\t\n\t\t\n\t\t\n\t\t\tNavigation menu\n\t\t\t\t\t\n\t\t\tViews\n\n\t\t\t\n\t\t\t\t\n\t\t\t\tLII\n\t\t\t\tDiscussion\n\t\t\t\tView source\n\t\t\t\tHistory\n\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\n\t\t\t\t\n\t\t\t\tPersonal tools\n\n\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\t\t\tLog in\n\t\t\t\t\t\t\t\t\t\t\t\t\tRequest account\n\t\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\n\t\t\t\n\t\t\t\n\t\t\t\t\n\t\t\t\n\t\t\t\t\n\t\tNavigation\n\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\tMain page\n\t\t\t\t\t\t\t\t\t\t\tRecent changes\n\t\t\t\t\t\t\t\t\t\t\tRandom 
page\n\t\t\t\t\t\t\t\t\t\t\tHelp\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\n\t\t\t\n\t\t\tSearch\n\n\t\t\t\n\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t \n\t\t\t\t\t\t\n\t\t\t\t\n\n\t\t\t\t\t\t\t\n\t\t\n\t\t\t\n\t\t\tTools\n\n\t\t\t\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\tWhat links here\n\t\t\t\t\t\t\t\t\t\t\tRelated changes\n\t\t\t\t\t\t\t\t\t\t\tSpecial pages\n\t\t\t\t\t\t\t\t\t\t\tPermanent link\n\t\t\t\t\t\t\t\t\t\t\tPage information\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\n\t\t\n\t\tPrint\/export\n\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\tCreate a book\n\t\t\t\t\t\t\t\t\t\t\tDownload as PDF\n\t\t\t\t\t\t\t\t\t\t\tDownload as Plain text\n\t\t\t\t\t\t\t\t\t\t\tPrintable version\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\n\t\t\n\t\tSponsors\n\t\t\n\t\t\t \r\n\n\t\r\n\n\t\r\n\n\t\r\n\n\t\n\t\r\n\n \r\n\n\t\n\t\r\n\n \r\n\n\t\n\t\r\n\n\t\n\t\r\n\n\t\r\n\n\t\r\n\n\t\r\n\t\t\n\t\t\n\t\t\t\n\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t This page was last modified on 10 August 2016, at 22:38.\n\t\t\t\t\t\t\t\t\tThis page has been accessed 294 times.\n\t\t\t\t\t\t\t\t\tContent is available under a Creative Commons Attribution-ShareAlike 4.0 International License unless otherwise noted.\n\t\t\t\t\t\t\t\t\tPrivacy policy\n\t\t\t\t\t\t\t\t\tAbout LIMSWiki\n\t\t\t\t\t\t\t\t\tDisclaimers\n\t\t\t\t\t\t\t\n\t\t\n\t\t\n\t\t\n\n","9fb164a42840c24a5ae22cf9d7f16827_html":"<body class=\"mediawiki ltr sitedir-ltr ns-202 ns-subject page-LII_Web_Application_Security_Guide_Session_fixation skin-monobook action-view\">\n<div id=\"rdp-ebb-globalWrapper\">\n\t\t<div id=\"rdp-ebb-column-content\">\n\t\t\t<div id=\"rdp-ebb-content\" class=\"mw-body\" role=\"main\">\n\t\t\t\t<a id=\"rdp-ebb-top\"><\/a>\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t<h1 id=\"rdp-ebb-firstHeading\" class=\"firstHeading\" lang=\"en\">LII:Web Application Security Guide\/Session fixation<\/h1>\n\t\t\t\t\n\t\t\t\t<div 
id=\"rdp-ebb-bodyContent\" class=\"mw-body-content\">\n\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\n\n\t\t\t\t\t<!-- start content -->\n\t\t\t\t\t<div id=\"rdp-ebb-mw-content-text\" lang=\"en\" dir=\"ltr\" class=\"mw-content-ltr\"><table cellspacing=\"0\" cellpadding=\"0\" style=\"clear: right; margin-bottom: .5em; float: right; padding: .5em 0 .8em 1.4em; background: none; width: auto;\">\n<tr>\n<td> \n\n<\/td><\/tr><\/table>\n<h2><span class=\"mw-headline\" id=\"Session_fixation\">Session fixation<\/span><\/h2>\n<p>In a session fixation attack, an attacker creates an unauthenticated session and then tricks a user to use and authenticate the session. As soon as the user has authenticated, the attacker can then use the session, as he knows the session id.\n<\/p>\n<h3><span class=\"mw-headline\" id=\"To_prevent_this_type_of_attack\">To prevent this type of attack<\/span><\/h3>\n<ul><li> Regenerate (change) the session ID as soon as the user logs in (destroying the old session).<\/li>\n<li> Prevent the attacker from making the user use his session by accepting session IDs only from cookies, not from GET or POST parameters (PHP: php.ini setting \u201c<tt>session.use_only_cookies<\/tt>\u201d).<\/li><\/ul>\n<h3><span class=\"mw-headline\" id=\"Rationale\">Rationale<\/span><\/h3>\n<p>Regenerating the ID makes the old session ID worthless to the attacker. Even if the attacker manages to fix a session, his session will never be authenticated. The second countermeasure is aimed at making it impossible to fix the session. However, XSS or similar issues with other applications on the same domain (not necessarily sub-domain!) 
may allow attackers to set false cookies.\n<\/p>\n<h2><span class=\"mw-headline\" id=\"Further_reading\">Further reading<\/span><\/h2>\n<ul><li> <a href=\"https:\/\/en.wikipedia.org\/wiki\/Session_fixation\" class=\"extiw\" title=\"wikipedia:Session fixation\" rel=\"external_link\" target=\"_blank\">Session fixation<\/a><\/li><\/ul>\n<h2><span class=\"mw-headline\" id=\"Notes\">Notes<\/span><\/h2>\n<p>The original source for this page is <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/en.wikibooks.org\/wiki\/Web_Application_Security_Guide\/Session_fixation\" target=\"_blank\">the associated Wikibooks article<\/a> and is shared here under the <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/creativecommons.org\/licenses\/by-sa\/3.0\/\" target=\"_blank\">CC BY-SA 3.0<\/a> license.\n<\/p>\n<!-- \nNewPP limit report\nCached time: 20190104225200\nCache expiry: 86400\nDynamic content: false\nCPU time usage: 0.009 seconds\nReal time usage: 0.013 seconds\nPreprocessor visited node count: 27\/1000000\nPreprocessor generated node count: 86\/1000000\nPost\u2010expand include size: 165\/2097152 bytes\nTemplate argument size: 0\/2097152 bytes\nHighest expansion depth: 3\/40\nExpensive parser function count: 0\/100\n-->\n\n<!-- \nTransclusion expansion time report (%,ms,calls,template)\n100.00% 3.164 1 - Template:TOC_right\n100.00% 3.164 1 - -total\n-->\n\n<!-- Saved in parser cache with key limswiki:pcache:idhash:9028-0!*!*!!en!*!* and timestamp 20190104225200 and revision id 26911\n -->\n<\/div><div class=\"printfooter\">Source: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Session_fixation\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Session_fixation<\/a><\/div>\n\t\t\t\t\t\t\t\t\t\t<!-- end content -->\n\t\t\t\t\t\t\t\t\t\t<div class=\"visualClear\"><\/div>\n\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t<!-- end of the left (by 
default at least) column -->\n\t\t<div class=\"visualClear\"><\/div>\n\t\t\t\t\t\n\t\t<\/div>\n\t\t\n\n<\/body>","9fb164a42840c24a5ae22cf9d7f16827_images":[],"9fb164a42840c24a5ae22cf9d7f16827_timestamp":1546642319,"08ea7349146b981be92d29df45ea3c22_type":"article","08ea7349146b981be92d29df45ea3c22_title":"Insecure data transfer","08ea7349146b981be92d29df45ea3c22_url":"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Insecure_data_transfer","08ea7349146b981be92d29df45ea3c22_plaintext":"\n\n\t\t\n\t\t\t\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\n\n\t\t\t\tLII:Web Application Security Guide\/Insecure data transfer\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\tFrom LIMSWiki\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\tJump to: navigation, search\n\n\t\t\t\t\t\n\t\t\t\t\t\n\n Contents\n\n1 Insecure data transfer \n\n1.1 To prevent this type of attack \n1.2 Rationale \n\n\n2 Further reading \n3 Notes \n\n\n\n\nInsecure data transfer \nData transferred unencrypted can be sniffed. This can not only give an attacker valuable information, but also the content of session cookies, allowing him to hijack a session. Additionally, non-secure communication can be modified by an attacker.\n\nTo prevent this type of attack \n Use SSL\/TLS (https) for any and all data transfer.\n Do not start communicating via http, only redirecting to https when \u201cneeded\u201d.\n Mark cookies with the \u201csecure\u201d attribute.\n Use the Strict-Transport-Security header where possible.\n Educate users to visit the https:\/\/ URL directly.\n If your web application performs HTTPS requests, make sure it verifies the certificate and host name.\n Consider limiting trusted CAs if connecting to internal servers.\nRationale \nUsing https ensures all data transfer is encrypted and the server is authenticated. Redirects sent on unencrypted pages can be removed or modified by the attacker. 
Thus, the transition from plain http to https can be sabotaged, making any plain http communication before switching to https dangerous. Marking the cookies secure-only ensures they are never transferred via unencrypted connections to prevent sniffing.\nThe STS header ensures that after the first visit, even if users visit the http:\/\/ URL, the request is performed via secure https. This prevents attacks like the SSLstrip attack on the unencrypted redirect. Educating the user to visit the https:\/\/ URL directly provides this protection for the first request and browsers that do not support STS and thus ignore the header. This education can be supported by serving nothing or only an information page without a clickable link on port 80 to force users to enter the correct URL and remove the incentive to be lazy and omit the \u201chttps:\/\/\u201d.\nIn some web applications, the web server performs HTTPS requests (for example when fetching or pushing data to APIs or running the OpenID or OAuth protocols). HTTPS is only secure if the software initiating the connection (i.e. your web application) correctly verifies the remote certificate:\n\n Checks if the certificate is still valid\n Checks if the certificate is signed by a trusted CA (a list of trusted CAs is needed)\n Checks if the hostname you are connecting to matches the name in the certificate (the wrapper performing the SSL handling needs access to the host name)\nSome libraries do not do this by default, making HTTPS connections insecure! Consider it suspicious if you are not required to provide a list of trusted CAs, or it looks like the SSL wrapper does not have access to the host name you are connecting to. To test for this issue, attempt to connect to a host that uses a non-expired self-signed certificate, then attempt to connect to a host that uses a valid certificate, but use a different hostname (e.g. address the host by its IP address) than the one specified in the certificate. 
If either of these connections succeed, your library\/configuration is insecure.\nIn PHP, both standard ways to perform HTTP(S) requests have issues: The cURL library doesn't check certificates by default if used with cURL below version 7.10. The Stream API always requires explicit configuration (affecting all functions using url_fopen, e.g. fopen(), file(), file_get_contents()). For cURL, set CURLOPT_SSL_VERIFYPEER and CURLOPT_CAINFO. For the Stream API, use a stream context with the verify_peer, CN_match and cafile SSL context options.\nIf you are connecting to internal servers, consider limiting the list of trusted CAs to the CA you are using. This reduces the risk from compromised\/malicious CAs. The default CA bundles often include CAs which you may not consider trustworthy, e.g. the Chinese internet authority CNNIC.\n\nFurther reading \n Encryption\n HTTPS\nNotes \nThe original source for this page is the associated Wikibooks article and is shared here under the CC BY-SA 3.0 license.\n\n\n\n\n\n\nSource: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Insecure_data_transfer\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Insecure_data_transfer<\/a>\n\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\n\t\t\t\n\t\t\n\t\t\n\t\t\tNavigation menu\n\t\t\t\t\t\n\t\t\tViews\n\n\t\t\t\n\t\t\t\t\n\t\t\t\tLII\n\t\t\t\tDiscussion\n\t\t\t\tView source\n\t\t\t\tHistory\n\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\n\t\t\t\t\n\t\t\t\tPersonal tools\n\n\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\t\t\tLog in\n\t\t\t\t\t\t\t\t\t\t\t\t\tRequest account\n\t\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\n\t\t\t\n\t\t\t\n\t\t\t\t\n\t\t\t\n\t\t\t\t\n\t\tNavigation\n\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\tMain page\n\t\t\t\t\t\t\t\t\t\t\tRecent changes\n\t\t\t\t\t\t\t\t\t\t\tRandom 
page\n\t\t\t\t\t\t\t\t\t\t\tHelp\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\n\t\t\t\n\t\t\tSearch\n\n\t\t\t\n\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t \n\t\t\t\t\t\t\n\t\t\t\t\n\n\t\t\t\t\t\t\t\n\t\t\n\t\t\t\n\t\t\tTools\n\n\t\t\t\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\tWhat links here\n\t\t\t\t\t\t\t\t\t\t\tRelated changes\n\t\t\t\t\t\t\t\t\t\t\tSpecial pages\n\t\t\t\t\t\t\t\t\t\t\tPermanent link\n\t\t\t\t\t\t\t\t\t\t\tPage information\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\n\t\t\n\t\tPrint\/export\n\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\tCreate a book\n\t\t\t\t\t\t\t\t\t\t\tDownload as PDF\n\t\t\t\t\t\t\t\t\t\t\tDownload as Plain text\n\t\t\t\t\t\t\t\t\t\t\tPrintable version\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\n\t\t\n\t\tSponsors\n\t\t\n\t\t\t \r\n\n\t\r\n\n\t\r\n\n\t\r\n\n\t\n\t\r\n\n \r\n\n\t\n\t\r\n\n \r\n\n\t\n\t\r\n\n\t\n\t\r\n\n\t\r\n\n\t\r\n\n\t\r\n\t\t\n\t\t\n\t\t\t\n\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t This page was last modified on 10 August 2016, at 22:36.\n\t\t\t\t\t\t\t\t\tThis page has been accessed 296 times.\n\t\t\t\t\t\t\t\t\tContent is available under a Creative Commons Attribution-ShareAlike 4.0 International License unless otherwise noted.\n\t\t\t\t\t\t\t\t\tPrivacy policy\n\t\t\t\t\t\t\t\t\tAbout LIMSWiki\n\t\t\t\t\t\t\t\t\tDisclaimers\n\t\t\t\t\t\t\t\n\t\t\n\t\t\n\t\t\n\n","08ea7349146b981be92d29df45ea3c22_html":"<body class=\"mediawiki ltr sitedir-ltr ns-202 ns-subject page-LII_Web_Application_Security_Guide_Insecure_data_transfer skin-monobook action-view\">\n<div id=\"rdp-ebb-globalWrapper\">\n\t\t<div id=\"rdp-ebb-column-content\">\n\t\t\t<div id=\"rdp-ebb-content\" class=\"mw-body\" role=\"main\">\n\t\t\t\t<a id=\"rdp-ebb-top\"><\/a>\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t<h1 id=\"rdp-ebb-firstHeading\" class=\"firstHeading\" lang=\"en\">LII:Web Application Security Guide\/Insecure data transfer<\/h1>\n\t\t\t\t\n\t\t\t\t<div 
id=\"rdp-ebb-bodyContent\" class=\"mw-body-content\">\n\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\n\n\t\t\t\t\t<!-- start content -->\n\t\t\t\t\t<div id=\"rdp-ebb-mw-content-text\" lang=\"en\" dir=\"ltr\" class=\"mw-content-ltr\"><table cellspacing=\"0\" cellpadding=\"0\" style=\"clear: right; margin-bottom: .5em; float: right; padding: .5em 0 .8em 1.4em; background: none; width: auto;\">\n<tr>\n<td> \n\n<\/td><\/tr><\/table>\n<h2><span class=\"mw-headline\" id=\"Insecure_data_transfer\">Insecure data transfer<\/span><\/h2>\n<p>Data transferred unencrypted can be sniffed. This can not only give an attacker valuable information, but also the content of session cookies, allowing him to hijack a session. Additionally, non-secure communication can be modified by an attacker.\n<\/p>\n<h3><span class=\"mw-headline\" id=\"To_prevent_this_type_of_attack\">To prevent this type of attack<\/span><\/h3>\n<ul><li> Use SSL\/TLS (https) for any and all data transfer.<\/li>\n<li> Do <b>not<\/b> start communicating via http, only redirecting to https when \u201cneeded\u201d.<\/li>\n<li> Mark cookies with the \u201csecure\u201d attribute.<\/li>\n<li> Use the Strict-Transport-Security header where possible.<\/li>\n<li> Educate users to visit the <tt>https:\/\/<\/tt> URL directly.<\/li>\n<li> If your web application performs HTTPS requests, make sure it verifies the certificate and host name.\n<ul><li> Consider limiting trusted CAs if connecting to internal servers.<\/li><\/ul><\/li><\/ul>\n<h3><span class=\"mw-headline\" id=\"Rationale\">Rationale<\/span><\/h3>\n<p>Using https ensures all data transfer is encrypted and the server is authenticated. Redirects sent on unencrypted pages can be removed or modified by the attacker. Thus, the transition from plain http to https can be sabotaged, making any plain http communication before switching to https dangerous. 
Marking the cookies secure-only ensures they are never transferred via unencrypted connections to prevent sniffing.\n<\/p><p>The STS header ensures that after the first visit, even if users visit the <tt>http:\/\/<\/tt> URL, the request is performed via secure https. This prevents attacks like the SSLstrip attack on the unencrypted redirect. Educating the user to visit the <tt>https:\/\/<\/tt> URL directly provides this protection for the first request and browsers that do not support STS and thus ignore the header. This education can be supported by serving nothing or only an information page without a clickable link on port 80 to force users to enter the correct URL and remove the incentive to be lazy and omit the \u201c<tt>https:\/\/<\/tt>\u201d.\n<\/p><p>In some web applications, the web server performs HTTPS requests (for example when fetching or pushing data to APIs or running the OpenID or OAuth protocols). HTTPS is only secure if the software initiating the connection (i.e. your web application) correctly verifies the remote certificate:\n<\/p>\n<ul><li> Checks if the certificate is still valid<\/li>\n<li> Checks if the certificate is signed by a trusted CA (a list of trusted CAs is needed)<\/li>\n<li> Checks if the hostname you are connecting to matches the name in the certificate (the wrapper performing the SSL handling needs access to the host name)<\/li><\/ul>\n<p>Some libraries do not do this by default, making HTTPS connections insecure! Consider it suspicious if you are not required to provide a list of trusted CAs, or it looks like the SSL wrapper does not have access to the host name you are connecting to. To test for this issue, attempt to connect to a host that uses a non-expired self-signed certificate, then attempt to connect to a host that uses a valid certificate, but use a different hostname (e.g. address the host by its IP address) than the one specified in the certificate. 
If either of these connections succeed, your library\/configuration is insecure.\n<\/p><p>In PHP, both standard ways to perform HTTP(S) requests have issues: The cURL library doesn't check certificates by default if used with cURL below version 7.10. The Stream API always requires explicit configuration (affecting all functions using <code>url_fopen<\/code>, e.g. <code>fopen()<\/code>, <code>file()<\/code>, <code>file_get_contents()<\/code>). For cURL, set <code>CURLOPT_SSL_VERIFYPEER<\/code> and <code>CURLOPT_CAINFO<\/code>. For the Stream API, use a stream context with the <code>verify_peer<\/code>, <code>CN_match<\/code> and <code>cafile<\/code> <a rel=\"external_link\" class=\"external text\" href=\"http:\/\/de2.php.net\/manual\/en\/context.ssl.php\" target=\"_blank\">SSL context options<\/a>.\n<\/p><p>If you are connecting to internal servers, consider limiting the list of trusted CAs to the CA you are using. This reduces the risk from compromised\/malicious CAs. The default CA bundles often include CAs which you may not consider trustworthy, e.g. 
the Chinese internet authority <a href=\"https:\/\/en.wikipedia.org\/wiki\/CNNIC\" class=\"extiw\" title=\"wikipedia:CNNIC\" rel=\"external_link\" target=\"_blank\">CNNIC<\/a>.\n<\/p>\n<h2><span class=\"mw-headline\" id=\"Further_reading\">Further reading<\/span><\/h2>\n<ul><li> <a href=\"https:\/\/en.wikipedia.org\/wiki\/Encryption\" class=\"extiw\" title=\"wikipedia:Encryption\" rel=\"external_link\" target=\"_blank\">Encryption<\/a><\/li>\n<li> <a href=\"https:\/\/en.wikipedia.org\/wiki\/HTTPS\" class=\"extiw\" title=\"wikipedia:HTTPS\" rel=\"external_link\" target=\"_blank\">HTTPS<\/a><\/li><\/ul>\n<h2><span class=\"mw-headline\" id=\"Notes\">Notes<\/span><\/h2>\n<p>The original source for this page is <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/en.wikibooks.org\/wiki\/Web_Application_Security_Guide\/Insecure_data_transfer\" target=\"_blank\">the associated Wikibooks article<\/a> and is shared here under the <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/creativecommons.org\/licenses\/by-sa\/3.0\/\" target=\"_blank\">CC BY-SA 3.0<\/a> license.\n<\/p>\n<!-- \nNewPP limit report\nCached time: 20190104225159\nCache expiry: 86400\nDynamic content: false\nCPU time usage: 0.011 seconds\nReal time usage: 0.015 seconds\nPreprocessor visited node count: 27\/1000000\nPreprocessor generated node count: 86\/1000000\nPost\u2010expand include size: 165\/2097152 bytes\nTemplate argument size: 0\/2097152 bytes\nHighest expansion depth: 3\/40\nExpensive parser function count: 0\/100\n-->\n\n<!-- \nTransclusion expansion time report (%,ms,calls,template)\n100.00% 3.188 1 - Template:TOC_right\n100.00% 3.188 1 - -total\n-->\n\n<!-- Saved in parser cache with key limswiki:pcache:idhash:9027-0!*!*!!en!*!* and timestamp 20190104225159 and revision id 26910\n -->\n<\/div><div class=\"printfooter\">Source: <a rel=\"external_link\" class=\"external\" 
href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Insecure_data_transfer\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Insecure_data_transfer<\/a><\/div>\n\t\t\t\t\t\t\t\t\t\t<!-- end content -->\n\t\t\t\t\t\t\t\t\t\t<div class=\"visualClear\"><\/div>\n\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t<!-- end of the left (by default at least) column -->\n\t\t<div class=\"visualClear\"><\/div>\n\t\t\t\t\t\n\t\t<\/div>\n\t\t\n\n<\/body>","08ea7349146b981be92d29df45ea3c22_images":[],"08ea7349146b981be92d29df45ea3c22_timestamp":1546642319,"f052b1a9962cd409a0d68e10cc6d01b5_type":"article","f052b1a9962cd409a0d68e10cc6d01b5_title":"Clickjacking","f052b1a9962cd409a0d68e10cc6d01b5_url":"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Clickjacking","f052b1a9962cd409a0d68e10cc6d01b5_plaintext":"\n\n\t\t\n\t\t\t\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\n\n\t\t\t\tLII:Web Application Security Guide\/Clickjacking\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\tFrom LIMSWiki\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\tJump to: navigation, search\n\n\t\t\t\t\t\n\t\t\t\t\t\n\n Contents\n\n1 Clickjacking \n\n1.1 To prevent this type of attack \n1.2 Rationale \n\n\n2 Further reading \n3 Notes \n\n\n\n\nClickjacking \nIn clickjacking attacks, the target site is embedded in an IFRAME on the attacking site and either kept in the background, but mostly covered by other elements or made transparent and kept in the foreground. The user is then incited to click a certain location (e.g. when using the transparency method by placing a button in the background). Instead of the visible button, the click hits the invisible window. The placement of the IFRAME and button is chosen so that the click triggers the action wanted by the attacker (e.g. change settings). As the user is logged into the target site, the click can trigger actions that would otherwise be unreachable for the attacker. 
Multiple Facebook spam waves were generated using this method.\n\nTo prevent this type of attack \n Prevent (i)framing of your application in current browsers by including the HTTP response header \u201cX-Frame-Options: deny\u201d.\n Prevent (i)framing in outdated browsers by including a JavaScript frame breaker which checks for (i)framing and refuses to show the page if it is detected.\n For applications with high security requirements where you expect users to use outdated browsers with JavaScript disabled, consider requiring users of older browsers to enable JavaScript.\nRationale \nThe X-Frame-Options header is required as JavaScript frame breakers could be ineffective in some newer browsers that allow undetectable framing. However, older, still common browsers ignore the header and thus require additional protection using classic JavaScript based frame breakers. Since (as opposed to the header method) those do not work if JavaScript is disabled, additional measures may be necessary.\n\nFurther reading \n Clickjacking\nNotes \nThe original source for this page is the associated Wikibooks article and is shared here under the CC BY-SA 3.0 license.\n\n\n\n\n\n\nSource: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Clickjacking\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Clickjacking<\/a>\n\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\n\t\t\t\n\t\t\n\t\t\n\t\t\tNavigation menu\n\t\t\t\t\t\n\t\t\tViews\n\n\t\t\t\n\t\t\t\t\n\t\t\t\tLII\n\t\t\t\tDiscussion\n\t\t\t\tView source\n\t\t\t\tHistory\n\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\n\t\t\t\t\n\t\t\t\tPersonal tools\n\n\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\t\t\tLog in\n\t\t\t\t\t\t\t\t\t\t\t\t\tRequest account\n\t\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\n\t\t\t\n\t\t\t\n\t\t\t\t\n\t\t\t\n\t\t\t\t\n\t\tNavigation\n\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\tMain page\n\t\t\t\t\t\t\t\t\t\t\tRecent 
changes\n\t\t\t\t\t\t\t\t\t\t\tRandom page\n\t\t\t\t\t\t\t\t\t\t\tHelp\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\n\t\t\t\n\t\t\tSearch\n\n\t\t\t\n\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t \n\t\t\t\t\t\t\n\t\t\t\t\n\n\t\t\t\t\t\t\t\n\t\t\n\t\t\t\n\t\t\tTools\n\n\t\t\t\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\tWhat links here\n\t\t\t\t\t\t\t\t\t\t\tRelated changes\n\t\t\t\t\t\t\t\t\t\t\tSpecial pages\n\t\t\t\t\t\t\t\t\t\t\tPermanent link\n\t\t\t\t\t\t\t\t\t\t\tPage information\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\n\t\t\n\t\tPrint\/export\n\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\tCreate a book\n\t\t\t\t\t\t\t\t\t\t\tDownload as PDF\n\t\t\t\t\t\t\t\t\t\t\tDownload as Plain text\n\t\t\t\t\t\t\t\t\t\t\tPrintable version\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\n\t\t\n\t\tSponsors\n\t\t\n\t\t\t \r\n\n\t\r\n\n\t\r\n\n\t\r\n\n\t\n\t\r\n\n \r\n\n\t\n\t\r\n\n \r\n\n\t\n\t\r\n\n\t\n\t\r\n\n\t\r\n\n\t\r\n\n\t\r\n\t\t\n\t\t\n\t\t\t\n\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t This page was last modified on 10 August 2016, at 22:35.\n\t\t\t\t\t\t\t\t\tThis page has been accessed 219 times.\n\t\t\t\t\t\t\t\t\tContent is available under a Creative Commons Attribution-ShareAlike 4.0 International License unless otherwise noted.\n\t\t\t\t\t\t\t\t\tPrivacy policy\n\t\t\t\t\t\t\t\t\tAbout LIMSWiki\n\t\t\t\t\t\t\t\t\tDisclaimers\n\t\t\t\t\t\t\t\n\t\t\n\t\t\n\t\t\n\n","f052b1a9962cd409a0d68e10cc6d01b5_html":"<body class=\"mediawiki ltr sitedir-ltr ns-202 ns-subject page-LII_Web_Application_Security_Guide_Clickjacking skin-monobook action-view\">\n<div id=\"rdp-ebb-globalWrapper\">\n\t\t<div id=\"rdp-ebb-column-content\">\n\t\t\t<div id=\"rdp-ebb-content\" class=\"mw-body\" role=\"main\">\n\t\t\t\t<a id=\"rdp-ebb-top\"><\/a>\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t<h1 id=\"rdp-ebb-firstHeading\" class=\"firstHeading\" lang=\"en\">LII:Web Application Security 
Guide\/Clickjacking<\/h1>\n<div id=\"rdp-ebb-bodyContent\" class=\"mw-body-content\">\n<div id=\"rdp-ebb-mw-content-text\" lang=\"en\" dir=\"ltr\" class=\"mw-content-ltr\">\n<h2><span class=\"mw-headline\" id=\"Clickjacking\">Clickjacking<\/span><\/h2>\n<p>In clickjacking attacks, the target site is embedded in an IFRAME on the attacking site and is either kept in the background, mostly covered by other elements, or made transparent and kept in the foreground. The user is then enticed to click a certain location (e.g. when using the transparency method, by placing a button in the background). Instead of the visible button, the click hits the invisible window. The placement of the IFRAME and button is chosen so that the click triggers the action the attacker wants (e.g. changing settings). As the user is logged into the target site, the click can trigger actions that would otherwise be unreachable for the attacker. Multiple Facebook spam waves were generated using this method.\n<\/p>\n<h3><span class=\"mw-headline\" id=\"To_prevent_this_type_of_attack\">To prevent this type of attack<\/span><\/h3>\n<ul><li> Prevent (i)framing of your application in current browsers by including the HTTP response header \u201c<tt>X-Frame-Options: deny<\/tt>\u201d.<\/li>\n<li> Prevent (i)framing in outdated browsers by including a JavaScript frame breaker which checks for (i)framing and refuses to show the page if it is detected.<\/li>\n<li> For applications with high security requirements where you expect users to use outdated browsers with JavaScript disabled, consider requiring users of older browsers to enable JavaScript.<\/li><\/ul>\n<h3><span class=\"mw-headline\" id=\"Rationale\">Rationale<\/span><\/h3>\n<p>The X-Frame-Options header is required because JavaScript frame breakers can be ineffective in some newer browsers that allow undetectable framing. However, older but still common browsers ignore the header and thus require additional protection using classic JavaScript-based frame breakers. Since, unlike the header method, those do not work if JavaScript is disabled, additional measures may be necessary.\n<\/p>\n<h2><span class=\"mw-headline\" id=\"Further_reading\">Further reading<\/span><\/h2>\n<ul><li> <a href=\"https:\/\/en.wikipedia.org\/wiki\/Clickjacking\" class=\"extiw\" title=\"wikipedia:Clickjacking\" rel=\"external_link\" target=\"_blank\">Clickjacking<\/a><\/li><\/ul>\n<h2><span class=\"mw-headline\" id=\"Notes\">Notes<\/span><\/h2>\n<p>The original source for this page is <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/en.wikibooks.org\/wiki\/Web_Application_Security_Guide\/Clickjacking\" target=\"_blank\">the associated Wikibooks article<\/a> and is shared here under the <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/creativecommons.org\/licenses\/by-sa\/3.0\/\" target=\"_blank\">CC BY-SA 3.0<\/a> license.\n<\/p>\n<\/div><div class=\"printfooter\">Source: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Clickjacking\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Clickjacking<\/a><\/div>\n<div class=\"visualClear\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"visualClear\"><\/div>\n<\/div>\n<\/body>","f052b1a9962cd409a0d68e10cc6d01b5_images":[],"f052b1a9962cd409a0d68e10cc6d01b5_timestamp":1546642319,"57069b13cd4c6c205a34744f07e84805_type":"article","57069b13cd4c6c205a34744f07e84805_title":"Cross-site request forgery (CSRF)","57069b13cd4c6c205a34744f07e84805_url":"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Cross-site_request_forgery_(CSRF)","57069b13cd4c6c205a34744f07e84805_plaintext":"\nLII:Web Application Security Guide\/Cross-site request forgery (CSRF)\nFrom LIMSWiki\n\nContents\n\n1 Cross-site request forgery (CSRF) \n1.1 To prevent this type of attack \n1.2 Rationale \n2 Further reading \n3 Notes \n\nCross-site request forgery (CSRF) \nCross-site request forgery occurs if a third-party web site causes the browser of the logged-in user to make a request to your service. With GET forms, this can be done using IFRAMEs or IMG tags. With POST forms, this is possible using a FORM element with the action attribute pointed to your site, possibly submitted using JavaScript. Both methods require no user interaction. The browser automatically submits the session cookie of the user. 
This can allow an attacker to trigger unwanted actions with the permissions of the logged-in user.\n\nTo prevent this type of attack \n Include a hidden form field with a random token bound to the user\u2019s session (and preferably the action to be performed), and check this token in the response.\n Make sure the token is non-predictable and cannot be obtained by the attacker.\n Do not include it in files the attacker could load into his site using <script> tags.\n Referer checks are not secure, but can be used as an additional measure.\nRationale \nCSRF attacks allow attackers to abuse existing user sessions. The same-origin policy of web browsers prevents the attacking web site from reading the content (and thus the token) of the targeted site. As the token is bound to the session, the attacker cannot obtain the token by simply visiting the web site himself. The token needs to be non-predictable (secure randomness), as otherwise the attacker could simply guess it.\nReferer checks are unreliable, as some user agents do not send the header and some personal firewalls filter or falsify it for privacy reasons. Additionally, the attacker can avoid sending a Referer, for example (tested with IE8 and Firefox 6) simply by setting window.location using JavaScript.\n\nFurther reading \n Cross-site request forgery\nNotes \nThe original source for this page is the associated Wikibooks article and is shared here under the CC BY-SA 3.0 license.\n\nSource: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Cross-site_request_forgery_(CSRF)\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Cross-site_request_forgery_(CSRF)<\/a>\n\nThis page was last modified on 10 August 2016, at 22:33.\n","57069b13cd4c6c205a34744f07e84805_html":"<body class=\"mediawiki ltr sitedir-ltr ns-202 ns-subject page-LII_Web_Application_Security_Guide_Cross-site_request_forgery_CSRF skin-monobook action-view\">\n<div id=\"rdp-ebb-globalWrapper\">\n<div id=\"rdp-ebb-column-content\">\n<div id=\"rdp-ebb-content\" class=\"mw-body\" role=\"main\">\n<a id=\"rdp-ebb-top\"><\/a>\n<h1 id=\"rdp-ebb-firstHeading\" class=\"firstHeading\" lang=\"en\">LII:Web Application Security Guide\/Cross-site request forgery (CSRF)<\/h1>\n<div id=\"rdp-ebb-bodyContent\" class=\"mw-body-content\">\n<div id=\"rdp-ebb-mw-content-text\" lang=\"en\" dir=\"ltr\" class=\"mw-content-ltr\">\n<h2><span class=\"mw-headline\" id=\"Cross-site_request_forgery_.28CSRF.29\">Cross-site request forgery (CSRF)<\/span><\/h2>\n<p>Cross-site request forgery occurs if a third-party web site causes the browser of the logged-in user to make a request to your service. With GET forms, this can be done using IFRAMEs or IMG tags. 
With POST forms, this is possible using a FORM element with the action attribute pointed to your site, possibly submitted using JavaScript. Both methods require no user interaction. The browser automatically submits the session cookie of the user. This can allow an attacker to trigger unwanted actions with the permissions of the logged-in user.\n<\/p>\n<h3><span class=\"mw-headline\" id=\"To_prevent_this_type_of_attack\">To prevent this type of attack<\/span><\/h3>\n<ul><li> Include a hidden form field with a random token bound to the user\u2019s session (and preferably the action to be performed), and check this token in the response.<\/li>\n<li> Make sure the token is non-predictable and cannot be obtained by the attacker.\n<ul><li> Do not include it in files the attacker could load into his site using <code><script><\/code> tags.<\/li><\/ul><\/li>\n<li> Referer checks are not secure, but can be used as an additional measure.<\/li><\/ul>\n<h3><span class=\"mw-headline\" id=\"Rationale\">Rationale<\/span><\/h3>\n<p>CSRF attacks allow attackers to abuse existing user sessions. The same-origin policy of web browsers prevents the attacking web site from reading the content (and thus the token) of the targeted site. As the token is bound to the session, the attacker cannot obtain the token by simply visiting the web site himself. The token needs to be non-predictable (secure randomness), as otherwise the attacker could simply guess it.\n<\/p><p>Referer checks are unreliable, as some user agents do not send the header and some personal firewalls filter or falsify it for privacy reasons. Additionally, the attacker can avoid sending a Referer, for example (tested with IE8 and Firefox 6) simply by setting window.location using JavaScript.\n<\/p>\n<h2><span class=\"mw-headline\" id=\"Further_reading\">Further reading<\/span><\/h2>\n<ul><li> <a href=\"https:\/\/en.wikipedia.org\/wiki\/Cross-site_request_forgery\" class=\"extiw\" title=\"wikipedia:Cross-site request forgery\" rel=\"external_link\" target=\"_blank\">Cross-site request forgery<\/a><\/li><\/ul>\n<h2><span class=\"mw-headline\" id=\"Notes\">Notes<\/span><\/h2>\n<p>The original source for this page is <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/en.wikibooks.org\/wiki\/Web_Application_Security_Guide\/Cross-site_request_forgery_(CSRF)\" target=\"_blank\">the associated Wikibooks article<\/a> and is shared here under the <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/creativecommons.org\/licenses\/by-sa\/3.0\/\" target=\"_blank\">CC BY-SA 3.0<\/a> license.\n<\/p>\n<\/div><div class=\"printfooter\">Source: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Cross-site_request_forgery_(CSRF)\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Cross-site_request_forgery_(CSRF)<\/a><\/div>\n<div class=\"visualClear\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"visualClear\"><\/div>\n<\/div>\n<\/body>","57069b13cd4c6c205a34744f07e84805_images":[],"57069b13cd4c6c205a34744f07e84805_timestamp":1546642319,"5c97b0de3eebc89e348368871c44b0ec_type":"article","5c97b0de3eebc89e348368871c44b0ec_title":"(Un)trusted input","5c97b0de3eebc89e348368871c44b0ec_url":"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/(Un)trusted_input","5c97b0de3eebc89e348368871c44b0ec_plaintext":"\nLII:Web Application Security Guide\/(Un)trusted input\nFrom LIMSWiki\n\nContents\n\n1 (Un)trusted input \n1.1 To prevent this type of attack \n1.2 Rationale \n2 Further reading \n3 Notes \n\n(Un)trusted input \nAll user input is to be considered untrusted. Seemingly \u201ctrusted\/safe\u201d input, like some $_SERVER variables in PHP, can be easily manipulated by attackers.\n\nTo prevent this type of attack \n Thoroughly filter\/escape any untrusted content.\n If the allowed character set for certain input fields is limited, check that the input is valid before using it.\n If in doubt about a certain kind of data (e.g. server variable), treat it as untrusted.\n If you are sure, but there is no real need to treat it as trusted, treat it as untrusted.\n The request URL (e.g. 
in environment variables) is untrusted.\n Data coming from HTTP headers is untrusted.\n Referer\n X-Forwarded-For\n Cookies\n Server name (!)\n All POST and GET data is untrusted.\n Includes non-user-modifiable input fields like select\n All content validation is to be done server side.\nRationale \nEscaping or filtering \u201ctrusted\u201d input that should not contain any characters that require escaping will only give you a negligible performance penalty, but you will be on the safe side if the input turns out to be untrusted.\nValidating input data using a character whitelist can avoid attacks using unexpected characters (null bytes, UTF-8, control characters used as delimiters in internal representations etc.). Ensure your validation is not too strict; for example, you will need to allow both UTF-8 and characters like ' in person name fields.\nAn attacker is not bound by the constraints a browser imposes. Just because an input field is specified with maxlength=20 does not mean that an attacker cannot craft a request with 200 KB of data. The same goes for any JavaScript-based constraints.\n\nFurther reading \n Secure input and output handling\n Trust boundary\nNotes \nThe original source for this page is the associated Wikibooks article and is shared here under the CC BY-SA 3.0 license.\n\nSource: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/(Un)trusted_input\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/(Un)trusted_input<\/a>\n\nThis page was last modified on 10 August 2016, at 22:32.\n","5c97b0de3eebc89e348368871c44b0ec_html":"<body class=\"mediawiki ltr sitedir-ltr ns-202 ns-subject page-LII_Web_Application_Security_Guide_Un_trusted_input skin-monobook action-view\">\n<div id=\"rdp-ebb-globalWrapper\">\n<div id=\"rdp-ebb-column-content\">\n<div id=\"rdp-ebb-content\" class=\"mw-body\" role=\"main\">\n<a id=\"rdp-ebb-top\"><\/a>\n<h1 id=\"rdp-ebb-firstHeading\" class=\"firstHeading\" lang=\"en\">LII:Web Application Security Guide\/(Un)trusted input<\/h1>\n<div id=\"rdp-ebb-bodyContent\" class=\"mw-body-content\">\n<div id=\"rdp-ebb-mw-content-text\" lang=\"en\" dir=\"ltr\" class=\"mw-content-ltr\">\n<h2><span class=\"mw-headline\" id=\".28Un.29trusted_input\">(Un)trusted input<\/span><\/h2>\n<p>All user input is to be considered untrusted. 
Seemingly \u201ctrusted\/safe\u201d input, like some $_SERVER variables in PHP, can be easily manipulated by attackers.\n<\/p>\n<h3><span class=\"mw-headline\" id=\"To_prevent_this_type_of_attack\">To prevent this type of attack<\/span><\/h3>\n<ul><li> Thoroughly filter\/escape any untrusted content.<\/li>\n<li> If the allowed character set for certain input fields is limited, check that the input is valid before using it.<\/li>\n<li> If in doubt about a certain kind of data (e.g. server variable), treat it as untrusted.<\/li>\n<li> If you are sure, but there is no <b>real<\/b> need to treat it as trusted, treat it as untrusted.<\/li>\n<li> The request URL (e.g. in environment variables) is untrusted.<\/li>\n<li> Data coming from HTTP headers is untrusted.\n<ul><li> Referer<\/li>\n<li> X-Forwarded-For<\/li>\n<li> Cookies<\/li>\n<li> Server name (!)<\/li><\/ul><\/li>\n<li> All POST and GET data is untrusted.\n<ul><li> Includes non-user-modifiable input fields like select<\/li><\/ul><\/li>\n<li> All content validation is to be done server side.<\/li><\/ul>\n<h3><span class=\"mw-headline\" id=\"Rationale\">Rationale<\/span><\/h3>\n<p>Escaping or filtering \u201ctrusted\u201d input that should not contain any characters that require escaping will only give you a negligible performance penalty, but you will be on the safe side if the input turns out to be untrusted.\n<\/p><p>Validating input data using a character whitelist can avoid attacks using unexpected characters (null bytes, UTF-8, control characters used as delimiters in internal representations etc.). Ensure your validation is not too strict; for example, you will need to allow both UTF-8 and characters like ' in person name fields.\n<\/p><p>An attacker is not bound by the constraints a browser imposes. Just because an input field is specified with <code>maxlength=20<\/code> does not mean that an attacker cannot craft a request with 200 KB of data. The same goes for any JavaScript-based constraints.\n<\/p>\n<h2><span class=\"mw-headline\" id=\"Further_reading\">Further reading<\/span><\/h2>\n<ul><li> <a href=\"https:\/\/en.wikipedia.org\/wiki\/Secure_input_and_output_handling\" class=\"extiw\" title=\"wikipedia:Secure input and output handling\" rel=\"external_link\" target=\"_blank\">Secure input and output handling<\/a><\/li>\n<li> <a href=\"https:\/\/en.wikipedia.org\/wiki\/Trust_boundary\" class=\"extiw\" title=\"wikipedia:Trust boundary\" rel=\"external_link\" target=\"_blank\">Trust boundary<\/a><\/li><\/ul>\n<h2><span class=\"mw-headline\" id=\"Notes\">Notes<\/span><\/h2>\n<p>The original source for this page is <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/en.wikibooks.org\/wiki\/Web_Application_Security_Guide\/(Un)trusted_input\" target=\"_blank\">the associated Wikibooks article<\/a> and is shared here under the <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/creativecommons.org\/licenses\/by-sa\/3.0\/\" target=\"_blank\">CC BY-SA 3.0<\/a> license.\n<\/p>\n<\/div><div class=\"printfooter\">Source: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/(Un)trusted_input\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/(Un)trusted_input<\/a><\/div>\n<div class=\"visualClear\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"visualClear\"><\/div>\n<\/div>\n<\/body>","5c97b0de3eebc89e348368871c44b0ec_images":[],"5c97b0de3eebc89e348368871c44b0ec_timestamp":1546642318,"7da5a3e8c4ad0a05309ea9741494fec2_type":"article","7da5a3e8c4ad0a05309ea9741494fec2_title":"XML, JSON and general API security","7da5a3e8c4ad0a05309ea9741494fec2_url":"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/XML,_JSON_and_general_API_security","7da5a3e8c4ad0a05309ea9741494fec2_plaintext":"\nLII:Web Application Security Guide\/XML, JSON and general API security\nFrom LIMSWiki\n\nContents\n\n1 XML, JSON and general API security \n1.1 To prevent this type of attack \n1.2 Rationale \n1.3 Further reading \n2 Notes \n\nXML, JSON and general API security \nAPIs can provide additional security challenges. At the same time, basic security rules (like output escaping) must not be overlooked.\n\nTo prevent this type of attack \n Ensure proper access control to the API.\n Do not forget that you need to correctly escape all output to prevent XSS attacks, that data formats like XML require special consideration, and that protection against cross-site request forgery (CSRF) is needed in many cases.\n Use standard data formats like JSON with proven libraries, and use them correctly. 
This will probably take care of all your escaping needs.\n Make sure browsers do not misinterpret your document or allow cross-site loading.\n Ensure your document is well-formed.\n Send the correct content type.\n Use the X-Content-Type-Options: nosniff header.\n For XML, provide a charset and ensure attackers cannot insert arbitrary tags.\n For JSON, ensure the top-level data structure is an object and all characters with special meaning in HTML are escaped.\nRationale \nCertain actions are often restricted to users with appropriate privileges. However, some developers forget to properly restrict their API, thus allowing users without proper privileges to perform these actions. Ensure that the API properly enforces access controls. Remember that you still need CSRF protection! A separate client can easily fetch a token (but will need the user's credentials to do so), while a malicious JavaScript can't (due to the same-origin policy). \nEven if your application is not displaying the API output, the attacker may use it for XSS attacks by directly linking to it. For this reason, you must follow proper escaping rules and keep browsers from misinterpreting your output.\nIf you use standard data formats like JSON, you can use standard libraries which have been thoroughly checked by many professionals. This will make it easier for you to correctly escape content, and save you a lot of time (and potential security issues).\nCertain browsers love to interpret anything that looks like it may be HTML as HTML. This is especially true for XML documents (which may also represent other script-bearing formats like SVG). Sending a well-formed document and setting the correct content type makes it less probable that browsers will start guessing. 
The X-Content-Type-Options: nosniff header will stop browsers from attempting to guess the content type (most importantly, it will disable the aggressive guessing in Internet Explorer).\nProviding the correct charset in XML is important because different charsets can cause vastly different interpretations of the data. For example, what is harmless text in UTF-8 or other common charsets can turn into a script tag in UTF-7.\nJSON uses JavaScript syntax and could possibly be loaded across domain boundaries using <script> tags. Together with creative modification of the Array prototype, this can give access to the data (bypassing the same-origin policy) in outdated browsers. Passing an object instead of an array prevents this (as of 2013).\nEscaping special characters in JSON is recommended to avoid content sniffing. In PHP, it can be done by passing the JSON_HEX_TAG flag to json_encode.\n\nFurther reading \n API security\n JavaScript\/Handling JSON\n JSON\n XML\nNotes \nThe original source for this page is the associated Wikibooks article and is shared here under the CC BY-SA 3.0 license.\n\n\n\n\n\n\nSource: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/XML,_JSON_and_general_API_security\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/XML,_JSON_and_general_API_security<\/a>\nThis page was last modified on 10 August 2016, at 22:20.\nContent is available under a Creative Commons Attribution-ShareAlike 4.0 International License unless otherwise noted.\n","7da5a3e8c4ad0a05309ea9741494fec2_html":"<body class=\"mediawiki ltr sitedir-ltr ns-202 ns-subject page-LII_Web_Application_Security_Guide_XML_JSON_and_general_API_security skin-monobook action-view\">\n<div id=\"rdp-ebb-globalWrapper\">\n\t\t<div id=\"rdp-ebb-column-content\">\n\t\t\t<div id=\"rdp-ebb-content\" class=\"mw-body\" role=\"main\">\n\t\t\t\t<a id=\"rdp-ebb-top\"><\/a>\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t<h1 id=\"rdp-ebb-firstHeading\" class=\"firstHeading\" lang=\"en\">LII:Web Application Security Guide\/XML, JSON and general API 
security<\/h1>\n\t\t\t\t\n\t\t\t\t<div id=\"rdp-ebb-bodyContent\" class=\"mw-body-content\">\n\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\n\n\t\t\t\t\t<!-- start content -->\n\t\t\t\t\t<div id=\"rdp-ebb-mw-content-text\" lang=\"en\" dir=\"ltr\" class=\"mw-content-ltr\"><table cellspacing=\"0\" cellpadding=\"0\" style=\"clear: right; margin-bottom: .5em; float: right; padding: .5em 0 .8em 1.4em; background: none; width: auto;\">\n<tr>\n<td> \n\n<\/td><\/tr><\/table>\n<h2><span class=\"mw-headline\" id=\"XML.2C_JSON_and_general_API_security\">XML, JSON and general API security<\/span><\/h2>\n<p>APIs can provide additional security challenges. At the same time, basic security rules (like output escaping) must not be overlooked.\n<\/p>\n<h3><span class=\"mw-headline\" id=\"To_prevent_this_type_of_attack\">To prevent this type of attack<\/span><\/h3>\n<ul><li> Ensure proper access control to the API.<\/li>\n<li> Do not forget that you need to <a href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Cross-site_scripting_(XSS)\" title=\"LII:Web Application Security Guide\/Cross-site scripting (XSS)\" target=\"_blank\" class=\"wiki-link\" data-key=\"931b3464b3f12dc9e1b1803bd3190cb9\">correctly escape all output to prevent XSS attacks<\/a>, that data formats like XML require <a href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/XML_and_internal_data_escaping\" title=\"LII:Web Application Security Guide\/XML and internal data escaping\" target=\"_blank\" class=\"wiki-link\" data-key=\"9cae4e140675b1a1a21fe8753676d5ac\">special consideration<\/a>, and that protection against <a href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Cross-site_request_forgery_(CSRF)\" title=\"LII:Web Application Security Guide\/Cross-site request forgery (CSRF)\" target=\"_blank\" class=\"wiki-link\" data-key=\"57069b13cd4c6c205a34744f07e84805\">cross-site request forgery (CSRF)<\/a> is needed in many 
cases.<\/li>\n<li> Use standard data formats like JSON with proven libraries, and use them correctly. This will probably take care of all your escaping needs.<\/li>\n<li> Make sure browsers do not misinterpret your document or allow cross-site loading.\n<ul><li> Ensure your document is well-formed.<\/li>\n<li> Send the correct content type.<\/li>\n<li> Use the <code>X-Content-Type-Options: nosniff<\/code> header.<\/li>\n<li> For XML, provide a charset and ensure attackers cannot insert arbitrary tags.<\/li>\n<li> For JSON, ensure the top-level data structure is an object and all characters with special meaning in HTML are escaped.<\/li><\/ul><\/li><\/ul>\n<h3><span class=\"mw-headline\" id=\"Rationale\">Rationale<\/span><\/h3>\n<p>Certain actions are often restricted to users with appropriate privileges. However, some developers forget to properly restrict their API, thus allowing users without proper privileges to perform these actions. Ensure that the API properly enforces access controls. Remember that you still need CSRF protection! A separate client can easily fetch a token (but will need the user's credentials to do so), while a malicious JavaScript can't (due to the same-origin policy). \n<\/p><p>Even if your application is not displaying the API output, the attacker may use it for XSS attacks by directly linking to it. For this reason, you must follow proper escaping rules <i>and<\/i> keep browsers from misinterpreting your output.\n<\/p><p>If you use standard data formats like JSON, you can use standard libraries which have been thoroughly checked by many professionals. This will make it easier for you to correctly escape content, and save you a lot of time (and potential security issues).\n<\/p><p>Certain browsers love to interpret anything that looks like it may be HTML as HTML. This is especially true for XML documents (which may also represent other script-bearing formats like SVG). 
Sending a well-formed document and setting the correct content type makes it less probable that browsers will start guessing. The <code>X-Content-Type-Options: nosniff<\/code> header will stop browsers from attempting to guess the content type (most importantly, it will disable the aggressive guessing in Internet Explorer).\n<\/p><p>Providing the correct charset in XML is important because different charsets can cause vastly different interpretations of the data. For example, what is harmless text in UTF-8 or other common charsets can turn into a script tag in UTF-7.\n<\/p><p>JSON uses JavaScript syntax and could possibly be loaded across domain boundaries using <code><script><\/code> tags. Together with creative modification of the Array prototype, this can give access to the data (bypassing the same-origin policy) in outdated browsers. Passing an object instead of an array prevents this (as of 2013).\n<\/p><p>Escaping special characters in JSON is recommended to avoid content sniffing. 
In PHP, it can be done by passing the <code>JSON_HEX_TAG<\/code> flag to <code>json_encode<\/code>.\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Further_reading\">Further reading<\/span><\/h3>\n<ul><li> <a href=\"https:\/\/en.wikipedia.org\/wiki\/API_Security\" class=\"extiw\" title=\"wikipedia:API Security\" rel=\"external_link\" target=\"_blank\">API security<\/a><\/li>\n<li> <a href=\"https:\/\/en.wikibooks.org\/wiki\/JavaScript\/Handling_JSON\" class=\"extiw\" title=\"wikibooks:JavaScript\/Handling JSON\" rel=\"external_link\" target=\"_blank\">JavaScript\/Handling JSON<\/a><\/li>\n<li> <a href=\"https:\/\/en.wikipedia.org\/wiki\/JSON\" class=\"extiw\" title=\"wikipedia:JSON\" rel=\"external_link\" target=\"_blank\">JSON<\/a><\/li>\n<li> <a href=\"https:\/\/en.wikipedia.org\/wiki\/XML\" class=\"extiw\" title=\"wikipedia:XML\" rel=\"external_link\" target=\"_blank\">XML<\/a><\/li><\/ul>\n<h2><span class=\"mw-headline\" id=\"Notes\">Notes<\/span><\/h2>\n<p>The original source for this page is <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/en.wikibooks.org\/wiki\/Web_Application_Security_Guide\/XML,_JSON_and_general_API_security\" target=\"_blank\">the associated Wikibooks article<\/a> and is shared here under the <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/creativecommons.org\/licenses\/by-sa\/3.0\/\" target=\"_blank\">CC BY-SA 3.0<\/a> license.\n<\/p>\n<!-- \nNewPP limit report\nCached time: 20190104225158\nCache expiry: 86400\nDynamic content: false\nCPU time usage: 0.013 seconds\nReal time usage: 0.019 seconds\nPreprocessor visited node count: 72\/1000000\nPreprocessor generated node count: 186\/1000000\nPost\u2010expand include size: 165\/2097152 bytes\nTemplate argument size: 0\/2097152 bytes\nHighest expansion depth: 3\/40\nExpensive parser function count: 0\/100\n-->\n\n<!-- \nTransclusion expansion time report (%,ms,calls,template)\n100.00% 3.187 1 - Template:TOC_right\n100.00% 3.187 1 - -total\n-->\n\n<!-- Saved 
in parser cache with key limswiki:pcache:idhash:9023-0!*!0!!en!*!* and timestamp 20190104225158 and revision id 26906\n -->\n<\/div><div class=\"printfooter\">Source: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/XML,_JSON_and_general_API_security\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/XML,_JSON_and_general_API_security<\/a><\/div>\n\t\t\t\t\t\t\t\t\t\t<!-- end content -->\n\t\t\t\t\t\t\t\t\t\t<div class=\"visualClear\"><\/div>\n\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t<!-- end of the left (by default at least) column -->\n\t\t<div class=\"visualClear\"><\/div>\n\t\t\t\t\t\n\t\t<\/div>\n\t\t\n\n<\/body>","7da5a3e8c4ad0a05309ea9741494fec2_images":[],"7da5a3e8c4ad0a05309ea9741494fec2_timestamp":1546642318,"9cae4e140675b1a1a21fe8753676d5ac_type":"article","9cae4e140675b1a1a21fe8753676d5ac_title":"XML and internal data escaping","9cae4e140675b1a1a21fe8753676d5ac_url":"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/XML_and_internal_data_escaping","9cae4e140675b1a1a21fe8753676d5ac_plaintext":"\n\n\t\t\n\t\t\t\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\n\n\t\t\t\tLII:Web Application Security Guide\/XML and internal data escaping\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\tFrom LIMSWiki\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\tJump to: navigation, search\n\n\t\t\t\t\t\n\t\t\t\t\t\n\n Contents\n\n1 XML and internal data escaping \n\n1.1 To prevent this type of attack \n1.2 Rationale \n\n\n2 Further reading \n3 Notes \n\n\n\n\nXML and internal data escaping \nEscaping is required in internal data representations, too. 
For example, incorrectly escaped strings in XML could allow the attackers to close their including tag and inject arbitrary XML.\nXML is a very complex format which can bear many unpleasant surprises.\n\nTo prevent this type of attack \n Avoid XML if possible.\n For XML, use well-tested, high-quality libraries, and pay close attention to the documentation. Know your library \u2013 some libraries have functions that allow you to bypass escaping without knowing it.\n If you parse (read) XML, ensure your parser does not attempt to load external references (e.g. entities and DTDs).\n For other internal representations of data, make sure correct escaping or filtering is applied. Try to use well-tested, high-quality libraries if available, even if it seems to be more difficult.\n If escaping is done manually, ensure that it handles null bytes, unexpected charsets, invalid UTF-8 characters etc. in a secure manner.\nRationale \nXML is a highly complex format with many surprising features - did you know that XML can load other content via HTTP? If you just want to store\/pass a few structured values, the powerful features of XML are often unnecessary. JSON is a less complex alternative, but requires its own safety measures (like avoiding arrays at top level and hex-encoding special characters that may be interpreted by broken browsers).\nXML is too complex to \u201cjust quickly\u201d write code that handles all possibilities correctly and safely. Do not rely on the security of \u201chome-made\u201d minimal libraries. Even some \u201cofficial\u201d XML libraries are known to have escaping issues in some functions or to explicitly allow content to be passed into the XML without escaping. (Notably the addChild method in PHP\u2019s SimpleXML does partial escaping, see comments for PHP bug 36795) Libraries can contain critical issues, too. Read the documentation of your library carefully and consider searching the internet for known issues. 
If you are not sure, quickly test at least some basic cases.\nXML has features that allow loading of external data like entities and DTDs. Some parsers enable this by default. If you parse untrusted XML files (remember, everything that comes from a user is untrusted), this may be used to read local files, make requests to internal systems not accessible from outside the firewall, and in some cases, even execute code. See OWASP article for details.\nDoing escaping manually is very difficult to do correctly, as all problematic cases (e.g. partial UTF8 characters or different charsets) need to be considered. Writing a solution that works correctly with regular input may be fast and easy, but writing a solution that works correctly with any intentionally malformed input is difficult. \n\nFurther reading \n Escape character\n XML\nNotes \nThe original source for this page is the associated Wikibooks article and is shared here under the CC BY-SA 3.0 license.\n\n\n\n\n\n\nSource: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/XML_and_internal_data_escaping\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/XML_and_internal_data_escaping<\/a>\nThis page was last modified on 10 August 2016, at 22:18.\nContent is available under a Creative Commons Attribution-ShareAlike 4.0 International License unless otherwise noted.\n","9cae4e140675b1a1a21fe8753676d5ac_html":"<body class=\"mediawiki ltr sitedir-ltr ns-202 ns-subject page-LII_Web_Application_Security_Guide_XML_and_internal_data_escaping skin-monobook action-view\">\n<div id=\"rdp-ebb-globalWrapper\">\n\t\t<div id=\"rdp-ebb-column-content\">\n\t\t\t<div id=\"rdp-ebb-content\" class=\"mw-body\" role=\"main\">\n\t\t\t\t<a id=\"rdp-ebb-top\"><\/a>\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t<h1 id=\"rdp-ebb-firstHeading\" class=\"firstHeading\" lang=\"en\">LII:Web Application Security Guide\/XML and internal data 
escaping<\/h1>\n\t\t\t\t\n\t\t\t\t<div id=\"rdp-ebb-bodyContent\" class=\"mw-body-content\">\n\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\n\n\t\t\t\t\t<!-- start content -->\n\t\t\t\t\t<div id=\"rdp-ebb-mw-content-text\" lang=\"en\" dir=\"ltr\" class=\"mw-content-ltr\"><table cellspacing=\"0\" cellpadding=\"0\" style=\"clear: right; margin-bottom: .5em; float: right; padding: .5em 0 .8em 1.4em; background: none; width: auto;\">\n<tr>\n<td> \n\n<\/td><\/tr><\/table>\n<h2><span class=\"mw-headline\" id=\"XML_and_internal_data_escaping\">XML and internal data escaping<\/span><\/h2>\n<p>Escaping is required in internal data representations, too. For example, incorrectly escaped strings in XML could allow the attackers to close their including tag and inject arbitrary XML.\n<\/p><p>XML is a very complex format which can bear many unpleasant surprises.\n<\/p>\n<h3><span class=\"mw-headline\" id=\"To_prevent_this_type_of_attack\">To prevent this type of attack<\/span><\/h3>\n<ul><li> Avoid XML if possible.<\/li>\n<li> For XML, use well-tested, high-quality libraries, and pay close attention to the documentation. Know your library \u2013 some libraries have functions that allow you to bypass escaping without knowing it.<\/li>\n<li> If you parse (read) XML, ensure your parser does not attempt to load external references (e.g. entities and DTDs).<\/li>\n<li> For other internal representations of data, make sure correct escaping or filtering is applied. Try to use well-tested, high-quality libraries if available, even if it seems to be more difficult.<\/li>\n<li> If escaping is done manually, ensure that it handles null bytes, unexpected charsets, invalid UTF-8 characters etc. in a secure manner.<\/li><\/ul>\n<h3><span class=\"mw-headline\" id=\"Rationale\">Rationale<\/span><\/h3>\n<p>XML is a highly complex format with many surprising features - did you know that XML can load other content via HTTP? 
If you just want to store\/pass a few structured values, the powerful features of XML are often unnecessary. JSON is a less complex alternative, but requires its own safety measures (like avoiding arrays at top level and hex-encoding special characters that may be interpreted by broken browsers).\n<\/p><p>XML is too complex to \u201cjust quickly\u201d write code that handles all possibilities correctly and safely. Do not rely on the security of \u201chome-made\u201d minimal libraries. Even some \u201cofficial\u201d XML libraries are known to have escaping issues in some functions or to explicitly allow content to be passed into the XML without escaping. (Notably the addChild method in PHP\u2019s SimpleXML does partial escaping, see comments for <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/bugs.php.net\/bug.php?id=36795\" target=\"_blank\">PHP bug 36795<\/a>) Libraries can contain critical issues, too. Read the documentation of your library carefully and consider searching the internet for known issues. If you are not sure, quickly test at least some basic cases.\n<\/p><p>XML has features that allow loading of external data like entities and DTDs. Some parsers enable this by default. If you parse untrusted XML files (remember, everything that comes from a user is untrusted), this may be used to read local files, make requests to internal systems not accessible from outside the firewall, and in some cases, even <a rel=\"external_link\" class=\"external text\" href=\"http:\/\/lists.wikimedia.org\/pipermail\/mediawiki-announce\/2013-April\/000127.html\" target=\"_blank\">execute code<\/a>. See <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/www.owasp.org\/index.php\/XML_External_Entity_%28XXE%29_Processing\" target=\"_blank\">OWASP article<\/a> for details.\n<\/p><p>Doing escaping manually is very difficult to do correctly, as all problematic cases (e.g. partial UTF8 characters or different charsets) need to be considered. 
Writing a solution that works correctly with regular input may be fast and easy, but writing a solution that works correctly with any intentionally malformed input is difficult. \n<\/p>\n<h2><span class=\"mw-headline\" id=\"Further_reading\">Further reading<\/span><\/h2>\n<ul><li> <a href=\"https:\/\/en.wikipedia.org\/wiki\/Escape_character\" class=\"extiw\" title=\"wikipedia:Escape character\" rel=\"external_link\" target=\"_blank\">Escape character<\/a><\/li>\n<li> <a href=\"https:\/\/en.wikipedia.org\/wiki\/XML\" class=\"extiw\" title=\"wikipedia:XML\" rel=\"external_link\" target=\"_blank\">XML<\/a><\/li><\/ul>\n<h2><span class=\"mw-headline\" id=\"Notes\">Notes<\/span><\/h2>\n<p>The original source for this page is <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/en.wikibooks.org\/wiki\/Web_Application_Security_Guide\/XML_and_internal_data_escaping\" target=\"_blank\">the associated Wikibooks article<\/a> and is shared here under the <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/creativecommons.org\/licenses\/by-sa\/3.0\/\" target=\"_blank\">CC BY-SA 3.0<\/a> license.\n<\/p>\n<!-- \nNewPP limit report\nCached time: 20190104225158\nCache expiry: 86400\nDynamic content: false\nCPU time usage: 0.012 seconds\nReal time usage: 0.016 seconds\nPreprocessor visited node count: 27\/1000000\nPreprocessor generated node count: 86\/1000000\nPost\u2010expand include size: 165\/2097152 bytes\nTemplate argument size: 0\/2097152 bytes\nHighest expansion depth: 3\/40\nExpensive parser function count: 0\/100\n-->\n\n<!-- \nTransclusion expansion time report (%,ms,calls,template)\n100.00% 3.143 1 - Template:TOC_right\n100.00% 3.143 1 - -total\n-->\n\n<!-- Saved in parser cache with key limswiki:pcache:idhash:9022-0!*!0!!en!*!* and timestamp 20190104225158 and revision id 26904\n -->\n<\/div><div class=\"printfooter\">Source: <a rel=\"external_link\" class=\"external\" 
href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/XML_and_internal_data_escaping\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/XML_and_internal_data_escaping<\/a><\/div>\n\t\t\t\t\t\t\t\t\t\t<!-- end content -->\n\t\t\t\t\t\t\t\t\t\t<div class=\"visualClear\"><\/div>\n\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t<!-- end of the left (by default at least) column -->\n\t\t<div class=\"visualClear\"><\/div>\n\t\t\t\t\t\n\t\t<\/div>\n\t\t\n\n<\/body>","9cae4e140675b1a1a21fe8753676d5ac_images":[],"9cae4e140675b1a1a21fe8753676d5ac_timestamp":1546642318,"931b3464b3f12dc9e1b1803bd3190cb9_type":"article","931b3464b3f12dc9e1b1803bd3190cb9_title":"Cross-site scripting (XSS)","931b3464b3f12dc9e1b1803bd3190cb9_url":"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Cross-site_scripting_(XSS)","931b3464b3f12dc9e1b1803bd3190cb9_plaintext":"\n\n\t\t\n\t\t\t\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\n\n\t\t\t\tLII:Web Application Security Guide\/Cross-site scripting (XSS)\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\tFrom LIMSWiki\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\tJump to: navigation, search\n\n\t\t\t\t\t\n\t\t\t\t\t\n\n Contents\n\n1 Cross-site scripting (XSS) \n\n1.1 To prevent this type of attack \n1.2 Rationale \n\n1.2.1 Complex XSS example with JS inside HTML \n\n\n\n\n2 Further reading \n3 Notes \n\n\n\n\nCross-site scripting (XSS) \nXSS vulnerabilities occur if user input included in the output of a web application is not escaped correctly. This type of vulnerability allows attackers to inject content into the web application output. This can be used to inject a false login form (reporting the input to an attacker) or malicious JavaScript code which can steal cookies and information or execute actions using the user\u2019s permissions. 
XSS vulnerabilities are separated into two main categories, reflected (non-persistent) and persistent vulnerabilities.\nReflected XSS vulnerabilities include the user input only in the output directly following the request. Thus, the attacker needs the user to follow a malicious link or make a malicious POST request. The former can be done by including the link as an IFRAME; the latter can be done using JavaScript. Both vulnerabilities do require that the user visits a malicious\/compromised site, but they do not necessarily require user interaction.\nPersistent XSS vulnerabilities store the user input and include it in later outputs (e.g. a posting in a forum). This means that the users do not need to visit a malicious\/compromised site.\n\nTo prevent this type of attack \n Escape anything that is not a constant before including it in a response as close to the output as possible (i.e. right in the line containing the \u201cecho\u201d or \u201cprint\u201d call).\n If not possible (e.g. when building a larger HTML block), escape when building and indicate the fact that the variable content is pre-escaped and the expected context in the name.\n Consider the context when escaping: Escaping text inside HTML is different from escaping HTML attribute values, and very different from escaping values inside CSS or JavaScript, or inside HTTP headers.\n This may mean that you need to escape for multiple contexts and\/or multiple times. For example, when passing an HTML fragment as a JS constant for later inclusion in the document, you need to escape for a JS string inside HTML when writing the constant to the JavaScript source, then escape again for HTML when your script writes the fragment to the document. (See rationale for examples.)\n The attacker must not be able to put anything where it is not supposed to be, even if you think it is not exploitable (e.g. 
because attempts to exploit it result in broken JavaScript).\n Explicitly set the correct character set at the beginning of the document (i.e. as early as possible) and\/or in the header.\n Ensure that URLs provided by the user start with an allowed scheme (whitelisting) to avoid dangerous schemes (e.g. javascript:-URLs).\n Don\u2019t forget URLs in redirector scripts.\n A content security policy may be used as an additional security measure, but is not sufficient by itself to prevent attacks.\nRationale \nEscaping data directly at the output location makes it easier to check that all outputs are escaped \u2013 each and every variable used as a parameter for an output method must either be marked as pre-escaped or be wrapped in a corresponding escape command.\nDifferent contexts require completely different escaping rules. A \u201c)\u201d character with no dangerous meaning in HTML and HTML attributes can signify the end of an URL path in CSS. See the example at the bottom for a complex but common case where HTML and JavaScript are used together and create countless opportunities for XSS. Note that many simple XSS attempts are \"accidentally\" blocked even by the wrong escaping (e.g. HTML escaping mangles quotes required for a JavaScript string injection, or newlines creating invalid JavaScript in case of injection attempts). Do NOT rely on this. The attacker may know a trick you are not thinking about. If it is possible to place anything in a place of the document structure where it is not supposed to go (e.g. outside a JavaScript string literal), it is a security issue that must be fixed. It might not be exploitable - or you may simply not be seeing the way to exploit it. Don't take that risk!\nNot setting the character set may lead to guessing by the browser. Such guessing can be exploited to pass a string that seems harmless in your intended encoding, but is interpreted as a script tag in the encoding assumed by the browser. 
For HTML5, use <meta charset=\"utf-8\" \/> as the first element in the head section.\nURLs can be dangerous, too. User-provided links should be checked against a scheme whitelist, as the javascript scheme is not the only dange