[OWASP_PHPSEC] OWASP PHP security project

johanna curiel curiel johanna.curiel at owasp.org
Tue May 28 17:46:49 UTC 2013


Hi All,

There are many other libraries still to work on. Abbas, what about defining
new requirements?
Which could be next? what about

   1. *Secure PHP HTTP Request Handling Library*

An HTTP request is user input. Many developers forget this fact and tend to
rely on it as a trustworthy source and configure many aspects of their
applications based on values of $_SERVER (most of which are set from the HTTP
request). While not all values under $_SERVER are unreliable, some of the
values, such as ‘QUERY_STRING’, ‘HTTP_REFERER’ etc., are entirely arbitrary
information sent by the client. This library provides wrappers which
securely process these data and hand them to the user, and replaces the
$_SERVER values that are insecure with objects that throw exceptions when
cast to string (e.g. HTTP_HOST), so that developers can no longer
directly access them.

As can be seen, this code entirely depends on the HTTP_REFERER value
to perform a sensitive transaction. A potential attacker can easily spoof this
variable and trick the server into performing the sensitive transaction.


regards


Johanna
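The wrapper approach sketched in the message above, as an added example in PHP 8 (not code from the OWASP phpsec project; the class names SecureRequest and UntrustedServerValue, the list of client-controlled keys and the sample request array are my own assumptions): client-controlled $_SERVER keys come back as objects whose string conversion throws, while an explicit accessor hands out the raw value only through a caller-supplied validator.

```php
<?php
// Added illustration, not phpsec project code. Requires PHP 8 (constructor
// property promotion, mixed) and relies on __toString being allowed to throw.
declare(strict_types=1);

final class UntrustedServerValue
{
    public function __construct(private string $key, private string $raw) {}

    // Every implicit or explicit string conversion (comparison, concatenation,
    // echo) lands here, so the old "trust it as a string" pattern fails loudly.
    public function __toString(): string
    {
        throw new LogicException(sprintf(
            "\$_SERVER['%s'] is client-controlled; read it via SecureRequest::untrusted() and validate it",
            $this->key
        ));
    }

    public function raw(): string
    {
        return $this->raw;
    }
}

final class SecureRequest
{
    // Keys populated from the request line or request headers. The client chooses
    // these bytes, so they must never be the basis of an authorization decision.
    private const CLIENT_CONTROLLED = [
        'HTTP_HOST', 'HTTP_REFERER', 'HTTP_USER_AGENT', 'HTTP_X_FORWARDED_FOR',
        'QUERY_STRING', 'REQUEST_URI', 'PATH_INFO', 'PHP_SELF',
    ];

    /** @var array<string, mixed> */
    private array $server;

    /** @param array<string, mixed> $server normally $_SERVER; injected so the example runs offline */
    public function __construct(array $server)
    {
        $this->server = $server;
        foreach (self::CLIENT_CONTROLLED as $key) {
            if (array_key_exists($key, $this->server)) {
                $this->server[$key] = new UntrustedServerValue($key, (string) $this->server[$key]);
            }
        }
    }

    /** Drop-in for reading $_SERVER[$key]; client-controlled keys come back wrapped. */
    public function get(string $key): mixed
    {
        return $this->server[$key] ?? null;
    }

    /** Explicit access to a client-controlled value; anything failing the validator counts as absent. */
    public function untrusted(string $key, callable $validator): ?string
    {
        $value = $this->server[$key] ?? null;
        if ($value === null) {
            return null;
        }
        $raw = $value instanceof UntrustedServerValue ? $value->raw() : (string) $value;
        return $validator($raw) ? $raw : null;
    }

    /** Referer compared against a server-side allowlist of hosts: a hint at best, never the sole gate. */
    public function refererFromAllowedHost(array $allowedHosts): bool
    {
        $ref = $this->untrusted('HTTP_REFERER', fn (string $v): bool => filter_var($v, FILTER_VALIDATE_URL) !== false);
        if ($ref === null) {
            return false;
        }
        $host = parse_url($ref, PHP_URL_HOST);
        return is_string($host) && in_array(strtolower($host), $allowedHosts, true);
    }
}

// Constructed sample standing in for $_SERVER: the first two keys are set by the
// web server, the remaining ones are copied from bytes the client sent.
$sample = [
    'REMOTE_ADDR'  => '198.51.100.7',
    'SERVER_NAME'  => 'app.example.test',
    'HTTP_HOST'    => 'app.example.test',
    'HTTP_REFERER' => 'https://attacker.example/fake-confirm',
    'QUERY_STRING' => 'action=transfer&amount=1000',
];
$req = new SecureRequest($sample);

echo $req->get('REMOTE_ADDR'), "\n";   // server-set value, reads exactly as before

try {
    // The pattern criticised in the message: a sensitive action gated on the referer.
    if ((string) $req->get('HTTP_REFERER') === 'https://app.example.test/confirm') {
        echo "performing transfer\n";
    }
} catch (LogicException $e) {
    echo 'blocked: ', $e->getMessage(), "\n";
}

// The explicit path still works, and the allowlist check rejects the spoofed host.
var_dump($req->refererFromAllowedHost(['app.example.test']));
```

The wrapping happens once, at construction, so application code that already reads `$_SERVER` keys through `get()` keeps working for server-set keys and breaks at the first string use of a client-controlled one, which is where a reviewer wants the failure to surface.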



On Tue, May 28, 2013 at 1:08 PM, Chetan Wadhwa <tochetanwadhwa at gmail.com> wrote:

> Thanks Johanna & Abbas,
>
> I am very thankful to you. I'll put my best efforts into the development.
> And one thing I want to confirm about the proposed library for "PASSWORD
> MANAGEMENT": how will we get the distribution of work among the three
> people (me, Abhishek & Rahul), and please give me an idea about the timelines
> set for the different phases of the project.
>
>
>
> On Tue, May 28, 2013 at 9:55 AM, johanna curiel curiel <
> johanna.curiel at owasp.org> wrote:
>
>> Hi Abbas
>>
>> Chetan & Rahul, you guys are doing a great job and I'll be making a small
>> gift for your efforts.
>> I'm buying their OWASP membership for 1 year, for the CURACAO chapter; you
>> guys get the same rights as the others, but I can reuse the funds for
>> my own chapter ;-)
>>
>> So I'll get one for Chetan.
>>
>> regards
>>
>> Johanna
>>
>>
>> On Tue, May 28, 2013 at 12:51 PM, Abbas Naderi <abbas.naderi at owasp.org> wrote:
>>
>>> Hello Chetan,
>>> I have CC'd Johanna here. She is the mentor for PHP Security Project,
>>> and a dear friend of mine.
>>> For you to have an OWASP email address, you need to be an OWASP member
>>> and general membership costs $50 a year.
>>> Now if you can afford it, it's fine. Otherwise Johanna can help you
>>> secure funds or obtain it via other means. You usually need to contribute
>>> first, then get an honorary email address.
>>> Check your local chapter's page as well; they might have discounted
>>> memberships (Iran chapter memberships cost $20 a year).
>>> Thanks
>>> -Abbas
>>> On 7 Khordad 1392, at 21:09, Chetan Wadhwa <tochetanwadhwa at gmail.com>
>>> wrote:
>>>
>>> Thanks Abbas, I'll definitely start coding.
>>>
>>> And one thing I want to ask you: isn't there any official mail (or joining
>>> letter type) that I will get from OWASP??
>>>
>>> I have to show it in my university to get extra time to work in the LABS
>>> of the university!!
>>>
>>>
>>> On Tue, May 28, 2013 at 9:28 AM, Abbas Naderi <abbas.naderi at owasp.org> wrote:
>>>
>>>> You can start developing code! If you had any questions, ask in the
>>>> mailing list. I get your calls.
>>>> -Abbas
>>>>
>>>> On 7 Khordad 1392, at 13:31, Chetan Wadhwa <tochetanwadhwa at gmail.com>
>>>> wrote:
>>>>
>>>> Yeahhh Abbas, I have done that; how to proceed further, please suggest
>>>> ....
>>>>
>>>>
>>>> On Mon, May 27, 2013 at 11:59 PM, Abbas Naderi <abbas.naderi at owasp.org> wrote:
>>>>
>>>>> Hi again Chetan,
>>>>> Please join the mailing list at
>>>>>
>>>>> Mailing List page here:
>>>>> https://lists.owasp.org/mailman/listinfo/owasp_php_security_project
>>>>>
>>>>> And also browse the GitHub repository at:
>>>>>
>>>>> https://github.com/owasp/phpsec
>>>>>
>>>>> After you have joined the mailing list, send an email there introducing
>>>>> yourself and we'll keep it going from there.
>>>>> Thanks a lot
>>>>> -Abbas
>>>>>
>>>>> On 7 Khordad 1392, at 11:18, Chetan Wadhwa <tochetanwadhwa at gmail.com>
>>>>> wrote:
>>>>>
>>>>> I want to work on the PHP Security project, because I have a basic idea
>>>>> about this project and I know what to do in this project???
>>>>>
>>>>>
>>>>> On Mon, May 27, 2013 at 11:15 PM, Abbas Naderi <abbas.naderi at owasp.org> wrote:
>>>>>
>>>>>> Hello Chetan!
>>>>>> Super to hear that! Do you want to work on PHP Security Project, or
>>>>>> the WebGoatPHP?
>>>>>> Please let me know so that I can set you up!
>>>>>> Thanks
>>>>>> -Abbas
>>>>>> On 7 Khordad 1392, at 0:47, Chetan Wadhwa <tochetanwadhwa at gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>> > Abbas, I have got the GSoC email of not being selected, but I still
>>>>>> want to work for this project!!!
>>>>>> > Tell me something about this: what should I proceed with???
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> *Chetan Wadhwa*
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> *Chetan Wadhwa*
>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> *Chetan Wadhwa*
>>>
>>>
>>>
>>
>
>
> --
> *Chetan Wadhwa*
>

