[OWASP_PHPSEC] OWASP PHP security project

Abbas Naderi abbas.naderi at owasp.org
Tue May 28 17:50:41 UTC 2013


Hi Johanna,
I believe it is a great start, as it has very little dependency on other libs. 
We would need the TRAC (project management) system for scheduling things and keeping track of all the work. Let's keep it messy until we get it working.

I suggest the developer for the HTTP Request Handling lib read about HTTP Host alteration attacks, to know why this library is important.
Thanks
-Abbas
On 7 Khordad 1392 (28 May 2013), at 22:16, johanna curiel curiel <johanna.curiel at owasp.org> wrote:

> Hi All,
> 
> There are many other libraries still to work on. Abbas, what about defining new requirements? 
> Which could be next? what about
> 
> Secure PHP HTTP Request Handling Library
> HTTP Request is user input. Many developers forget this fact and tend to rely on it as a trustable source and configure many aspects of their applications based on values of $_SERVER (most of which are set using the HTTP request). While not all values under $_SERVER are unreliable, some of the values such as ‘QUERY_STRING’, ‘HTTP_REFERRER’ etc. are entirely arbitrary information sent by the client. This library provides wrappers which securely process these data and hand them to the user, and replaces the $_SERVER values that are insecure with objects that throw exceptions when cast to string (e.g. in HTTP_HOST), so that developers can no longer directly access them.
> 
> As can be seen, this code entirely depends on the HTTP_REFERRER value to do a sensitive transaction. A potential attacker can easily spoof this variable and trick the server into performing the sensitive transaction.
> 
> regards
> 
> Johanna
> 
> 
> 
> On Tue, May 28, 2013 at 1:08 PM, Chetan Wadhwa <tochetanwadhwa at gmail.com> wrote:
> Thanks Johanna & Abbas,
> 
> I am very thankful to you. I'll pay my best efforts in the development.
> And one thing I want to confirm about the proposed library for "PASSWORD MANAGEMENT": how will we distribute the work among the three people (me, Abhishek & Rahul)? And please give me an idea about the timelines set for the different phases of the project.
> 
> 
> 
> On Tue, May 28, 2013 at 9:55 AM, johanna curiel curiel <johanna.curiel at owasp.org> wrote:
> Hi Abbas
> 
> Chetan & Rahul, you guys are doing a great job and I'll be making a small gift for your efforts.
> I'm buying their OWASP membership for 1 year, for the CURACAO chapter; you guys get the same rights as others, but I can reuse the funds for my own chapter ;-)
> 
> So I'll get one for Chetan.
> 
> regards
> 
> Johanna
> 
> 
> On Tue, May 28, 2013 at 12:51 PM, Abbas Naderi <abbas.naderi at owasp.org> wrote:
> Hello Chetan,
> I have CC'd Johanna here. She is the mentor for PHP Security Project, and a dear friend of mine.
> For you to have an OWASP email address, you need to be an OWASP member and general membership costs $50 a year.
> Now if you can afford it, it's fine. Otherwise Johanna can help you secure funds or obtain it via other means. You usually need to contribute first, then get an honorary email address.
> Check your local chapter's page as well, they might have discounted memberships (Iran chapters memberships cost $20 a year).
> Thanks
> -Abbas
> On 7 Khordad 1392 (28 May 2013), at 21:09, Chetan Wadhwa <tochetanwadhwa at gmail.com> wrote:
> 
>> Thanks Abbas, I'll definitely start coding.
>> 
>> And one thing I want to ask you: isn't there any official mail (or joining-letter type of document) that I will get from OWASP?
>> 
>> I have to show it at my university to get extra time to work in the university labs!
>> 
>> 
>> On Tue, May 28, 2013 at 9:28 AM, Abbas Naderi <abbas.naderi at owasp.org> wrote:
>> You can start developing code! If you have any questions, ask on the mailing list. I get your calls.
>> -Abbas
>> 
>> On 7 Khordad 1392 (28 May 2013), at 13:31, Chetan Wadhwa <tochetanwadhwa at gmail.com> wrote:
>> 
>>> Yeah Abbas, I have done that. How should I proceed further? Please suggest.
>>> 
>>> 
>>> On Mon, May 27, 2013 at 11:59 PM, Abbas Naderi <abbas.naderi at owasp.org> wrote:
>>> Hi again Chetan,
>>> Please join the mailing list at 
>>> 
>>> Mailing List page here: https://lists.owasp.org/mailman/listinfo/owasp_php_security_project
>>> 
>>> And also browse the GitHub repository at:
>>> 
>>> https://github.com/owasp/phpsec
>>> 
>>> After you have joined the mailing list, send an email there introducing yourself and we'll keep it going from there.
>>> Thanks a lot
>>> -Abbas
>>> 
>>> On 7 Khordad 1392 (28 May 2013), at 11:18, Chetan Wadhwa <tochetanwadhwa at gmail.com> wrote:
>>> 
>>>> I want to work on the PHP Security project, because I have a basic idea about this project and I know what to do in this project.
>>>> 
>>>> 
>>>> On Mon, May 27, 2013 at 11:15 PM, Abbas Naderi <abbas.naderi at owasp.org> wrote:
>>>> Hello Chetan!
>>>> Super to hear that! Do you want to work on PHP Security Project, or the WebGoatPHP?
>>>> Please let me know so that I can set you up!
>>>> Thanks
>>>> -Abbas
>>>> On 7 Khordad 1392 (28 May 2013), at 0:47, Chetan Wadhwa <tochetanwadhwa at gmail.com> wrote:
>>>> 
>>>> > Abbas, I have got the GSoC email of not being selected, but I still want to work for this project!
>>>> > Tell me something about this: what should I proceed with?
>>>> 
>>>> 
>>>> 
>>>> 
>>>> -- 
>>>> Chetan Wadhwa
>>> 
>>> 
>>> 
>>> 
>>> -- 
>>> Chetan Wadhwa
>> 
>> 
>> 
>> 
>> -- 
>> Chetan Wadhwa
> 
> 
> 
> 
> 
> -- 
> Chetan Wadhwa
> 
> _______________________________________________
> OWASP_PHP_Security_Project mailing list
> OWASP_PHP_Security_Project at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp_php_security_project
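The quoted library description above (client-controlled $_SERVER entries replaced by objects that throw when cast to string, and Host/Referer read only through a validating wrapper) rendered as a working sketch. This is an added example, not code from the OWASP phpsec repository; the class and method names (UntrustedServerValue, SecureServerVars, host(), refererIsSameSite()) and the allowlist parameter are assumptions chosen for illustration, and the request array at the bottom is constructed, not captured traffic.

```php
<?php
declare(strict_types=1);

// Added example; not phpsec code. Names below are illustrative assumptions.

/**
 * Placeholder for a client-controlled $_SERVER entry. Casting it to string
 * throws, so "https://{$_SERVER['HTTP_HOST']}/reset?t=..." fails loudly
 * instead of silently trusting the attacker's Host header.
 */
final class UntrustedServerValue
{
    public function __construct(private string $key) {}

    public function __toString(): string
    {
        // Throwing from __toString() is permitted since PHP 7.4.
        throw new LogicException(
            "\$_SERVER['{$this->key}'] is set by the client; read it through SecureServerVars"
        );
    }
}

final class SecureServerVars
{
    /** $_SERVER keys copied straight from the request; never trustworthy on their own. */
    private const CLIENT_CONTROLLED = [
        'HTTP_HOST', 'HTTP_REFERER', 'QUERY_STRING', 'REQUEST_URI', 'PATH_INFO',
        'HTTP_X_FORWARDED_HOST', 'HTTP_X_FORWARDED_FOR', 'HTTP_USER_AGENT',
    ];

    /**
     * @param array    $raw          the original $_SERVER array
     * @param string[] $allowedHosts lowercase hostnames this deployment serves (assumed config)
     */
    public function __construct(private array $raw, private array $allowedHosts) {}

    /** Copy of $_SERVER with every client-controlled key replaced by a throwing object. */
    public function sanitized(): array
    {
        $server = $this->raw;
        foreach (self::CLIENT_CONTROLLED as $key) {
            if (array_key_exists($key, $server)) {
                $server[$key] = new UntrustedServerValue($key);
            }
        }
        return $server;
    }

    /**
     * The Host header is only usable after comparison with a server-side allowlist.
     * Strips an optional port, lowercases, and rejects anything not listed.
     */
    public function host(): string
    {
        $raw  = (string) ($this->raw['HTTP_HOST'] ?? '');
        $host = strtolower(preg_replace('/:\d{1,5}$/', '', $raw) ?? '');
        if (!preg_match('/^[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?$/', $host)
            || !in_array($host, $this->allowedHosts, true)) {
            throw new RuntimeException('Rejected Host header: ' . var_export($raw, true));
        }
        return $host;
    }

    /**
     * Referer is arbitrary client data: usable as a hint (where to redirect after
     * login), never as an authorisation signal. True only if it parses and its
     * host is one we serve.
     */
    public function refererIsSameSite(): bool
    {
        $ref = $this->raw['HTTP_REFERER'] ?? null;
        if (!is_string($ref)) {
            return false;
        }
        $parts = parse_url($ref);
        if ($parts === false || !isset($parts['host'])) {
            return false;
        }
        return in_array(strtolower($parts['host']), $this->allowedHosts, true);
    }
}

// Constructed request (not real traffic): attacker rewrote the Host header.
$constructedServer = [
    'HTTP_HOST'    => 'evil.example',
    'HTTP_REFERER' => 'https://app.example/login',   // trivially forgeable
    'REQUEST_URI'  => '/account/reset',
    'SERVER_NAME'  => 'app.example',                 // from web-server config
];
$vars = new SecureServerVars($constructedServer, ['app.example']);

// Vulnerable pattern: a reset link built from HTTP_HOST would point the victim
// at evil.example. With the sanitized array the cast throws instead.
$_SERVER = $vars->sanitized();
try {
    $link = "https://{$_SERVER['HTTP_HOST']}/reset?token=abc";   // throws LogicException
} catch (LogicException $e) {
    echo "blocked: {$e->getMessage()}\n";
}

// Hardened pattern: allowlisted host or a hard failure (throws here: evil.example).
try {
    echo 'host: ' . $vars->host() . "\n";
} catch (RuntimeException $e) {
    echo "blocked: {$e->getMessage()}\n";
}

var_dump($vars->refererIsSameSite());   // true, but still only a hint
```

Running the script shows both the string cast and the allowlist check rejecting the spoofed Host header; the Referer check passes because the forged value happens to name the real site, which is exactly why the quoted text warns against basing a sensitive transaction on it.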
