[OWASP_PHPSEC] OWASP PHP security project

johanna curiel curiel johanna.curiel at owasp.org
Tue May 28 18:06:33 UTC 2013


Yes, I hope Sam can set the domain and server asap.



On Tue, May 28, 2013 at 1:50 PM, Abbas Naderi <abbas.naderi at owasp.org> wrote:

> Hi Johanna,
> I believe it is a great start, as it has very little dependency on other
> libs.
> We would need the TRAC (project management) system for scheduling things
> and keeping track of all the work. Let's keep it messy until we get it
> working.
>
> I suggest the developer for HTTP Request Handling lib to read about HTTP
> Host Alteration attacks, to know why this library is important.
> Thanks
> -Abbas
> On 7 Khordad 1392, at 22:16, johanna curiel curiel <johanna.curiel at owasp.org>
> wrote:
>
> Hi All,
>
> There are many other libraries still to work on. Abbas, what about
> defining new requirements?
> Which could be next? What about
>
>
> 1. *Secure PHP HTTP Request Handling Library*
>
> HTTP Request is user input. Many developers forget this fact and tend to
> rely on it as a trustable source and configure many aspects of their
> applications based on values of $_SERVER (most of which are set using HTTP
> request). While not all values under $_SERVER are unreliable, some of the
> values such as ‘QUERY_STRING’, ‘HTTP_REFERRER’ etc are entirely arbitrary
> information sent by the client. This library provides wrappers which
> securely process these data and hand them to user, and replaces the
> $_SERVER values that are insecure with objects that throw exceptions when
> cast to string (e.g. in HTTP_HOST), so that developers can no longer
> directly access them.
>
> As can be seen, this code entirely depends on the HTTP_REFERRER value
> to do a sensitive transaction. A potential attacker can easily spoof this
> variable and trick the server into performing the sensitive transaction.
>
>
> regards
>
>
> Johanna
>
>
>
> On Tue, May 28, 2013 at 1:08 PM, Chetan Wadhwa <tochetanwadhwa at gmail.com> wrote:
>
>> Thanks Johanna & Abbas,
>>
>> I am very thankful to you. I'll put my best efforts into the development.
>> And one thing I want to confirm about the proposed library for "PASSWORD
>> MANAGEMENT": how will we get the distribution of work among the three
>> people (me, Abhishek & Rahul), and please give me an idea about the timelines
>> set for the different phases of the project.
>>
>>
>>
>> On Tue, May 28, 2013 at 9:55 AM, johanna curiel curiel <
>> johanna.curiel at owasp.org> wrote:
>>
>>> Hi Abbas
>>>
>>> Chetan & Rahul, you guys are doing a great job and I'll be making a small
>>> gift for your efforts.
>>> I'm buying your OWASP membership for 1 year, for the CURACAO chapter; you
>>> guys get the same rights as others, but I can reuse the funds for
>>> my own chapter ;-)
>>>
>>> So I'll get one for Chetan.
>>>
>>> regards
>>>
>>> Johanna
>>>
>>>
>>> On Tue, May 28, 2013 at 12:51 PM, Abbas Naderi <abbas.naderi at owasp.org> wrote:
>>>
>>>> Hello Chetan,
>>>> I have CC'd Johanna here. She is the mentor for PHP Security Project,
>>>> and a dear friend of mine.
>>>> For you to have an OWASP email address, you need to be an OWASP member
>>>> and general membership costs $50 a year.
>>>> Now if you can afford it, it's fine. Otherwise Johanna can help you
>>>> secure funds or obtain it via other means. You usually need to contribute
>>>> first, then get an honorary email address.
>>>> Check your local chapter's page as well, they might have discounted
>>>> memberships (Iran chapter memberships cost $20 a year).
>>>> Thanks
>>>> -Abbas
>>>> On 7 Khordad 1392, at 21:09, Chetan Wadhwa <tochetanwadhwa at gmail.com>
>>>> wrote:
>>>>
>>>> Thanks Abbas, I'll definitely start coding.
>>>>
>>>> And one thing I want to ask you: isn't there any official mail (or
>>>> joining-letter type) that I will get from OWASP??
>>>>
>>>> I have to show it in my university to get extra time to work in the
>>>> labs of the university!!
>>>>
>>>>
>>>> On Tue, May 28, 2013 at 9:28 AM, Abbas Naderi <abbas.naderi at owasp.org> wrote:
>>>>
>>>>> You can start developing code! If you have any questions, ask in the
>>>>> mailing list. I get your calls.
>>>>> -Abbas
>>>>>
>>>>> On 7 Khordad 1392, at 13:31, Chetan Wadhwa <tochetanwadhwa at gmail.com>
>>>>> wrote:
>>>>>
>>>>> Yeahhh Abbas, I have done that. How to proceed further? Please suggest
>>>>> ....
>>>>>
>>>>>
>>>>> On Mon, May 27, 2013 at 11:59 PM, Abbas Naderi <abbas.naderi at owasp.org> wrote:
>>>>>
>>>>>> Hi again Chetan,
>>>>>> Please join the mailing list at
>>>>>>
>>>>>> Mailing List page here:
>>>>>> https://lists.owasp.org/mailman/listinfo/owasp_php_security_project
>>>>>>
>>>>>> And also browse the GitHub repository at:
>>>>>>
>>>>>> https://github.com/owasp/phpsec
>>>>>>
>>>>>> After you joined the mailing list, send an email there introducing
>>>>>> yourself and we'll keep it going from there.
>>>>>> Thanks a lot
>>>>>> -Abbas
>>>>>>
>>>>>> On 7 Khordad 1392, at 11:18, Chetan Wadhwa <tochetanwadhwa at gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>> I want to work on the PHP Security project, because I have a basic idea
>>>>>> about this project and I know what to do in this project???
>>>>>>
>>>>>>
>>>>>> On Mon, May 27, 2013 at 11:15 PM, Abbas Naderi <abbas.naderi at owasp.org> wrote:
>>>>>>
>>>>>>> Hello Chetan!
>>>>>>> Super to hear that! Do you want to work on PHP Security Project, or
>>>>>>> the WebGoatPHP?
>>>>>>> Please let me know so that I can set you up!
>>>>>>> Thanks
>>>>>>> -Abbas
>>>>>>> On 7 Khordad 1392, at 0:47, Chetan Wadhwa <tochetanwadhwa at gmail.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>> > Abbas, I have got the GSOC email of not being selected, but I still
>>>>>>> want to work for this project!!!
>>>>>>> > Tell me something about this: what should I proceed with???
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> *Chetan Wadhwa*
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> *Chetan Wadhwa*
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> *Chetan Wadhwa*
>>>>
>>>>
>>>>
>>>
>>
>>
>> --
>> *Chetan Wadhwa*
>>
>
> _______________________________________________
> OWASP_PHP_Security_Project mailing list
> OWASP_PHP_Security_Project at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp_php_security_project
>
>
>
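The request-handling library described in the quoted messages (wrappers around $_SERVER, with client-controlled keys such as HTTP_HOST replaced by objects that throw when cast to string) could take the shape sketched below. This is an added example written for this page, not code from the OWASP phpsec repository or from any of the people in the thread; the class names SecureRequest and UntrustedServerValue, the allowlist constructor argument, and the sample request array are this example's own assumptions, and it assumes PHP 7.4 or later (typed properties, and throwing from __toString is permitted from 7.4 on). Note that PHP spells the header key HTTP_REFERER, with one R.

```php
<?php
declare(strict_types=1);

// Added example, not the OWASP phpsec project's own code. Requires PHP 7.4+.
// Names (SecureRequest, UntrustedServerValue, the allowlist) are assumptions.

/**
 * Stand-in for a client-controlled $_SERVER entry. Any attempt to use it as a
 * string (echo, concatenation, string comparison) fails loudly instead of
 * silently trusting data the client chose to send.
 */
final class UntrustedServerValue
{
    private string $name;

    public function __construct(string $name)
    {
        $this->name = $name;
    }

    public function __toString(): string
    {
        throw new LogicException(
            "\$_SERVER['{$this->name}'] is client-controlled; read it through SecureRequest instead"
        );
    }
}

final class SecureRequest
{
    /** $_SERVER keys that come straight from the HTTP request and must not be used as-is. */
    private const CLIENT_CONTROLLED = ['HTTP_HOST', 'HTTP_X_FORWARDED_HOST', 'HTTP_REFERER', 'QUERY_STRING'];

    /** @var array<string,mixed> snapshot of $_SERVER */
    private array $server;
    /** @var string[] lowercase hostnames this application legitimately serves */
    private array $allowedHosts;

    public function __construct(array $server, array $allowedHosts)
    {
        $this->server = $server;
        $this->allowedHosts = array_map('strtolower', $allowedHosts);
    }

    /** Host header validated against the configured allowlist; a port suffix is ignored. */
    public function host(): string
    {
        $raw = (string) ($this->server['HTTP_HOST'] ?? '');
        $host = strtolower(explode(':', $raw, 2)[0]);
        if ($host === '' || !in_array($host, $this->allowedHosts, true)) {
            throw new RuntimeException("Host header '{$raw}' is not one of the configured hosts");
        }
        return $host;
    }

    /** Referer only when it points at one of our own hosts, else null. Not an authorization signal. */
    public function sameSiteReferer(): ?string
    {
        $raw = $this->server['HTTP_REFERER'] ?? null;
        if (!is_string($raw) || $raw === '') {
            return null;
        }
        $host = parse_url($raw, PHP_URL_HOST);
        if (!is_string($host) || !in_array(strtolower($host), $this->allowedHosts, true)) {
            return null;
        }
        return $raw;
    }

    /** Query string parsed into an array; each value is still untrusted input needing its own validation. */
    public function query(): array
    {
        parse_str((string) ($this->server['QUERY_STRING'] ?? ''), $out);
        return $out;
    }

    /** Copy of $_SERVER in which client-controlled keys are replaced by throwing placeholders. */
    public function hardenedServer(): array
    {
        $copy = $this->server;
        foreach (self::CLIENT_CONTROLLED as $key) {
            if (array_key_exists($key, $copy)) {
                $copy[$key] = new UntrustedServerValue($key);
            }
        }
        return $copy;
    }
}

// Constructed sample request (not a real capture): a Host header and a Referer
// that do not belong to the application.
$sample = [
    'REQUEST_METHOD' => 'POST',
    'HTTP_HOST'      => 'other.example:443',
    'HTTP_REFERER'   => 'https://other.example/transfer',
    'QUERY_STRING'   => 'amount=100&to=1234',
];

$req = new SecureRequest($sample, ['shop.example', 'www.shop.example']);

try {
    $req->host();
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

var_dump($req->sameSiteReferer());         // NULL: an off-site Referer is not accepted
var_dump($req->query()['amount'] ?? null);  // string(3) "100", still needs validation

$server = $req->hardenedServer();
try {
    $banner = 'Host: ' . $server['HTTP_HOST']; // the string cast throws
} catch (LogicException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The point the thread makes about HTTP_REFERRER is that the Referer header is whatever the client decided to send, so sameSiteReferer() returns null for anything off-site and, even when it returns a value, a sensitive transaction should be gated on a server-issued anti-CSRF token rather than on that header. The host allowlist is the defence against the Host header alteration Abbas mentions: any code that builds absolute URLs (redirects, password-reset links) should take the hostname from host() rather than from $_SERVER['HTTP_HOST'], and the throwing placeholder in hardenedServer() makes a forgotten direct read fail in testing rather than in production.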