[OWASP_PHPSEC] OWASP PHP security project

Abhishek Das das.abhshk at gmail.com
Wed May 29 18:53:47 UTC 2013


Hi all,

I wanted to start working on the HTTP request handling library.

Like Abbas suggested, I read about host alteration attacks and the need for
such a library. I understand that http headers can easily be spoofed and
relying on them for sensitive transactions is foolish.

From what was written above:

> This library provides wrappers which securely process these data and hand
> them to user, and replaces the $_SERVER values that are insecure with
> objects that throw exceptions when cast to string (e.g. in HTTP_HOST), so
> that developers can no longer directly access them.

I don't exactly understand that. It would be nice if someone could explain
in detail what is finally the functionality expected of the library.

Also, there was some information I wanted to confirm.
$_SERVER['REMOTE_ADDR'] is supposed to be a reliable source of the IP
address, and if someone is behind a proxy, the proxy may have set the
$_SERVER['HTTP_X_FORWARDED_FOR']
or $_SERVER['HTTP_CLIENT_IP'] headers. But again, these values can be
easily spoofed. So the only reliable information is $_SERVER['REMOTE_ADDR'].
So should the library provide an abstraction layer for developers to easily
use the client IP address value and write conditional code, or is there
more to it or am I missing the point completely?

Thanks


On Tue, May 28, 2013 at 11:36 PM, johanna curiel curiel <
johanna.curiel at owasp.org> wrote:

> Yes, I hope Sam can set the domain and server asap.
>
>
>
> On Tue, May 28, 2013 at 1:50 PM, Abbas Naderi <abbas.naderi at owasp.org> wrote:
>
>> Hi Johanna,
>> I believe it is a great start, as it has very little dependency on other
>> libs.
>> We would need the TRAC (project management) system for scheduling things
>> and keeping track of all the work. Lets keep it messy until we get it
>> working.
>>
>> I suggest the developer for HTTP Request Handling lib to read about HTTP
>> Host Alteration attacks, to know why this library is important.
>> Thanks
>> -Abbas
>> On 7 Khordad 1392, at 22:16, johanna curiel curiel <
>> johanna.curiel at owasp.org> wrote:
>>
>> Hi All,
>>
>> There are many other libraries still to work on. Abbas, what about
>> defining new requirements?
>> Which could be next? what about
>>
>>
>>    1. *Secure PHP HTTP Request Handling Library*
>>
>> HTTP Request is user input. Many developers forget this fact and tend to
>> rely on it as a trustable source and configure many aspects of their
>> applications based on values of $_SERVER (most of which are set using HTTP
>> request). While not all values under $_SERVER are unreliable, some of the
>> values such as ‘QUERY_STRING’, ‘HTTP_REFERRER’ etc are entirely arbitrary
>> information sent by the client. This library provides wrappers which
>> securely process these data and hand them to user, and replaces the
>> $_SERVER values that are insecure with objects that throw exceptions when
>> cast to string (e.g. in HTTP_HOST), so that developers can no longer
>> directly access them.
>>
>> As can be seen, this code entirely depends on the HTTP_REFERRER value
>> to do a sensitive transaction. A potential attacker can easily spoof this
>> variable and trick the server into performing a sensitive transaction.
>>
>>
>> regards
>>
>>
>> Johanna
>>
>>
>>
>> On Tue, May 28, 2013 at 1:08 PM, Chetan Wadhwa <tochetanwadhwa at gmail.com> wrote:
>>
>>> Thanks Johanna & Abbas,
>>>
>>> I am very thankful to you. I'll put my best efforts into the development.
>>> And one thing I want to confirm about the proposed library for "PASSWORD
>>> MANAGEMENT": how will we get the distribution of work among the three
>>> people (me, Abhishek & Rahul), and please give me an idea about the timelines
>>> set for the different phases of the project.
>>>
>>>
>>>
>>> On Tue, May 28, 2013 at 9:55 AM, johanna curiel curiel <
>>> johanna.curiel at owasp.org> wrote:
>>>
>>>> Hi Abbas
>>>>
>>>> Chetan & Rahul, you guys are doing a great job and I'll be making a
>>>> small gift for your efforts.
>>>> I'm buying their owasp membership for 1 year, for CURACAO chapter; you
>>>> guys get the same rights as others, but I can reuse the funds for
>>>> my own chapter ;-)
>>>>
>>>> So I'll get one for Chetan.
>>>>
>>>> regards
>>>>
>>>> Johanna
>>>>
>>>>
>>>> On Tue, May 28, 2013 at 12:51 PM, Abbas Naderi <abbas.naderi at owasp.org> wrote:
>>>>
>>>>> Hello Chetan,
>>>>> I have CC'd Johanna here. She is the mentor for PHP Security Project,
>>>>> and a dear friend of mine.
>>>>> For you to have an OWASP email address, you need to be an OWASP member
>>>>> and general membership costs $50 a year.
>>>>> Now if you can afford it, it's fine. Otherwise Johanna can help you
>>>>> secure funds or obtain it via other means. You usually need to contribute
>>>>> first, then get an honorary email address.
>>>>> Check your local chapter's page as well, they might have discounted
>>>>> memberships (Iran chapters memberships cost $20 a year).
>>>>> Thanks
>>>>> -Abbas
>>>>> On 7 Khordad 1392, at 21:09, Chetan Wadhwa <tochetanwadhwa at gmail.com>
>>>>> wrote:
>>>>>
>>>>> Thanks Abbas, I'll definitely start coding.
>>>>>
>>>>> And one thing I want to ask you: isn't there any official mail (or
>>>>> joining-letter type) that I will get from OWASP??
>>>>>
>>>>> I have to show it in my university to get extra time to work in the
>>>>> LABS of the university !!
>>>>>
>>>>>
>>>>> On Tue, May 28, 2013 at 9:28 AM, Abbas Naderi <abbas.naderi at owasp.org> wrote:
>>>>>
>>>>>> You can start developing code! If you had any questions, ask in the
>>>>>> mailing list. I get your calls.
>>>>>> -Abbas
>>>>>>
>>>>>> On 7 Khordad 1392, at 13:31, Chetan Wadhwa <tochetanwadhwa at gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>> Yeahhh Abbas, I have done that; how to proceed further, please suggest
>>>>>> ....
>>>>>>
>>>>>>
>>>>>> On Mon, May 27, 2013 at 11:59 PM, Abbas Naderi <
>>>>>> abbas.naderi at owasp.org> wrote:
>>>>>>
>>>>>>> Hi again Chetan,
>>>>>>> Please join the mailing list at
>>>>>>>
>>>>>>> Mailing List page here:
>>>>>>> https://lists.owasp.org/mailman/listinfo/owasp_php_security_project
>>>>>>>
>>>>>>> And also browse the GitHub repository at:
>>>>>>>
>>>>>>> https://github.com/owasp/phpsec
>>>>>>>
>>>>>>> After you joined the mailing list, send an email there introducing
>>>>>>> yourself and we'll keep it going from there.
>>>>>>> Thanks a lot
>>>>>>> -Abbas
>>>>>>>
>>>>>>> On 7 Khordad 1392, at 11:18, Chetan Wadhwa <tochetanwadhwa at gmail.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>> I want to work on PHP Security project, because I have a basic idea
>>>>>>> about this project and I know what to do in this project ???
>>>>>>>
>>>>>>>
>>>>>>> On Mon, May 27, 2013 at 11:15 PM, Abbas Naderi <
>>>>>>> abbas.naderi at owasp.org> wrote:
>>>>>>>
>>>>>>>> Hello Chetan!
>>>>>>>> Super to hear that! Do you want to work on PHP Security Project, or
>>>>>>>> the WebGoatPHP?
>>>>>>>> Please let me know so that I can set you up!
>>>>>>>> Thanks
>>>>>>>> -Abbas
>>>>>>>> On 7 Khordad 1392, at 0:47, Chetan Wadhwa <tochetanwadhwa at gmail.com>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>> > Abbas, I have got the GSOC email of not being selected, but I
>>>>>>>> still want to work for this project !!!
>>>>>>>> > Tell me something about this, what should I proceed with ???
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> *Chetan Wadhwa*
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>> _______________________________________________
>> OWASP_PHP_Security_Project mailing list
>> OWASP_PHP_Security_Project at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp_php_security_project
>>
>>
>>
>


-- 
*Abhishek Das*
B. Tech. (2nd year)
Electrical Engineering
IIT Roorkee
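As an added illustration of the two points raised in this message (wrapping insecure $_SERVER values in objects that throw when cast to string, and treating REMOTE_ADDR rather than X-Forwarded-For as the reliable peer address), here is a small sketch in PHP 8. It is example code written for this thread, not code from the phpsec repository; the class names SecureRequest and UntrustedServerValue and the trusted-proxy list are assumptions.

```php
<?php
// Added example (not the phpsec project's own code): an object that stands in for a
// client-controlled $_SERVER entry and throws when it is cast to string. Needs PHP 8.0+
// (constructor promotion); rawValue() is for accessors that validate the header.
final class UntrustedServerValue
{
    public function __construct(private string $key, private string $raw) {}
    public function __toString(): string
    {
        throw new LogicException("\$_SERVER['{$this->key}'] is client input; use a validating accessor");
    }
    public function rawValue(): string { return $this->raw; }
}

final class SecureRequest
{
    private const UNTRUSTED = ['HTTP_HOST', 'HTTP_REFERER', 'QUERY_STRING',
                               'HTTP_X_FORWARDED_FOR', 'HTTP_CLIENT_IP'];

    // $trustedProxies: REMOTE_ADDR values that are allowed to set X-Forwarded-For (assumed config).
    public function __construct(private array $server, private array $trustedProxies = [])
    {
        foreach (self::UNTRUSTED as $key) {
            if (isset($this->server[$key])) {
                $this->server[$key] = new UntrustedServerValue($key, (string) $this->server[$key]);
            }
        }
    }

    // REMOTE_ADDR is the TCP peer and cannot be set by a header. X-Forwarded-For is
    // consulted only when that peer is a trusted proxy, and then only its last entry
    // (the one that proxy appended); assumes a single proxy layer in front of PHP.
    public function clientIp(): string
    {
        $remote = (string) ($this->server['REMOTE_ADDR'] ?? '');
        if (!in_array($remote, $this->trustedProxies, true) || !isset($this->server['HTTP_X_FORWARDED_FOR'])) {
            return $remote;
        }
        $hops = array_map('trim', explode(',', $this->server['HTTP_X_FORWARDED_FOR']->rawValue()));
        $last = end($hops);
        return filter_var($last, FILTER_VALIDATE_IP) !== false ? $last : $remote;
    }
}

// Constructed sample: a direct client (not a trusted proxy) that spoofs X-Forwarded-For.
$req = new SecureRequest(['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '10.0.0.1'],
                         ['192.0.2.10']);
echo $req->clientIp(), "\n";   // the spoofed header is ignored; REMOTE_ADDR is returned
// Direct use of a wrapped value fails loudly instead of silently trusting the client.
try { echo new UntrustedServerValue('HTTP_HOST', 'evil.example'); }
catch (LogicException $e) { echo $e->getMessage(), "\n"; }
```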