[OWASP_PHPSEC] OWASP PHP security project

rahul chaudhary rahul300chaudhary400 at gmail.com
Wed May 29 19:38:30 UTC 2013


Hello Abhiskek,

you can refer to the Exception Handling library to get familiar with the
pattern to add and throw new exceptions. It would be helpful if we keep
things like these consistent in all our libraries.


On Wed, May 29, 2013 at 3:16 PM, Abbas Naderi <abbas.naderi at owasp.org> wrote:

> Hi,
> Not all libraries need to be complicated.
> You can throw an error whenever insecure variables are used, and let the
> secure ones be directly used.
> -Abbas
>
> On 8 Khordad 1392, at 23:23, Abhishek Das <das.abhshk at gmail.com> wrote:
>
> Hi all,
>
> I wanted to start working on the HTTP request handling library.
>
> Like Abbas suggested, I read about host alteration attacks and the need
> for such a library. I understand that http headers can easily be spoofed
> and relying on them for sensitive transactions is foolish.
>
> From what was written above:
>
> > This library provides wrappers which securely process these data and hand
> > them to user, and replaces the $_SERVER values that are insecure with
> > objects that throw exceptions when cast to string (e.g. in HTTP_HOST), so
> > that developers can no longer directly access them.
>
> ^I don't exactly understand that. It would be nice if someone could
> explain in detail what is finally the functionality expected of the library.
>
> Also, there was some information I wanted to confirm.
> $_SERVER['REMOTE_ADDR'] is supposed to be a reliable source of the IP
> address, and if someone is behind a proxy, the proxy may have set the
> $_SERVER['HTTP_X_FORWARDED_FOR'] or $_SERVER['HTTP_CLIENT_IP'] headers. But
> again, these values can be easily spoofed. So the only reliable information
> is $_SERVER['REMOTE_ADDR']. So should the library provide an abstraction
> layer for developers to easily use the client IP address value and write
> conditional code, or is there more to it, or am I missing the point completely?
>
> Thanks
>
>
> On Tue, May 28, 2013 at 11:36 PM, johanna curiel curiel <johanna.curiel at owasp.org> wrote:
>
>> Yes, I hope Sam can set the domain and server asap.
>>
>>
>>
>> On Tue, May 28, 2013 at 1:50 PM, Abbas Naderi <abbas.naderi at owasp.org> wrote:
>>
>>> Hi Johanna,
>>> I believe it is a great start, as it has very little dependency on other
>>> libs.
>>> We would need the TRAC (project management) system for scheduling things
>>> and keeping track of all the work. Let's keep it messy until we get it
>>> working.
>>>
>>> I suggest the developer for HTTP Request Handling lib to read about HTTP
>>> Host Alteration attacks, to know why this library is important.
>>> Thanks
>>> -Abbas
>>> On 7 Khordad 1392, at 22:16, johanna curiel curiel <johanna.curiel at owasp.org> wrote:
>>>
>>> Hi All,
>>>
>>> There are many other libraries still to work on. Abbas, what about
>>> defining new requirements?
>>> Which could be next? What about
>>>
>>>    1. *Secure PHP HTTP Request Handling Library*
>>>
>>> HTTP Request is user input. Many developers forget this fact and tend to
>>> rely on it as a trustable source and configure many aspects of their
>>> applications based on values of $_SERVER (most of which are set using the HTTP
>>> request). While not all values under $_SERVER are unreliable, some of the
>>> values such as ‘QUERY_STRING’, ‘HTTP_REFERRER’ etc. are entirely arbitrary
>>> information sent by the client. This library provides wrappers which
>>> securely process these data and hand them to the user, and replaces the
>>> $_SERVER values that are insecure with objects that throw exceptions when
>>> cast to string (e.g. in HTTP_HOST), so that developers can no longer
>>> directly access them.
>>>
>>> As can be seen, this code entirely depends on the HTTP_REFERRER
>>> value to do a sensitive transaction. A potential attacker can easily spoof
>>> this variable and can trick the server into performing a sensitive transaction.
>>>
>>>
>>> regards
>>>
>>>
>>> Johanna
>>>
>>>
>>>
>>> On Tue, May 28, 2013 at 1:08 PM, Chetan Wadhwa <tochetanwadhwa at gmail.com> wrote:
>>>
>>>> Thanks Johanna & Abbas,
>>>>
>>>> I am very thankful to you. I'll pay my best efforts in the development.
>>>> And one thing I want to confirm about the proposed library for
>>>> "PASSWORD MANAGEMENT": how will we get the distribution of work among
>>>> the three people (me, Abhishek & Rahul), and please give me an idea about the
>>>> timelines set for the different phases of the project.
>>>>
>>>>
>>>>
>>>> On Tue, May 28, 2013 at 9:55 AM, johanna curiel curiel <johanna.curiel at owasp.org> wrote:
>>>>
>>>>> Hi Abbas
>>>>>
>>>>> Chetan & Rahul, you guys are doing a great job and I'll be making a
>>>>> small gift for your efforts.
>>>>> I'm buying their OWASP membership for 1 year, for the CURACAO chapter; you
>>>>> guys get the same rights as the others, but I can reuse the funds for
>>>>> my own chapter ;-)
>>>>>
>>>>> So I'll get one for Chetan.
>>>>>
>>>>> regards
>>>>>
>>>>> Johanna
>>>>>
>>>>>
>>>>> On Tue, May 28, 2013 at 12:51 PM, Abbas Naderi <abbas.naderi at owasp.org> wrote:
>>>>>
>>>>>> Hello Chetan,
>>>>>> I have CC'd Johanna here. She is the mentor for PHP Security Project,
>>>>>> and a dear friend of mine.
>>>>>> For you to have an OWASP email address, you need to be an OWASP
>>>>>> member and general membership costs $50 a year.
>>>>>> Now if you can afford it, it's fine. Otherwise Johanna can help you
>>>>>> secure funds or obtain it via other means. You usually need to contribute
>>>>>> first, then get an honorary email address.
>>>>>> Check your local chapter's page as well; they might have discounted
>>>>>> memberships (Iran chapter memberships cost $20 a year).
>>>>>> Thanks
>>>>>> -Abbas
>>>>>> On 7 Khordad 1392, at 21:09, Chetan Wadhwa <tochetanwadhwa at gmail.com> wrote:
>>>>>>
>>>>>> Thanks Abbas, I'll definitely start coding.
>>>>>>
>>>>>> And one thing I want to ask you: isn't there any official mail (or
>>>>>> joining-letter type) that I will get from OWASP??
>>>>>>
>>>>>> I have to show it in my university to get extra time to work in the
>>>>>> LABS of the university!!
>>>>>>
>>>>>>
>>>>>> On Tue, May 28, 2013 at 9:28 AM, Abbas Naderi <abbas.naderi at owasp.org> wrote:
>>>>>>
>>>>>>> You can start developing code! If you had any questions, ask in the
>>>>>>> mailing list. I get your calls.
>>>>>>> -Abbas
>>>>>>>
>>>>>>> On 7 Khordad 1392, at 13:31, Chetan Wadhwa <tochetanwadhwa at gmail.com> wrote:
>>>>>>>
>>>>>>> Yeahhh Abbas, I have done that; how to proceed further, please
>>>>>>> suggest....
>>>>>>>
>>>>>>>
>>>>>>> On Mon, May 27, 2013 at 11:59 PM, Abbas Naderi <abbas.naderi at owasp.org> wrote:
>>>>>>>
>>>>>>>> Hi again Chetan,
>>>>>>>> Please join the mailing list at
>>>>>>>>
>>>>>>>> Mailing List page here:
>>>>>>>> https://lists.owasp.org/mailman/listinfo/owasp_php_security_project
>>>>>>>>
>>>>>>>> And also browse the GitHub repository at:
>>>>>>>>
>>>>>>>> https://github.com/owasp/phpsec
>>>>>>>>
>>>>>>>> After you joined the mailing list, send an email there introducing
>>>>>>>> yourself and we'll keep it going from there.
>>>>>>>> Thanks a lot
>>>>>>>> -Abbas
>>>>>>>>
>>>>>>>> On 7 Khordad 1392, at 11:18, Chetan Wadhwa <tochetanwadhwa at gmail.com> wrote:
>>>>>>>>
>>>>>>>> I want to work on the PHP Security project, because I have a basic idea
>>>>>>>> about this project and I know what to do in this project???
>>>>>>>>
>>>>>>>>
>>>>>>>> On Mon, May 27, 2013 at 11:15 PM, Abbas Naderi <abbas.naderi at owasp.org> wrote:
>>>>>>>>
>>>>>>>>> Hello Chetan!
>>>>>>>>> Super to hear that! Do you want to work on PHP Security Project,
>>>>>>>>> or the WebGoatPHP?
>>>>>>>>> Please let me know so that I can set you up!
>>>>>>>>> Thanks
>>>>>>>>> -Abbas
>>>>>>>>> On 7 Khordad 1392, at 0:47, Chetan Wadhwa <tochetanwadhwa at gmail.com> wrote:
>>>>>>>>>
>>>>>>>>> > Abbas, I have got the GSoC email of not being selected, but I
>>>>>>>>> still want to work for this project!!!
>>>>>>>>> > Tell me something about this: what should I proceed for???
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> *Chetan Wadhwa*
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> *Chetan Wadhwa*
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> *Chetan Wadhwa*
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> *Chetan Wadhwa*
>>>>
>>>
>>> _______________________________________________
>>> OWASP_PHP_Security_Project mailing list
>>> OWASP_PHP_Security_Project at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp_php_security_project
>>>
>>>
>>>
>>
>>
>>
>
>
> --
> *Abhishek Das*
> B. Tech. (2nd year)
> Electrical Engineering
> IIT Roorkee
>
>
>
>
>


-- 
Regards,
Rahul Chaudhary
Ph - 412-519-9634
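
The wrapper pattern Johanna describes (insecure $_SERVER entries swapped for objects that throw when cast to string) and the REMOTE_ADDR question Abhishek raises, as one added PHP sketch. This is not code from the OWASP phpsec project or from anyone in this thread; the names InsecureServerValue, secureServer and clientIp, the choice of which keys count as client-controlled, and the PHP 8 requirement are my assumptions.

```php
<?php
// Added illustration of the wrapper pattern discussed in the thread. This is
// not code from the OWASP phpsec project; InsecureServerValue, secureServer
// and clientIp are assumed names. Requires PHP 8.0+.
declare(strict_types=1);

/**
 * Stand-in for a $_SERVER entry the client controls. Using it as a string
 * (concatenation, echo, interpolation) throws instead of yielding the value.
 */
final class InsecureServerValue
{
    public function __construct(private string $key) {}

    public function __toString(): string
    {
        throw new RuntimeException(
            "\$_SERVER['{$this->key}'] is client-controlled; use the library accessor instead"
        );
    }
}

/**
 * Returns a copy of $server in which client-supplied entries are swapped for
 * InsecureServerValue objects. Every HTTP_* key is a request header, and
 * QUERY_STRING is the request's own query part, so all of them are covered.
 */
function secureServer(array $server): array
{
    foreach (array_keys($server) as $key) {
        if (!is_string($key)) {
            continue; // $_SERVER keys are strings; skip anything odd under strict_types
        }
        if ($key === 'QUERY_STRING' || str_starts_with($key, 'HTTP_')) {
            $server[$key] = new InsecureServerValue($key);
        }
    }
    return $server;
}

/**
 * Client address accessor. It reads only REMOTE_ADDR (the TCP peer) and
 * ignores X-Forwarded-For / Client-IP, which any client can set. Returns
 * null when the value is missing or not a well-formed IP address.
 */
function clientIp(array $server): ?string
{
    $addr = $server['REMOTE_ADDR'] ?? null;
    if (!is_string($addr) || filter_var($addr, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    return $addr;
}

// Constructed sample environment, not a real capture.
$sample = [
    'REMOTE_ADDR'          => '203.0.113.7',
    'HTTP_HOST'            => 'attacker.example',   // client-chosen Host header
    'HTTP_X_FORWARDED_FOR' => '127.0.0.1',          // client-chosen header
    'QUERY_STRING'         => 'id=42',
    'DOCUMENT_ROOT'        => '/var/www/app',       // server configuration, left as-is
];

$safe = secureServer($sample);

echo 'client ip: ', clientIp($safe) ?? 'unknown', PHP_EOL;
echo 'document root: ', $safe['DOCUMENT_ROOT'], PHP_EOL;

try {
    // The old habit of building a URL from the Host header now fails loudly.
    $resetUrl = 'https://' . $safe['HTTP_HOST'] . '/reset';
} catch (RuntimeException $e) {
    echo 'blocked: ', $e->getMessage(), PHP_EOL;
}
```

Run it with `php example.php`. The point of the design is that the failure is loud rather than silent: code that still concatenates `$safe['HTTP_HOST']` into a password-reset link raises at the first request instead of quietly emitting an attacker-chosen host. One caveat on the REMOTE_ADDR discussion: REMOTE_ADDR is the TCP peer, so when the application sits behind a reverse proxy the operator controls, it holds the proxy's address, and the forwarded header is usable only after that specific proxy has been configured as trusted and strips any client-supplied copy of the header.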