Month: March 2008

  • HttpOnly Update

    Jim asked a great question – what is the current state of the nation for HttpOnly? I’m glad he asked!

Pass – read and write protection (script can neither read the cookie nor overwrite it)

    • IE 7.0
    • Firefox >= 2.0.0.5
    • Firefox 3.0 beta
    • Camino 1.5.4

Barely Pass – read protection only (script cannot read the cookie, but can still overwrite it)

    • IE 6.0
    • Opera 9.50 beta

Fail – no protection (script can both read and overwrite the cookie)

    • Safari 3.1
    • Firefox < 2.0.0.5
    • Opera 9.2.6 (currently shipping stable version)

    Coverage of HttpOnly Support

According to my Google Analytics account, 93.6% of browsers support HttpOnly at least to the extent of blocking script reads. The worst offender is Apple, with a marketshare of 5.3% on my heavily trafficked site. They have no support whatsoever. In fact, they’ve had a bug outstanding for some time that no one is assigned to. BAD APPLE!

    Conclusion

Most sites do not use cookies for anything other than the session ID. This is best practice. In these instances, there is NO REASON for them to read or write the cookie using JavaScript. Although there are ways around HttpOnly (some work better than others, depending on your browser – for example, older browsers let script read the Set-Cookie header out of an XMLHttpRequest response), it is worthwhile for frameworks and app server vendors to send this flag automatically. Those very few folks who really need to be pwned should have the ability to turn this protection off.

  • ESAPI for PHP is go

    I’m working (slowly) on porting ESAPI to PHP. This will be great!

So just in case I keep on having a life after hours, Jeff kindly created an ESAPI for PHP project. If you care about PHP security, come help us finish the port. It’s only 3900 lines of code, and I’ve ported about 1000 of them already.

    Why ESAPI? 

    Well, it’s a ready to use secure coding package. The ESAPI library is not about avoiding attacks, it’s about software engineering for web app security. ESAPI deliberately targets around 80% of security features of the average application (whatever your application is!) with the reference implementation, and for that 80% it does security 100% right so you don’t have to.

    ESAPI covers nearly the entire OWASP Top 10, and some other issues besides:

    • User object*
    • Authentication* – membership management classes: createUser and friends, login, logout (with safe session and cookie termination), disable account, generateStrongPassword, automatic password hashing including salts, etc.
    • Access control*
    • Access Reference Maps* – direct to indirect object reference maps. No longer do you need to jump through hoops to protect primary keys, files and other things that people can trivially tamper with. Instead of filename=report.pdf, you can now trivially turn this into filename=4fd8Xz, a per-user random token that the server maps back to the real file and rejects if it was not issued to that user.
    • Encrypted configuration*. No more clear text passwords in config.php
    • Encrypted and integrity protected cookies*
    • Encrypted and integrity protected hidden fields*
    • Hard core encoding utilities*, such as HTML, JSON, XML and LDAP encoders that whitelist safe characters and encode everything else
    • Easy to use Encryption support … with access only to SHA-256, AES and other quality algorithms. No MD5 or DES here.
    • Easy to use strong random number support … no more weak random values
    • Executor* – safely call the operating system
    • Integrated intrusion detection* – security events are automatically generated and logged
    • Integrated Logging* – using log4php by default
    • CSRF token management* 
    • Thresholds* – automatically enforced rate limits for certain actions (logins, password resets and the like) to help prevent brute forcing
    • Validation libraries* that help you do white listing by default 
    • Test suite to prove coverage and test all functionality 

    Things with a star (*) are simply missing from PHP today, which is surprising considering EVERY SINGLE web application MUST have them. This is despite 5698 functions being defined in PHP today.  

    If the PHP core folks want to talk about adopting these in PHP by default, OWASP would be more than happy to donate the code and re-license as appropriate. All PHP applications deserve this level of security.

    So, please feel free to join us.