So just in case I keep on having a life after hours, Jeff kindly created an ESAPI for PHP project. If you care about PHP security, come help us finish the port. It’s only 3900 lines of code, and I’ve ported like a 1000 of them already.
Well, it’s a ready to use secure coding package. The ESAPI library is not about avoiding attacks, it’s about software engineering for web app security. ESAPI deliberately targets around 80% of security features of the average application (whatever your application is!) with the reference implementation, and for that 80% it does security 100% right so you don’t have to.
ESAPI covers nearly the entire OWASP Top 10, and some other issues besides:
- User object*
- Authentication* membership management classes – we have coded createUser, and friends, login, logout (with safe session and cookie termination), disable account, generateStrongPassword, automatic password hashing including salts, etc.
- Access control*
- Access Reference Maps* – direct to indirect object reference maps. No longer do you need to jump through hoops to protect primary keys, files and other things that people can trivially tamper. Instead of filename=report.pdf, you can now trivially turn this into filename=4fd8Xz
- Encrypted configuration*. No more clear text passwords in config.php
- Encrypted and integrity protected cookies*
- Encrypted and integrity protected hidden fields*
- Hard core encoding utilities*, such as HTML, JSON, XML and LDAP encodings that only do whitelisting
- Easy to use Encryption support … with only access to SHA256 and AES other quality algorithms. No MD5 or DES here.
- Easy to use strong random number support … no more weak random values
- Executor* – safely call the operating system
- Integrated intrusion detection* – security events are automatically generated and logged
- Integrated Logging* – using log4php by default
- CSRF token management*
- Thresholds* – automatically set rates for certain actions to help prevent brute forcing
- Validation libraries* that help you do white listing by default
- Test suite to prove coverage and test all functionality
Things with a star (*) are simply missing from PHP today, which is surprising considering EVERY SINGLE web application MUST have them. This is despite 5698 functions being defined in PHP today.
If the PHP core folks want to talk about adopting these in PHP by default, OWASP would be more than happy to donate the code and re-license as appropriate. All PHP applications deserve this level of security.
So, please feel free to join us.