====== Web Application Security ======

This is a list of common security concerns for web applications that can be or should be solved at the application development level, with a focus on PHP solutions. See [[Shared Host or Compromised System]] for information on securing PHP applications in shared hosting situations.

  * [[security:risk:catalog|A Catalog of Security Vulnerabilities]] - Bad security smells.
  * [[security:attack:catalog|A Catalog of Security Attacks]] - Attacks against PHP applications and how to foil them.
  * [[security:functions:catalog|A Catalog of Security Sensitive Functions]] - A list of PHP functions and their security implications.
  * [[security:practice:catalog|A Catalog of Secure Practices]] - Best practices for secure applications.

===== PHP Security Resources =====

  * [[http://shiflett.org/php-security.pdf|PHP Security Workbook]]
  * [[http://www.phpsecure.info|PHPSecure: Security]]
  * [[http://www.php.net/manual/en/security.php|PHP Manual: Security]]
  * [[http://www.securereality.com.au/studyinscarlet.txt|A Study in Scarlet]] ([[http://www.securereality.com.au/archives/studyinscarlet-french.txt|French translation]])
  * [[http://www.sklar.com/page/article/owasp-top-ten|PHP and the OWASP Top Ten Security Vulnerabilities]]
  * [[http://www.onlamp.com/lpt/a/4045|PHP Security, Part 1]]
  * [[http://www.onlamp.com/lpt/a/4117|PHP Security, Part 2]]
  * [[http://www.webkreator.com/php/configuration/php-session-security.html|PHP Session Security]]
  * [[http://shiflett.org/articles/the-truth-about-sessions|The Truth about Sessions]]
  * [[http://phpmag.de/itr/online_artikel/psecom,id,396,nodeid,62.html|Web Security - Angriffsmethoden und ihre Folgen]] (German: "Web Security - Attack Methods and Their Consequences")
  * [[http://securephp.damonkohler.com/|SecurePHP - A PHP security wiki]]

===== General Web Application Security Resources =====

  * [[http://www.technicalinfo.net/papers/WebBasedSessionManagement.html|Best Practices in Managing HTTP Based Client Sessions]]
  * [[http://www.owasp.org/documentation/guide|OWASP Guide to Building Secure Web Applications]]
  * [[http://members.rogers.com/razvan.peteanu/best_prac_for_sec_dev4.pdf|Best Practices for Secure Development (PDF)]]
  * [[http://www.wiretrip.net/rfp/txt/whiskerids.html|Anti-Intrusion-Detection Tactics]]
  * [[http://www.cgisecurity.com/lib/Threats_Countermeasures.pdf|Improving Web Application Security: Threats and Countermeasures (PDF)]]
  * [[http://www.technicalinfo.net/papers/CustomHTMLAUthentication.html|Best Practices on Securing Custom HTML Authentication Procedures]]
  * [[http://www.technicalinfo.net/papers/URLEmbeddedAttacks.html|URL Encoded Attacks]]
  * [[http://www.nextgenss.com/papers/NGSJan2004PassiveWP.pdf|Passive Information Gathering - Analysis of Leaked Security Information]]
  * [[http://www.cgisecurity.com/papers/header-based-exploitation.txt|Header Based Exploitation: Web Statistical Software Threats]]
  * [[http://iso-17799.safemode.org|ISO 17799 Security Development Wiki]]
  * [[http://www.spidynamics.com/whitepapers/webappwhitepaper.pdf|Security at the Next Level]]
  * [[http://project.honeynet.org/papers/enemy/|Know Your Enemy - The Tools and Methodologies of the Script Kiddie]]
  * [[http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/ThreatCounter.asp|MSDN - Improving Web Application Security]]
  * [[http://www.technicalinfo.net/index.html|Making Sense of Security]]
  * [[http://www.theq3.com/images/q3-backup-whitepaper.pdf|Best Practices for Securing Your Backup Data]]