
I know about the following security attacks on PHP applications (HTML, PHP, JS).

  1. XSS

  2. SQL Injection

  3. CSRF

  4. Session Hijacking / Fixation

  5. Code Injection

  6. Remote file injection

Should I know about any others, or have I missed any?

aWebDeveloper
  • I made the title of your question more specific, almost this whole site is about "security attacks" ;-) –  Jan 27 '11 at 10:19
  • Every mentioned attack is independent of the implementing language. Just the details change. When searching for more input, do not search for PHP in particular. In the second step, when you search for solutions on how to avoid these attacks, you can narrow them down to PHP. – Christian Jan 27 '11 at 11:50
  • @Christian there are actually attacks that are specific to PHP, e.g. Remote File Inclusion, while not nonexistent in other platforms, is mostly a PHP issue. Though this is true in most cases. – AviD Jan 28 '11 at 08:40
  • @AviD RFI in PHP is a thing of the past (mostly), about the time that the allow_url_include php.ini setting was introduced, defaulting to false. That was like 4 years ago. – Krzysztof Kotowicz Sep 19 '11 at 12:45
  • Ah, @Krzysztof, don't we wish that was the case... And that everyone only used up-to-date platforms.... :) – AviD Sep 19 '11 at 12:49
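For each of the six categories the asker lists, the following is an added example of the defensive pattern a PHP application would use (this is illustration written for this page, not code from the asker or from any answer). It assumes a PDO connection `$pdo`, a `users` table with `id` and `name` columns, and a `tpl/` directory of templates; `listAction`, `showAction` and the template names are placeholders.

```php
<?php
// Added example, not from the original post. Assumptions: $pdo is a PDO
// connection, table `users`(id, name) exists, templates live under tpl/.
declare(strict_types=1);

// 1. XSS: encode output for the HTML context it lands in; never echo raw input.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 2. SQL injection: bind parameters so user data can never become SQL syntax.
//    (The vulnerable shape for contrast is string concatenation of $_GET['id'].)
function findUserById(PDO $pdo, int $id): ?array {
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);          // caller passes (int) $_GET['id']
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 3. CSRF: a random per-session token embedded in forms and checked on POST.
function csrfToken(): string {
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}
function csrfCheck(?string $submitted): bool {
    return is_string($submitted)
        && isset($_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], $submitted); // constant-time compare
}

// 4. Session hijacking / fixation: protective cookie flags, and a fresh session
//    id at login so an id chosen before authentication is never kept.
function startHardenedSession(): void {
    session_set_cookie_params([
        'httponly' => true,   // script cannot read the cookie
        'secure'   => true,   // sent over HTTPS only
        'samesite' => 'Lax',  // also blunts cross-site form posts
    ]);
    session_start();
}
function loginUser(int $userId): void {
    session_regenerate_id(true);  // old id is invalidated
    $_SESSION['uid'] = $userId;
}

// 5. Code injection: never hand user input to eval(); dispatch through an
//    allow-list of known handlers instead.
function runAction(string $action): string {
    $allowed = ['list' => 'listAction', 'show' => 'showAction'];
    if (!isset($allowed[$action])) {
        throw new InvalidArgumentException('unknown action');
    }
    return $allowed[$action]();
}
function listAction(): string { return 'listing'; }   // placeholder handler
function showAction(): string { return 'showing'; }   // placeholder handler

// 6. Remote / local file inclusion: the include path comes from a fixed map,
//    so no request value is ever passed to include/require.
function templatePath(string $name): string {
    $templates = [
        'home'  => __DIR__ . '/tpl/home.php',
        'about' => __DIR__ . '/tpl/about.php',
    ];
    if (!isset($templates[$name])) {
        throw new InvalidArgumentException('unknown template');
    }
    return $templates[$name];
}
```

Typical wiring: call `startHardenedSession()` before any output, render `<input type="hidden" name="csrf" value="<?= h(csrfToken()) ?>">` in every state-changing form, and reject the POST when `csrfCheck($_POST['csrf'] ?? null)` is false. The allow-list pattern in `runAction` and `templatePath` is the same idea applied to two sinks: the request selects from a fixed set of choices rather than supplying the value itself.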

4 Answers


Yes, there's definitely a lot more. I suggest that you start by reading about the OWASP Top 10. Every web developer needs to be familiar with each of those categories of threats.

In addition, here are some good introductions to web security:

P.S. Some other categories to make sure you know about: path traversal, session management, secure password storage, clickjacking, phishing, site-wide SSL.

D.W.
    Please note that these are a good place to *start*, and it is far from complete. After you're up to speed on the basics, you should look for more advanced topics... – AviD Jan 28 '11 at 08:41
  • Looks like web security tutorials don't exist anymore in the Google Code University course catalog. Alternative link: [Wayback Machine](http://web.archive.org/web/20121107143515/http://code.google.com/edu/security/index.html) – Jürgen Thelen Jul 13 '13 at 08:51
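As an added illustration of the extra categories D.W. names in the P.S. (path traversal, secure password storage, clickjacking, site-wide SSL), here is defensive PHP for each; this is example code written for this page, not the answerer's, and the directory name `public_files` is a placeholder.

```php
<?php
// Added example, not from the answer above. `public_files` is an assumed directory.
declare(strict_types=1);

// Path traversal: resolve the real path and require it to stay under the base
// directory, so "../" sequences and symlinks cannot escape it.
function safeReadFile(string $baseDir, string $requested): string {
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $requested);   // false if it does not exist
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('access denied');
    }
    $data = file_get_contents($path);
    if ($data === false) {
        throw new RuntimeException('read failed');
    }
    return $data;
}

// Secure password storage: a salted, deliberately slow hash (bcrypt by default
// via PASSWORD_DEFAULT); verification uses the matching constant-time check.
function storePassword(string $plain): string {
    return password_hash($plain, PASSWORD_DEFAULT);
}
function checkPassword(string $plain, string $stored): bool {
    return password_verify($plain, $stored);
}

// Clickjacking: forbid framing with both the legacy header and CSP.
// Site-wide SSL: HSTS tells browsers to use HTTPS for the whole host.
function sendSecurityHeaders(): void {
    header('X-Frame-Options: DENY');
    header("Content-Security-Policy: frame-ancestors 'none'");
    header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
}

// Site-wide SSL: redirect any plain-HTTP request before the application runs.
function enforceHttps(): void {
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    if (!$https) {
        header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], true, 301);
        exit;
    }
}

// Example use: serve a file chosen by name from the public directory.
// enforceHttps(); sendSecurityHeaders();
// echo safeReadFile(__DIR__ . '/public_files', $_GET['f'] ?? '');
```

Note that `safeReadFile` checks the prefix with the trailing directory separator appended, so a sibling directory whose name merely begins with the base name (for example `public_files_private`) is rejected too. The HSTS header only takes effect once the browser has seen it over a valid HTTPS connection, which is why the redirect in `enforceHttps` is still needed for the first visit.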

SANS publish a list of Top 25 Dangerous Software Errors every year. Some (or more) of these will be relevant to your application.

There may be other vulnerabilities in your product that are not covered in the SANS or OWASP lists, but these are a great place to start. Because they're so common, attackers (including script kiddies) and researchers will be able to find and exploit any vulnerabilities found here very quickly. It's also a great exercise to try and identify these vulns in your code, work out how you will solve them, whether you've got (or need) any tools to help and how you'll fit such work into your development cycle to ensure the vulns don't get reintroduced.

At some point you'll need to strike out on your own, and examine your application specifically. That's the only way you'll find issues specific to your domain, by looking at how your users use your app and how "your" attackers abuse it.

  • 1
    Please note that these are a good place to *start*, and it is far from complete. After you're up to speed on the basics, you should look for more advanced topics... – AviD Jan 28 '11 at 08:42
  • 1
    Great point, @AviD, I think it's worth incorporating into the answer so I'll do so. –  Jan 28 '11 at 10:44
0

Maybe you might want to have a look at this post.

Rory Alsop
labmice

I see some more points (not mentioned in the OWASP Top 10 either)