
Ask HN: First steps to check the security of PHP web-application? - dlphii
Your development team made a web application and asked you to check its security. What should your first steps be (both back-end and front-end)? Which patterns should you search for first?
======
krapp
Basic, basic stuff:

If the app is accessing a database, is it using prepared statements, or
concatenated strings?

... are you sure that, even if you are using prepared statements, someone
didn't concatenate variables into the statements themselves, perhaps to make
column selection or something easier?

If the app is dealing with passwords, is it hashing, rather than encrypting
them (or, heaven forbid, storing them in plaintext) and comparing them using
hash_equals() rather than directly?

Are there any user-supplied variables being echoed to the browser? If so, and
if you're not using a templating engine that does escaping by default, are you
_sure_ every single one is properly escaped?

Do exceptions leak information to the browser rather than being logged?

Is every POST request validated using a CSRF token, and are POST requests rate
limited?

Is every other type of request which requires elevated privileges validated
using some kind of token?

If files are being uploaded to the server, are they being chmodded to be
non-executable?

... ok, are the filenames being randomized?

... ok, are the filetypes being validated using the file headers and not the
mime-types?

Do you have a sane Content Security Policy header?
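The checklist above turned into code, as an added example that is not from the original post or any project it mentions. It assumes a PDO connection `$pdo` to a table `users(id, username, pw_hash)`, a started session, and an upload directory outside the web root; function and column names are illustrative. Each section pairs the check with the pattern you would grep for during review.

```php
<?php
declare(strict_types=1);

// --- 1. Database access: bound parameters, not concatenation -------------
// Pattern to search for: "SELECT ... $" / "WHERE ... '$" / ".= $_GET".
function findUserVulnerable(PDO $pdo, string $name): ?array {
    // Deliberately vulnerable: $name is concatenated straight into SQL.
    $row = $pdo->query("SELECT id, pw_hash FROM users WHERE username = '$name'")
               ->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}
function findUser(PDO $pdo, string $name): ?array {
    $st = $pdo->prepare('SELECT id, pw_hash FROM users WHERE username = :name');
    $st->execute([':name' => $name]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}
// Identifiers (column names) cannot be bound, which is exactly where people
// "make column selection easier" by concatenating. Use an allow-list instead.
function listUsers(PDO $pdo, string $orderBy): array {
    $allowed = ['id' => 'id', 'name' => 'username'];
    if (!isset($allowed[$orderBy])) {
        throw new InvalidArgumentException('unsupported sort column');
    }
    $col = $allowed[$orderBy]; // value comes from our own table, not the request
    return $pdo->query("SELECT id, username FROM users ORDER BY $col")
               ->fetchAll(PDO::FETCH_ASSOC);
}

// --- 2. Passwords: one-way hash, constant-time comparison ----------------
// Pattern to search for: md5(, sha1(, crypt(, "== $hash", openssl_encrypt on passwords.
function createUser(PDO $pdo, string $name, string $password): void {
    $st = $pdo->prepare('INSERT INTO users (username, pw_hash) VALUES (:n, :h)');
    $st->execute([':n' => $name, ':h' => password_hash($password, PASSWORD_DEFAULT)]);
}
function checkLogin(PDO $pdo, string $name, string $password): bool {
    $row = findUser($pdo, $name);
    // Always run password_verify (it uses hash_equals internally) so a missing
    // user takes as long as a wrong password.
    $hash = $row['pw_hash'] ?? password_hash('dummy-not-a-real-password', PASSWORD_DEFAULT);
    $ok = password_verify($password, $hash);
    return $row !== null && $ok;
}

// --- 3. Output: escape every user-supplied value ---------------------------
// Pattern to search for: "echo $_", "<?= $", print($_.
function e(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// --- 4. Exceptions: log details, show the user nothing useful --------------
function installErrorHandler(): void {
    ini_set('display_errors', '0');
    set_exception_handler(function (Throwable $t): void {
        error_log($t->__toString());      // full trace goes to the log
        http_response_code(500);
        echo 'Something went wrong.';     // no class names, paths or SQL to the browser
    });
}

// --- 5. CSRF token: generate once per session, compare with hash_equals ----
function csrfToken(): string {
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}
function csrfValid(?string $submitted): bool {
    return is_string($submitted)
        && isset($_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], $submitted);
}

// --- 6. Uploads: sniff the bytes, randomise the name, drop the exec bit ----
// Pattern to search for: $_FILES[...]['type'], $_FILES[...]['name'] used in paths.
function storeUpload(array $file, string $dir): string {
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('bad upload');
    }
    $allowed = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'application/pdf' => 'pdf'];
    // finfo reads the magic bytes; $file['type'] is whatever the client claimed.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset($allowed[$mime])) {
        throw new RuntimeException('unsupported file type');
    }
    // Server-chosen name and extension: the client's filename never touches the path.
    $dest = rtrim($dir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644); // readable, never executable
    return $dest;
}
```

The `listUsers()` case is the one worth re-reading: a code base can use prepared statements everywhere and still be injectable through a single `ORDER BY $sort` or `SELECT $cols`, because PDO cannot bind identifiers. The same review should look for the reverse of `storeUpload()`: any path built from `$_FILES[...]['name']` or any check that trusts `$_FILES[...]['type']`.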

------
paktek123
- will the app be storing users' details?

- is the app using any vulnerable packages?

- will the app be displaying secure content?

- look at what information is in the logs

Just some off top of my head.

~~~
dlphii
Thanks. And if you are given a big piece of source code, and no static/dynamic
tools are allowed, only manual review, what should you look at first (PHP-based
site, authentication for users, online payment, very dynamic website)?

~~~
paktek123
I'd start with the basics:

- are any secrets/credentials visible in plain text?

- how is input handled (escaping HTML etc.)?

- how are headers and cookies being handled, if any?
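The last two points (secrets in plain text, headers and cookies) as an added example, not code from the original thread. It assumes PHP 7.3 or later for the array form of `session_set_cookie_params()` and that the app is served over HTTPS; the header values and the cookie name pattern are illustrative choices, not a standard.

```php
<?php
declare(strict_types=1);

// --- Secrets: pulled from the environment, never literals in the tree -----
// Pattern to search for during review: "password" => ', DB_PASS = ', api_key=, .env committed to git.
function requiredEnv(string $name): string {
    $v = getenv($name);
    if ($v === false || $v === '') {
        throw new RuntimeException("missing required setting $name");
    }
    return $v;
}
function dbConnection(): PDO {
    $dsn = requiredEnv('DB_DSN');               // e.g. mysql:host=db;dbname=shop
    return new PDO($dsn, requiredEnv('DB_USER'), requiredEnv('DB_PASS'), [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,   // real server-side prepares
    ]);
}

// --- Session cookie: attributes that stop the common cookie attacks --------
function hardenSession(): void {
    ini_set('session.use_strict_mode', '1');   // reject ids the server never issued (fixation)
    ini_set('session.use_only_cookies', '1');  // never accept ids from the query string
    session_set_cookie_params([
        'lifetime' => 0,        // session cookie, gone when the browser closes
        'path'     => '/',
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // invisible to document.cookie
        'samesite' => 'Lax',    // not attached to cross-site POSTs
    ]);
    session_start();
}
// Call after login so the pre-auth session id is never upgraded to an authenticated one.
function rotateSessionAfterLogin(int $userId): void {
    session_regenerate_id(true);
    $_SESSION['uid'] = $userId;
}

// --- Response headers: the set a reviewer expects to see on every page ----
function securityHeaders(): array {
    return [
        'Content-Security-Policy'   => "default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'",
        'Strict-Transport-Security' => 'max-age=31536000; includeSubDomains',
        'X-Content-Type-Options'    => 'nosniff',
        'X-Frame-Options'           => 'DENY',
        'Referrer-Policy'           => 'strict-origin-when-cross-origin',
        'Cache-Control'             => 'no-store', // authenticated pages must not land in shared caches
    ];
}
function sendSecurityHeaders(): void {
    foreach (securityHeaders() as $name => $value) {
        header("$name: $value");
    }
}

// --- Inbound headers and cookies are input too -----------------------------
// Pattern to search for: $_SERVER['HTTP_HOST'] in links/redirects, $_COOKIE[...] echoed or unserialized.
function cookieValue(string $name, int $maxLen = 128): ?string {
    $v = $_COOKIE[$name] ?? null;
    if (!is_string($v) || !preg_match('/\A[A-Za-z0-9_-]{1,' . $maxLen . '}\z/', $v)) {
        return null; // wrong shape: treat as absent rather than trying to clean it
    }
    return $v;
}
// Build absolute URLs from configuration, not from the Host header the client sent.
function absoluteUrl(string $path): string {
    return rtrim(requiredEnv('APP_BASE_URL'), '/') . '/' . ltrim($path, '/');
}
```

`hardenSession()` and `sendSecurityHeaders()` belong in the single front controller so the review question becomes "is every request routed through it?" rather than "did every page remember?". The `absoluteUrl()` helper is there because a `$_SERVER['HTTP_HOST']`-based link in a password-reset mail is the classic way header handling turns into account takeover.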

