OWASP Top Ten: What you need to know


If you’re concerned about application security and how to write more secure code, then you’ve probably heard of the Open Web Application Security Project (OWASP). Developers use the OWASP Top 10 list of common and exploitable security vulnerabilities to protect their applications and users. The list is based on over five hundred thousand vulnerabilities and is referenced by many standards, books, and organizations, including NIST, DISA and the World Wide Web Consortium (W3C).

Let’s look at a popular vulnerability on OWASP’s Top 10 list to learn what it means for PHP.

A3 – Cross-Site Scripting (XSS)

The most common type of security flaw in web applications is cross-site scripting. XSS occurs when unvalidated user data is sent to a client’s browser without being escaped, allowing an attacker to execute malicious activities. There are two main types of XSS attack: “stored” attacks persist on the server for later distribution, and “reflected” attacks are initiated through data provided by the web client.

Here’s an example:

If this was a form, an attacker could submit the following to generate a popup in the browser:

This is a pretty benign issue but take a look at this code:

If this input was submitted, an attacker could steal a cookie from an authenticated user by passing the cookie’s contents to the evil.php script for malicious use.

Some things you can do to protect against this type of attack:

  • Get user input directly from the correct location ($_POST, $_GET, etc.) and filter the input:

  • For output, escape data to prevent browsers from applying meaning to sequences of special characters (e.g., use htmlspecialchars())
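The two points above, as an added PHP example that is not part of the original post: the unsafe pattern the article describes next to a hardened version (function names and sample inputs are constructed for illustration; mbstring is assumed to be available).

```php
<?php
// Added example, not code from the original post. Function names and the
// sample request values below are constructed for illustration.
declare(strict_types=1);

// VULNERABLE: copies request data straight into the HTML response, so a value
// containing markup is interpreted by the browser instead of shown as text.
function greetUnsafe(array $get): string
{
    $name = $get['name'] ?? 'guest';
    return '<p>Hello, ' . $name . '</p>'
         . '<input type="text" name="name" value="' . $name . '">';
}

// HARDENED: read from the expected location, filter on input, escape on output.
function greetSafe(array $get): string
{
    // Input: accept only a string under the expected key, strip control
    // characters and cap the length. This is validation; the XSS fix is below.
    $raw  = is_string($get['name'] ?? null) ? $get['name'] : 'guest';
    $name = mb_substr(filter_var(trim($raw), FILTER_UNSAFE_RAW, FILTER_FLAG_STRIP_LOW), 0, 64);

    // Output: escape for the HTML context. ENT_QUOTES also encodes ' and ",
    // which is required when the value lands inside an attribute as below.
    // ENT_SUBSTITUTE keeps invalid UTF-8 from silently yielding an empty string.
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<p>Hello, ' . $safe . '</p>'
         . '<input type="text" name="name" value="' . $safe . '">';
}

// Defence in depth for the cookie-theft scenario described above: a session
// cookie flagged HttpOnly is not readable by script in the page.
ini_set('session.cookie_httponly', '1');

// Constructed sample values: the popup payload from the article, and an
// ordinary name containing quote characters.
$samples = [
    ['name' => '<script>alert(1)</script>'],
    ['name' => 'O\'Brien "Bob"'],
];

foreach ($samples as $request) {
    echo "Unsafe: ", greetUnsafe($request), "\n";
    echo "Safe:   ", greetSafe($request), "\n\n";
}
```

Run it from the command line to compare the two renderings: in the safe output the script tag appears as `&lt;script&gt;` and the quotes as `&quot;` and `&apos;`, so the browser displays them as text.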

Now here’s an example for you – how would you close the security hole here?

This is from our PHP security training course, covering OWASP, best practice security measures, and ways to identify the most common vulnerabilities.

If you’re looking to boost your secure coding skills, right now we’re offering 25% off our security course for anyone, including teams. This expires at the end of the month so register now to start creating more secure apps!


    About Roy Sarkar

    Roy figured that the best way to learn something is to try and explain it to someone else. After years of explaining things while standing up, he decided the better approach was to do it while sitting down. Beside a poster of a famous starship. Learning from projects in defense, mobile, and game development, Roy figured out one more thing: real code isn't dead but it could be made better.