http://wiki.hashphp.org/index.php?title=Security&feed=atom&action=history
Security - Revision history
2024-03-28T11:45:32Z
Revision history for this page on the wiki
MediaWiki 1.25.3
http://wiki.hashphp.org/index.php?title=Security&diff=278&oldid=prev
TML: removed a reference to tarsnap's scrypt - it's a completely unproven (and highly suspect, IMO) algorithm
2011-07-27T04:29:23Z
<table class='diff diff-contentalign-left'>
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr style='vertical-align: top;'>
<td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 04:29, 27 July 2011</td>
</tr><tr><td colspan="2" class="diff-lineno" id="L5" >Line 5:</td>
<td colspan="2" class="diff-lineno">Line 5:</td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>Never trust user input (cookies are user input too!).</div></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>Never trust user input (cookies are user input too!).</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Hash passwords using salt to prevent rainbow attacks. Use a slow hashing algorithm, such as <del class="diffchange diffchange-inline">bcrypt </del>(time tested) <del class="diffchange diffchange-inline">or scrypt (even stronger, but newer) ([http://www.tarsnap.com/scrypt.html 1], [http://it.slashdot.org/comments.pl?sid=1987632&amp;cid=35149842 2]), </del>for storing passwords. ([http://codahale.com/how-to-safely-store-a-password/ How To Safely Store A Password])</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Hash passwords using salt to prevent rainbow attacks. Use a slow hashing algorithm, such as <ins class="diffchange diffchange-inline">blowfish</ins>(time tested) for storing passwords. ([http://codahale.com/how-to-safely-store-a-password/ How To Safely Store A Password])</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>Don't try to come up with your own fancy authentication system: it's such an easy thing to get wrong in subtle and untestable ways and you wouldn't even know it until <em>after</em> you're hacked.</div></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>Don't try to come up with your own fancy authentication system: it's such an easy thing to get wrong in subtle and untestable ways and you wouldn't even know it until <em>after</em> you're hacked.</div></td></tr>
</table>
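Review bot: the inserted text `blowfish(time tested)` drops the space that the deleted `bcrypt (time tested)` had before the parenthesis, and "blowfish" names the block cipher rather than a password hash; the slow, salted hash built on it is bcrypt (what PHP's crypt() exposes as CRYPT_BLOWFISH). Keep `bcrypt (time tested)` and delete only the scrypt clause if that is the intent of this revision.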
TML
http://wiki.hashphp.org/index.php?title=Security&diff=277&oldid=prev
TML at 04:27, 27 July 2011
2011-07-27T04:27:35Z
<table class='diff diff-contentalign-left'>
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr style='vertical-align: top;'>
<td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 04:27, 27 July 2011</td>
</tr><tr><td colspan="2" class="diff-lineno" id="L28" >Line 28:</td>
<td colspan="2" class="diff-lineno">Line 28:</td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>Read [http://amzn.com/0470170778 The Web Application Hacker's Handbook].</div></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>Read [http://amzn.com/0470170778 The Web Application Hacker's Handbook].</div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"></ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"></ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">===Notes===</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">{{Reflist}}</ins></div></td></tr>
</table>
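Review bot: the added `===Notes===` / `{{Reflist}}` section renders as an empty heading unless the page contains `<ref>` tags; the citations on this page are inline external links (e.g. `[http://codahale.com/how-to-safely-store-a-password/ How To Safely Store A Password]`), so either convert those to `<ref>` footnotes in the same revision or leave the section out until there is something for it to list. One blank line before the heading is enough; the two added here only widen the gap.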
TML
http://wiki.hashphp.org/index.php?title=Security&diff=5&oldid=prev
Caffinated: Imported initial security page
2011-07-26T07:37:57Z
<p><b>New page</b></p><div>It's a lot to digest but the [http://www.owasp.org/index.php/Category%3aOWASP_Guide_Project OWASP development guide] covers Web Site security from top to bottom.<br />
<br />
Know about [http://en.wikipedia.org/wiki/SQL_injection SQL injection] and how to prevent it.<br />
<br />
Never trust user input (cookies are user input too!).<br />
<br />
Hash passwords using salt to prevent rainbow attacks. Use a slow hashing algorithm, such as bcrypt (time tested) or scrypt (even stronger, but newer) ([http://www.tarsnap.com/scrypt.html 1], [http://it.slashdot.org/comments.pl?sid=1987632&amp;cid=35149842 2]), for storing passwords. ([http://codahale.com/how-to-safely-store-a-password/ How To Safely Store A Password])<br />
<br />
Don't try to come up with your own fancy authentication system: it's such an easy thing to get wrong in subtle and untestable ways and you wouldn't even know it until <em>after</em> you're hacked.<br />
<br />
Know the [https://www.pcisecuritystandards.org/ rules for processing credit cards]. ([http://stackoverflow.com/questions/51094/payment-processors-what-do-i-need-to-know-if-i-want-to-accept-credit-cards-on-m See this question as well])<br />
<br />
Use [http://www.mozilla.org/projects/security/pki/nss/ssl/draft302.txt SSL], [http://en.wikipedia.org/wiki/Https HTTPS] for login and any pages where sensitive data is entered (like credit card info).<br />
<br />
How to resist session hijacking.<br />
<br />
Avoid [http://en.wikipedia.org/wiki/Cross-site_scripting cross site scripting] (XSS).<br />
<br />
Avoid [http://en.wikipedia.org/wiki/Cross-site_request_forgery cross site request forgeries] (XSRF).<br />
<br />
Keep your system(s) up to date with the latest patches.<br />
<br />
Make sure your database connection information is secured.<br />
<br />
Keep yourself informed about the latest attack techniques and vulnerabilities affecting your platform.<br />
<br />
Read [http://code.google.com/p/browsersec/wiki/Main The Google Browser Security Handbook].<br />
<br />
Read [http://amzn.com/0470170778 The Web Application Hacker's Handbook].</div>
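Review bot: "How to resist session hijacking." is a bare fragment, unlike every other item, which either states the advice or links a reference; either add a link or state the guidance (regenerate the session id after login and on privilege change, mark session cookies HttpOnly and Secure, and serve the session only over HTTPS, which ties in with the SSL/HTTPS item below). Also "rainbow attacks" should read "rainbow table attacks", and the item already says the salt is what defeats them, so that sentence can stay as is otherwise.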
Caffinated