[PLUG] Preventing Probes Like This

Tim tim-pdxlug at sentinelchicken.org
Mon Aug 25 17:21:32 UTC 2008


Hi Bill,

> But apparently just using php for web pages is 
> sort of like giving a monkey the keys to the banana plantation.

Yes, exactly.

> Hackers are like mosquitoes; we'll never get rid of them, they'll suck 
> you dry if they can, and I guess if you want to play on the 'net, you've 
> got to expect to have to defend yourself. I suppose if somebody wrote a 
> book on the many ways that systems can be hacked, it would just breed 
> more kiddies and not enough newbies would read it before they got hacked.

Those books are already out there and you are right, far too few
programmers read into these things.  Consider checking out owasp.org for
some free secure programming advice.

It is possible to write a secure PHP app that does complicated things.
Don't get me wrong.  I was a PHP developer for a number of years.
The problem with it, as I see it, is that nearly every interface and API
built into the language is insecure by default... the easiest way to use
it is the unsafe way.  You have to put extra effort in to make it
secure, which means newbies invariably mess it up.  The plethora of
"helpful" suggestions by random users on the PHP manual websites doesn't
help either, since fully 2/3rds of them are complete crap.

Other platforms have a more secure-by-default mentality where the
easiest way to use an API also happens to be the secure way. 

If you're not an aspiring security nerd and don't want to have to learn
about every type of vulnerability under the sun, I strongly suggest
trying out other open source web development platforms.  Java/J2EE stuff
is a good way to go if you want to build a solid app and don't mind
taking your time doing it.  You'd definitely want to use a data
validation framework, such as Struts, with this.

I personally use mod_python for quite a bit of stuff, but it's not the
easiest to get started with either since you probably will want to write
your own handler and page templating. 

Ruby on Rails is popular, though I'm not very familiar with it.

> Oh well, I suppose it's just one more brick in the wall... I guess I'll 
> amend that redirect trick and block any attempt at using index.php with 
> a '?' after it.

Once again, that's just a band-aid.  Use it until you make your app
secure, but don't make a habit of it.

HTH,
tim
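An added illustration of the "insecure by default" point made above (this is example code, not part of Tim's post): the shortest way to echo a request parameter in PHP emits it unescaped, the safe form needs an extra call at every output site, and a hypothetical secure-by-default template helper shows the contrast where the lazy path is the safe one. The request value is constructed.

```php
<?php
// Added example, not code from the original post. The request value is
// constructed to show how markup in input reaches the response.
$request = ['name' => '<script>alert(1)</script>'];

// The easiest way to put a parameter on the page: no escaping, so any
// markup in the input lands in the HTML unchanged.
function greet_unsafe(array $params): string
{
    return "Hello, " . ($params['name'] ?? '');
}

// Hardened form: correct only if every developer remembers the extra
// call on every output site, which is the effort the message describes.
function greet_safe(array $params): string
{
    $name = htmlspecialchars($params['name'] ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "Hello, " . $name;
}

// Secure-by-default alternative (hypothetical helper, modelled on how
// auto-escaping template engines behave): every substituted value is
// escaped unless the caller wraps it in Raw to opt out explicitly.
final class Raw
{
    public function __construct(public string $html) {}
}

function render(string $template, array $vars): string
{
    return preg_replace_callback('/\{\{\s*(\w+)\s*\}\}/', function ($m) use ($vars) {
        $value = $vars[$m[1]] ?? '';
        if ($value instanceof Raw) {
            return $value->html;   // explicit opt-out is the only unescaped path
        }
        return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }, $template);
}

echo greet_unsafe($request), "\n";                  // script tag passes through
echo greet_safe($request), "\n";                    // entities instead of markup
echo render("Hello, {{ name }}", $request), "\n";   // escaped with no extra effort
```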


