Thread: PHP Security API

  1. #1
    Join Date
    Mar 2007

    PHP Security API

    I am looking for a good PHP security API that I can use to help prevent XSS. I have found the OWASP ESAPI. The problem with OWASP ESAPI is that it doesn't have good documentation, and I think it may be way over the top: it is about 20 MB of files. I couldn't even really try it, because the installation instructions are out of date and I couldn't get it to work.

    Does anyone have any suggestions of a good PHP security API?
    "Hippies.They're everywhere. They wanna save the earth, but all they do is smoke pot and smell bad."-Cartman

  2. #2
    Join Date
    Jul 2010
    There are a LOT more attack vectors than XSS.

    There is no "tool" or API that can be substituted for experience. I encourage you to take a proactive approach and attack someone else's site (WITH THEIR PERMISSION FIRST!). Once you learn the attack vectors for XSS, go back and audit your own code. htmlentities() is a very simple countermeasure in most cases. Don't just use one layer of security. If someone gets your database credentials, they can easily launch stored XSS attacks if you don't validate that data.

    That being said, there are some tools. "XSS Me" is an add-on for Firefox; it was included in the BackTrack 3 OS, so I doubt it is junk. I have also heard great things about OWASP in academic circles, but not in the past 2 years. If you get it to work, please post back with some results.

  3. #3
    Join Date
    Mar 2010
    Proper sanitization and filtering of ANY POSSIBLE user input stops the majority of attacks that most sites run up against. Possible user input means anything that a user can possibly alter (obvious ones being GET, POST, and COOKIE values). XSS can be partially prevented using whitelist filtering (say what the data can be, like an int only) or blacklist filtering (if your users aren't entering code you can filter <>'"`$%... etc. out), and then simply using htmlentities() takes the remaining data and prevents it from being interpreted as code.
    But I agree with eval here, no API can truly protect you from these security issues. You should design your application from the ground up to resist such attacks with different layers of security.
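The two replies above describe the same layered approach: whitelist-validate input where its shape is known (post #3), and encode everything at output time with htmlentities(), including data read back from the database, so that a stored payload cannot become stored XSS (post #2). The following is an added example written for this page, not code from the thread or from OWASP ESAPI; the filter functions, the `h()` helper, the sample request arrays and the stored comment are all constructed here for illustration.

```php
<?php
// Added example: whitelist input validation plus output encoding in plain PHP.
// Nothing here is from the thread; the functions and sample data are constructed.
declare(strict_types=1);

// Whitelist filter: accept only an integer within [$min, $max].
// Returns null on anything else so the caller can reject the request.
function filterInt($value, int $min = 0, int $max = PHP_INT_MAX): ?int
{
    $result = filter_var($value, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    return $result === false ? null : $result;
}

// Whitelist filter for a username: letters, digits and underscore only, 1-32 chars.
// \A and \z anchor the whole string so a trailing newline cannot slip through.
function filterUsername($value): ?string
{
    if (!is_string($value) || !preg_match('/\A[A-Za-z0-9_]{1,32}\z/', $value)) {
        return null;
    }
    return $value;
}

// Output encoding, the last layer. ENT_QUOTES also encodes ' and ", so the
// result is safe inside quoted attributes as well as in element content;
// ENT_SUBSTITUTE prevents invalid UTF-8 from producing an empty string.
function h(string $text): string
{
    return htmlentities($text, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample input standing in for $_GET / $_POST: one benign, one hostile.
$benign  = ['page' => '3',        'user' => 'alice_42'];
$hostile = ['page' => '3 OR 1=1', 'user' => '<script>alert(1)</script>'];

// Constructed row "read back from the database"; assume the attacker already
// wrote it there directly (post #2's point: encode DB data too, don't trust it).
$storedComment = '<img src=x onerror="alert(document.cookie)">';

foreach ([$benign, $hostile] as $input) {
    $page = filterInt($input['page'] ?? null, 1, 1000);
    $user = filterUsername($input['user'] ?? null);
    if ($page === null || $user === null) {
        // Reject rather than "clean up": a blacklist would have to guess every
        // encoding trick, a whitelist only has to describe the valid shape.
        echo 'rejected: ' . h(var_export($input, true)) . "\n";
        continue;
    }
    echo "accepted: page={$page} user=" . h($user) . "\n";
}

// Free-text fields cannot be whitelisted to a shape, so they rely entirely on
// the output layer: the stored payload is rendered as text, not executed.
echo '<p class="comment">' . h($storedComment) . "</p>\n";
```

One caveat a practitioner would add: htmlentities() only covers the HTML element and attribute contexts. Data written into an inline `<script>` block, a URL, or a CSS value needs the encoding appropriate to that context, which is the part of the problem that libraries such as ESAPI try to package and that a single function cannot.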
