Security in the mkframework

Introduction

Security is an important point to be aware of when you develop a public website, which may be the target of hackers.
To protect yourself against the most common flaws (XSS, XSRF, SQL injection...) there are some best practices.
Having worked for years with a security company which audits some of my applications, I have corrected the framework and added security checks to the mkframework, to offer you a framework that is as secure as possible.

About the Xss/Css/null byte

XSS flaws consist of using a web parameter (GET/POST...) to modify the website. The mkframework provides you with the method _root::getParam() to use in place of the globals $_GET and $_POST.
This method filters the input to protect against XSS attacks and also against null byte attacks.



$id=_root::getParam('id'); //in place of $id=$_GET['id'];
//idem for POST
$titre=_root::getParam('titre'); //in place of $titre=$_POST['titre'];




More information on XSS/CSS: http://fr.wikipedia.org/wiki/Cross-site_scripting


About Xsrf/Csrf

XSRF is more complex: it consists of submitting a web request on behalf of another user. To protect you, the mkframework provides a plugin: plugin_xsrf.
This plugin generates a token and can check its validity on demand.

note: you can reinforce this protection by enabling the variable "xsrf.session.enabled=1" in the [security] section of the configuration file conf/site.ini.php
This feature needs an open session (the token is saved in the session to check its uniqueness)

note 2: remember to modify the salt which is set in the constructor of the plugin plugin_xsrf
Fill it with a unique value:


public function plugin_xsrf(){
   $this->sSalt='fdsfhoyu679hjfdsAfef'; //replace this default with your own unique value
   (...)
}




Tutorial here http://mkdevs.com/tutoriaux.html#token

More information about XSRF/CSRF: http://fr.wikipedia.org/wiki/Cross-site_request_forgery


About SQL injection

It means using a normal query to achieve a different goal (retrieve credentials, update data in the database...)
The mkframework uses the "prepared statements" of PDO to protect you from these flaws.



//for a query which gets an author by id; the value is bound to the ? placeholder, never concatenated
public function findById($id){
   return $this->findOne('SELECT * FROM auteur WHERE id=?',$id);
}




More information on SQL injection: http://fr.wikipedia.org/wiki/Injection_SQL

Best practices not implemented in the framework: it is the developer's job

Disable auto-completion on identification fields

We recommend you to use the attribute autocomplete="off" on your input fields


  
<input autocomplete="off" name="user" />
    




Manage bad authentication

To protect you from "brute force attacks", you have to limit this kind of attack:
- block an account after N failed attempts
- suspend an account for a defined time (and force the user to wait)
- add a Captcha after a failure; it limits "brute force" robots
- depending on the number of failures per minute, ban the IP address
note: beware of the account block, it can be used for a DDOS attack (an attacker can loop over every account and block all of them)

More information about DDOS: http://fr.wikipedia.org/wiki/Attaque_par_d%C3%A9ni_de_service
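The failed-authentication measures above, as an added PHP example that is not part of mkframework: the loginGuard class, its in-memory storage array and the login/IP values are assumptions, and a real site would keep the counters in a database table or a shared cache.

```php
<?php
// Added example, not mkframework code: implements the "suspend for a defined
// time" and "per-IP" measures above. The in-memory array is a stand-in for a
// database table or shared cache (assumption: replace it in a real site).
class loginGuard {
    private $aStore = array();   // key => array('fails' => int, 'until' => timestamp)
    private $iMaxFails;          // failures allowed before a suspension
    private $iSuspend;           // suspension length in seconds

    public function __construct($iMaxFails = 5, $iSuspend = 300) {
        $this->iMaxFails = $iMaxFails;
        $this->iSuspend  = $iSuspend;
    }
    // true while the account or the IP is suspended
    public function isSuspended($sKey, $iNow) {
        return isset($this->aStore[$sKey]) && $this->aStore[$sKey]['until'] > $iNow;
    }
    // ask for a captcha as soon as one failure has been recorded
    public function needsCaptcha($sKey) {
        return isset($this->aStore[$sKey]) && $this->aStore[$sKey]['fails'] > 0;
    }
    // record one failure; returns true when this failure starts a suspension
    public function recordFailure($sKey, $iNow) {
        if (!isset($this->aStore[$sKey])) {
            $this->aStore[$sKey] = array('fails' => 0, 'until' => 0);
        }
        $this->aStore[$sKey]['fails']++;
        if ($this->aStore[$sKey]['fails'] < $this->iMaxFails) {
            return false;
        }
        // temporary suspension, never a permanent block: a permanent block would
        // let someone lock every account by looping over the login names (see note)
        $this->aStore[$sKey]['until'] = $iNow + $this->iSuspend;
        $this->aStore[$sKey]['fails'] = 0;
        return true;
    }
    // a successful login clears the counters for that key
    public function recordSuccess($sKey) {
        unset($this->aStore[$sKey]);
    }
}

// in the login action: check the account and the client IP before the password
$oGuard = new loginGuard(5, 300);
$sLogin = 'alice';       // constructed; in mkframework use _root::getParam('login')
$sIp    = '192.0.2.10';  // constructed; in practice $_SERVER['REMOTE_ADDR']
if ($oGuard->isSuspended('user:'.$sLogin, time()) || $oGuard->isSuspended('ip:'.$sIp, time())) {
    echo "Too many failed attempts, please wait before trying again\n";
}
```

Call recordFailure() with the same 'user:' and 'ip:' keys after each wrong password and recordSuccess() after a correct one; needsCaptcha() tells the login form when to display the Captcha.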

Conclusion

As you can read, I continue to take an interest in security and to update the framework.