Security in the mkframework
Introduction
Security is an important point to be aware of when you develop a public website, which will be the target of some hackers. To protect yourself against the most important flaws (XSS, XSRF, SQL injection...) there are some best practices.
Working for many years with a security company that checks some of my applications, I have corrected the framework and added some security checks to the mkframework, to offer you the most secure framework possible.
About the Xss/Css/null byte
XSS flaws consist of using a web parameter (GET/POST...) to modify the website. The mkframework provides the method _root::getParam() in place of the globals $_GET and $_POST. This method filters the entries to protect you against XSS attacks but also against null byte attacks.
$id=_root::getParam('id'); //in place of $id=$_GET['id'];
//idem for POST: the same method reads the filtered POST parameter
$titre=_root::getParam('titre'); //in place of $titre=$_POST['titre'];
More information on XSS: http://fr.wikipedia.org/wiki/Cross-site_scripting
About Xsrf/Csrf
XSRF is more complex: it consists of submitting a web request on behalf of another user. To protect you, the mkframework provides a plugin, plugin_xsrf. This plugin generates a token and can check its validity on demand.
note: you can enforce this security by activating the variable "xsrf.session.enabled=1" in the [security] section of the configuration file conf/site.ini.php
This feature needs an open session (the token is saved in the session to check its uniqueness).
note 2: remember to modify the salt which is filled in the constructor of the plugin plugin_xsrf
Fill it with a unique value:
public function plugin_xsrf(){
    $this->sSalt='fdsfhoyu679hjfdsAfef'; //replace this default salt with your own unique value
    (...)
}
Tutorial here: http://mkdevs.com/tutoriaux.html#token
More information about XSRF/CSRF: http://fr.wikipedia.org/wiki/Cross-site_request_forgery
About SQL injection
It means using a normal query to achieve a different goal (retrieving credentials, updating data in the database...). The mkframework uses PDO "prepared statements" to protect you from these flaws.
//for a query which gets an author by id: the value is bound as a parameter, never concatenated into the SQL
public function findById($id){
    return $this->findOne('SELECT * FROM auteur WHERE id=?',$id);
}
More information on SQL injection: http://fr.wikipedia.org/wiki/Injection_SQL
Best practices not implemented in the framework: they are the developer's job
Disable auto-completion on identification fields
We recommend you use the attribute autocomplete="off" on your input fields
<input autocomplete="off" name="user" />
Manage bad authentication
To protect yourself from "brute force attacks", you have to limit this kind of attack:
- block an account if it fails N tries
- suspend an account for a defined time (and force the user to wait)
- add a Captcha after a failure; it will limit "brute force" robots
- depending on the number of failures per minute: forbid the IP address
note: beware of the account block, it can be used for a DDoS attack (they can loop over every account and block all accounts)
More information about DDoS: http://fr.wikipedia.org/wiki/Attaque_par_d%C3%A9ni_de_service
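As an added example (not code from the mkframework), here is one way to implement the "suspend an account for a defined time" rule while avoiding the account-block DDoS problem from the note: the counter is keyed on the account and the client IP together and the suspension expires on its own. The class name, the limits and the array store are assumptions for the demonstration.

```php
<?php
// Added example, not part of the mkframework: suspend logins for a while after
// N failures. The array store is for demonstration; use a shared DB table/cache.
class LoginThrottle
{
    const MAX_ATTEMPTS    = 3;    // failures allowed before suspension
    const SUSPEND_SECONDS = 300;  // length of the suspension (5 minutes)
    private $failures = [];       // "user|ip" => [failureCount, lastFailureTime]

    // Keyed on account AND client IP, and the suspension expires by itself, so
    // someone looping over every account only locks out his own address for a
    // few minutes instead of blocking every real user (the DDoS note above).
    private function key($user, $ip)
    {
        return $user . '|' . $ip;
    }

    // Call before checking the password.
    public function isSuspended($user, $ip, $now)
    {
        $k = $this->key($user, $ip);
        if (!isset($this->failures[$k])) { return false; }
        list($count, $last) = $this->failures[$k];
        if ($count < self::MAX_ATTEMPTS) { return false; }
        if ($now - $last >= self::SUSPEND_SECONDS) {
            unset($this->failures[$k]);   // suspension has expired
            return false;
        }
        return true;
    }
    // Call after a wrong password.
    public function recordFailure($user, $ip, $now)
    {
        $k = $this->key($user, $ip);
        $count = isset($this->failures[$k]) ? $this->failures[$k][0] : 0;
        $this->failures[$k] = [$count + 1, $now];
    }
    // Call after a correct password: the counter restarts from zero.
    public function recordSuccess($user, $ip)
    {
        unset($this->failures[$this->key($user, $ip)]);
    }
}
$t   = new LoginThrottle();
$now = time();
for ($i = 0; $i < 3; $i++) { $t->recordFailure('alice', '203.0.113.7', $now); }
var_dump($t->isSuspended('alice', '203.0.113.7', $now));        // same address: suspended
var_dump($t->isSuspended('alice', '198.51.100.9', $now));       // other address: allowed
var_dump($t->isSuspended('alice', '203.0.113.7', $now + 301));  // after expiry: allowed
```

Keying on the IP alone is not enough against a distributed attacker, so combine this with the Captcha rule above once an account has seen several suspensions.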