7

Doing a talk on 'Security in PHP' and live demo on web attacks and safeguard tips this Saturday. Any tips fellow Ranters...?

Comments
  • 3
    Just curious. What kind of topics are you going to cover?
  • 2
    Will it be broadcast publicly? Sounds interesting.
  • 0
    I know the complete solution but you won't like it...
  • 4
    Use password_hash mcrypt with the highest cost that your server can run under 0.1 seconds. Write a rehash script that will change the cost on login, just in case you get bigger servers later on.

    If you use sessions, always drop the session used to log in and create a new one to prevent session fixation attacks.

    Time-based one-time passwords should be optional but offered.

    Implement an incremental failed-login delay for IP, account, and TOTP if enabled. Most likely in this order: 3 incorrect, 5 minutes; 5 incorrect, 30 minutes; 10 incorrect, 2 hours.

    Store a fingerprint of the browser/OS when they log in, where if it changes they will have to re-login.

    Redirect to HTTPS.

    With all of this you should have a very secure PHP application; the only attack vectors at this point would be incorrect file permissions or an exploit in the server itself.
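The hashing, rehash-on-login, incremental lockout and session steps from the comment above, as an added PHP example that is not code from this thread; the 0.1 s budget and the 3/5/10 failure thresholds come from the comment, the function names are assumed, and `onSuccessfulLogin` assumes `session_start()` has already been called.

```php
<?php
// Added example, not from the thread; function names are assumed.
// Find the highest bcrypt cost whose single hash still finishes under the
// 0.1 s budget the comment suggests (run once per server, not per request).
function calibrateBcryptCost(float $budgetSeconds = 0.1, int $min = 10, int $max = 31): int
{
    $cost = $min;
    while ($cost <= $max) {
        $start = microtime(true);
        password_hash('calibration-only', PASSWORD_BCRYPT, ['cost' => $cost]);
        if (microtime(true) - $start >= $budgetSeconds) {
            break;
        }
        $cost++;
    }
    return max($min, $cost - 1); // last cost that stayed under budget
}

// Verify a login and, if the stored hash uses a lower cost than the current
// target, return a fresh hash so the caller can store it ("rehash on login").
function verifyAndRehash(string $password, string $storedHash, int $targetCost): array
{
    if (!password_verify($password, $storedHash)) {
        return ['ok' => false, 'newHash' => null];
    }
    $newHash = null;
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => $targetCost])) {
        $newHash = password_hash($password, PASSWORD_BCRYPT, ['cost' => $targetCost]);
    }
    return ['ok' => true, 'newHash' => $newHash];
}

// Incremental delay from the comment: 3 failures -> 5 min, 5 -> 30 min, 10 -> 2 h.
// Apply it separately to the per-IP, per-account and per-TOTP failure counters.
function lockoutSeconds(int $failures): int
{
    if ($failures >= 10) { return 2 * 3600; }
    if ($failures >= 5)  { return 30 * 60; }
    if ($failures >= 3)  { return 5 * 60; }
    return 0;
}

// After a successful login: drop the pre-login session id (session fixation)
// and record a browser/OS fingerprint to compare on later requests.
function onSuccessfulLogin(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['uid'] = $userId;
    $_SESSION['client_fp'] = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}
```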
  • 0
    @jckimble that should be most of it, besides the obvious input sanitization
  • 2
    @jckimble or just silly xss as it already is with php
  • 1
    @lig1 yeah I was going on the road of pure php but you can go as far as setting cors headers, ssl cert fingerprint, etc. really I could come up with a 5 hour talk on security from the ground up with php but I doubt anybody would want to give it much less sit through it
  • 1
    @supernova @jumpshot44
    I am part of the Null community for security experts. Topics are SQL injection, CSRF, brute force, PHP code embedded in image vulnerability, etc. It won't be broadcast online, but you can download the ppt from here
    https://null.co.in/events/...
    The event is on the 8th, so they will upload the ppt by the 9th or 10th of October.
  • 0
    @playmast3r sounds like what I replied covers most of that. As for embedded PHP code in an image: use PHP GD functions to redraw the uploaded image to get rid of the extra crap. But you probably already knew that, with you being a Null community security expert.
  • 0
    @jckimble the learning never stops. Thanks for advice and suggestions...
  • 1
    @playmast3r yeah, there's always something new to learn in this field; if there wasn't, my ADHD would have kicked in and made me change fields by now. But just a quick tip to pass along: write secure code first. If you think you will go back to add security later, you won't do it. I'm security conscious to the paranoid level, but I see it as: if a client is using something I wrote, I should at least make sure on my end I did everything I could to make sure their info doesn't get to the wrong people.
  • 1
    Tell them an attack is inevitable, pull out your hair and run out screaming. Lol
    Seriously you can draft out something from codeigniter https://codeigniter.com/userguide3/...
  • 1
    @devjoe hahaha.... They will ban me from the community. But I have said something similar in the conclusion: that no matter how secure your system is, users/humans are the weakest link in your security, susceptible to phishing and social engineering attacks...