How secure is laravel 5.1?


Question

After reading about SQL injection I wonder how secure it is to create apps in Laravel and how to test if your security meets today's standards?

Answer

I've developed a few Laravel applications and found them to be pretty secure in my eyes.

I ran a variety of penetration tests, OWASP ZAP scanner, sqlsus and 5+ tools including bbqsql and similar things for DB pen tests, nmap for port scanning, then switched ZAP to attack mode to perform various XSS and CSRFs and found no vulnerabilities from Laravel itself - just a couple of things from my server itself which I patched up.

It's important to say that no application is 100% secure as it depends a lot on how you do things.

However, Laravel does do a pretty good job out of the box by protecting you from:

  • SQL injection: if you use Eloquent queries these will keep you safe. But you will be vulnerable if you use DB::raw() queries as these can open you up to injection.

  • CSRF: Laravel takes care of this with CSRF tokens that it checks on each POST request, so make sure you use them. Essentially this protects you from someone changing the nature of the request, i.e. from POST to GET.

  • XSS: First sanitise user input. Variables are not escaped using the blade syntax {!! !!}, which resolves to <?= e($foo) ?> inside your HTML code, whereas {{ }} escapes the data.

This is a pretty short overview of Laravel security. Once you start opening yourself up with file uploads etc. it can be a little bit more tricky, as can doing unsafe things in PHP.

This article here might be an interesting read to go a little more in depth with the above.

In short, I've found Laravel to be secure from all the attacks I've ever run by using Eloquent and sanitising input where required, along with the correct use of blade syntax and the CSRF token.
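To make the three bullets in the answer concrete, here is an added example (not code from the original answer, and not Laravel's own code) of a Laravel 5.1 controller together with the Blade view it renders. It assumes a `users` table with `email` and `name` columns, an Eloquent `App\User` model, and the two routes listed in the opening comment; the `DB::raw()` variant the answer warns about is shown commented out next to the bound-parameter form that replaces it.

```php
<?php
// Added example, not code from the original answer or from Laravel itself.
// Assumed: a Laravel 5.1 app with a `users` table (columns `email`, `name`),
// an Eloquent model App\User, and these routes in app/Http/routes.php:
//   Route::get('users/search', 'UserLookupController@search');
//   Route::post('users/rename', 'UserLookupController@rename');

namespace App\Http\Controllers;

use App\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\DB;

class UserLookupController extends Controller
{
    // (1) SQL injection: bind values, never concatenate them into SQL text.
    public function search(Request $request)
    {
        $email = $request->input('email');

        // Safe: the query builder sends $email as a bound parameter.
        $user = User::where('email', $email)->first();

        // Also safe: raw SQL is fine as long as the value stays a binding.
        $rows = DB::select('select name from users where email = ?', [$email]);

        // Vulnerable (kept commented out): DB::raw() with string interpolation
        // makes the user's input part of the SQL statement itself, which is
        // the case the answer warns about.
        // $rows = DB::select(DB::raw("select name from users where email = '$email'"));

        return view('users.show', ['user' => $user, 'rows' => $rows]);
    }

    // (2) CSRF: the VerifyCsrfToken middleware registered in App\Http\Kernel
    // rejects this POST unless the request carries a valid _token, so the
    // action body needs no extra check of its own.
    public function rename(Request $request)
    {
        $user = User::where('email', $request->input('email'))->firstOrFail();
        $user->name = $request->input('name');
        $user->save();

        return redirect('users/search?email=' . urlencode($user->email));
    }
}

/*
(3) XSS, in resources/views/users/show.blade.php:

<form method="POST" action="/users/rename">
    {{-- CSRF: render the session token into the hidden _token field --}}
    <input type="hidden" name="_token" value="{{ csrf_token() }}">
    <input type="text" name="email" value="{{ $user->email }}">
    <input type="text" name="name" value="{{ $user->name }}">
    <button type="submit">Rename</button>
</form>

{{-- Escaped output: {{ }} compiles to <?php echo e($user->name); ?>,
     so a name like <script>alert(1)</script> is rendered as literal text. --}}
<p>Name: {{ $user->name }}</p>

{{-- Unescaped output: {!! !!} compiles to <?php echo $user->name; ?> and
     emits the stored value as-is. Reserve it for markup you generated
     yourself; with user-supplied data it is a stored XSS. --}}
{{-- Do NOT do this with user data: {!! $user->name !!} --}}
*/
```

The point of contrast is that both `User::where()` and `DB::select()` with a `?` placeholder hand the value to the driver as a binding, so the injection risk only appears when a raw SQL string is assembled from input. Likewise, the view stays safe only while user data goes through `{{ }}`; the hidden `_token` field is what lets `VerifyCsrfToken` accept the POST.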
