CakePHP Security


Question

I am new to security of web apps. I am developing an application in CakePHP and one of my friends told me about the Cross-site request forgery (CSRF) and cross-site scripting (XSS) attacks etc. Not sure how many more there are.

I need some help in understanding how to make CakePHP defend my web app against these. We are low budget and we can't hire a security consultant as of now. We are still developing the app and plan to release it by the end of the month, so I wanna take care of the initial stuff that can help me stand unhacked ;)

Answer

There is not (and cannot be) one tool you can deploy and then never have to think about security again. Deploying 'anti-XSS' hacks like CakePHP's Sanitize::clean will get in users' way by blocking valid input, whilst still not necessarily making the app secure. Input filtering hacks are at best an obfuscation measure, not a fix for security holes.

To have a secure web application, you must write a secure web application, from the ground up. That means, primarily, attention to detail when you are putting strings from one context into another. In particular:

  • any time you write a string to HTML text content or attribute value, HTML-escape it (htmlspecialchars()) to avoid HTML-injection leading to XSS. This isn't just a matter of user input that might contain attacks, it's the correct way to put plain text into HTML.

    Where you are using HTML helper methods, they should take care of HTML-escaping of those elements by default (unless you turn off escape); it is very unfortunate that the CakePHP tutorial includes the bad practice of echoing unescaped strings into HTML for text outside of HTML helpers.

  • any time you create SQL queries with string values, SQL-escape them (with an appropriate function for your database such as mysql_real_escape_string).

    If you are using CakePHP's ORM and not writing your own SQL you don't have to worry about this.

  • avoid using user input (eg file upload names) to name files on the filesystem (generate clean unique IDs instead) or as any part of a system() command.

  • include the Security component to add a form submission token scheme that will prevent XSRF on forms generated by CakePHP.
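The four points in the answer above, shown as plain PHP rather than through CakePHP's helpers. This is an added example, not code from the answer or from CakePHP: the function names (`e`, `csrfToken`, `csrfTokenIsValid`, `findUserByName`, `safeUploadName`) and the `_token` form field are this example's own choices, and for the SQL point it uses a PDO prepared statement instead of the escaping function the answer names, which is the usual substitute today.

```php
<?php
// Added example (not from the original answer or CakePHP): plain-PHP versions
// of the habits the answer recommends. All names below are the example's own.

// 1. HTML-escape every string written into HTML text or an attribute value.
//    ENT_QUOTES also escapes single quotes, so the result is safe inside
//    attributes delimited with either quote style; ENT_SUBSTITUTE replaces
//    invalid UTF-8 instead of silently returning an empty string.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 2. Parameterised query: the value never becomes part of the SQL text,
//    so no escaping step can be forgotten (swapped in for mysql_real_escape_string).
function findUserByName(PDO $db, string $name): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 3. Never let a client-supplied upload name reach the filesystem: keep only
//    a whitelisted extension and generate a random basename.
function safeUploadName(string $clientName, array $allowedExt = ['jpg', 'png', 'pdf']): ?string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        return null; // anything outside the whitelist is rejected
    }
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// 4. Per-session anti-CSRF token: generated once, embedded in every form,
//    compared with a constant-time check on each POST.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrfTokenIsValid(?string $submitted): bool
{
    if ($submitted === null || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

session_start();
$comment = '';

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfTokenIsValid($_POST['_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid form token');
    }
    // Store the raw value; escape only at the point it is rendered into HTML.
    $comment = (string) ($_POST['comment'] ?? '');
}
?>
<form method="post" action="">
    <input type="hidden" name="_token" value="<?= e(csrfToken()) ?>">
    <textarea name="comment"><?= e($comment) ?></textarea>
    <button type="submit">Post</button>
</form>
<p>Last comment: <?= e($comment) ?></p>
```

The escaping happens in the template, not on input, which is the point the answer makes against `Sanitize::clean`: the stored string stays intact, and the same value can later be emitted safely into another context (JSON, a URL) with that context's own encoder.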
