[Info-vax] OS implementation languages
Chris Townley
news at cct-net.co.uk
Sat Sep 9 21:47:18 EDT 2023
On 10/09/2023 02:06, Arne Vajhøj wrote:
> On 9/9/2023 7:22 PM, Chris Townley wrote:
>> On 09/09/2023 22:35, Arne Vajhøj wrote:
>>> On 9/9/2023 11:16 AM, Arne Vajhøj wrote:
>>>> PHP does not have many of the common general flaws like
>>>> buffer overflow and memory leak.
>>>>
>>>> PHP has all the features needed for secure web applications.
>>>>
>>>> Some old features that were questionable from a security
>>>> perspective have been removed. The classic example is register_globals,
>>>> which has been off by default since version 4.2 (21 years ago) and
>>>> was finally removed in version 5.4 (8 years ago).
>>>>
>>>> The most widely used frameworks have added features to make it
>>>> easy to avoid common web security problems. Example: Laravel
>>>> always checks for a token to prevent CSRF.
>>>
>>> And CSRF is a real problem.
>>>
>>> On OWASP top ten it made:
>>>
>>> 2007 - 5th
>>> 2010 - 5th
>>> 2013 - 8th
>>> 2017 - missing
>>> 2021 - 10th
>>> 2023 API - 7th
>>>
>>> Modern web frameworks like PHP Laravel, ASP.NET MVC, RoR,
>>> JSF etc. have built-in anti-forgery token support to prevent
>>> CSRF.
>>
>> CSRF - what is it?
>
> Cross Site Request Forgery
>
> Simple (slightly oversimplified) example:
>
> * you log in to your bank and the bank web server provides
> you with a session cookie that your browser uses for
> all requests in that session
> * you need to do a money transfer so you fill out a
> form with amount + from account + to account
> * that form gets submitted to the bank as a POST request
> * without closing the browser you go to www.verybadsite.com
> * they show you a form with a USD amount and you expect them
> to show the equivalent GBP amount
> * but the form has 3 invisible fields: amount +
> from account + to account, filled out with an amount +
> your account + their account, and the POST URL is the bank's
> * when you hit submit the transfer goes to the bank
> and your super friendly browser sends the cookie
> with the request and the super friendly bank web server
> has kept the session valid
>
> https://en.wikipedia.org/wiki/Cross-site_request_forgery
>
> Arne
Thanks. A bit like some of the recent YouTube issues.
I wasn't aware of the abbreviation.
--
Chris
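The anti-forgery token check that Arne's bank example turns on, written out as an added, framework-neutral illustration (this is not code from the thread, from Laravel or from any of the frameworks named). It assumes an in-memory session dict standing in for the server-side session the cookie resolves to, a hypothetical form action at bank.example, and the field name `_token`; the two "browser" functions replay the legitimate transfer and the forged one from the post against the same session.

```python
"""Synchronizer-token CSRF check, constructed example.

The bank keeps a per-session secret, prints it into every state-changing
form, and rejects any POST whose token field does not match. A forged form on
another site is sent with the victim's cookie (the browser attaches it on its
own) but cannot carry the token: the other site cannot read the bank's pages.
"""
import hmac
import re
import secrets

TOKEN_FIELD = "_token"  # field name Laravel uses; any name works


def start_session() -> dict:
    """Server-side session state created at login (the cookie holds only its id)."""
    return {"user": "alice", "balances": {"alice": 1000, "attacker": 0}}


def issue_csrf_token(session: dict) -> str:
    """Create the session's CSRF token once. It lives server-side and in the
    bank's own HTML, never in the cookie."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def render_transfer_form(session: dict) -> str:
    """The bank's transfer page: a normal form plus the hidden token field."""
    token = issue_csrf_token(session)
    return (
        '<form method="POST" action="https://bank.example/transfer">'
        f'<input type="hidden" name="{TOKEN_FIELD}" value="{token}">'
        '<input name="amount"><input name="from"><input name="to">'
        '<button>Transfer</button></form>'
    )


def handle_transfer(session: dict, form: dict) -> dict:
    """POST /transfer. The cookie has already resolved to `session`; the token
    check is what tells the bank's own form apart from a forged one."""
    expected = session.get("csrf_token")
    supplied = form.get(TOKEN_FIELD, "")
    # Constant-time comparison so the check does not leak the token via timing.
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return {"status": 403, "error": "missing or invalid CSRF token"}
    balances = session["balances"]
    amount = int(form["amount"])
    if balances.get(form["from"], 0) < amount:
        return {"status": 400, "error": "insufficient funds"}
    balances[form["from"]] -= amount
    balances[form["to"]] = balances.get(form["to"], 0) + amount
    return {"status": 200, "balances": dict(balances)}


def browser_submits_bank_form(session: dict) -> dict:
    """Legitimate flow: the user fills in the bank's own form, so the browser
    sends the hidden token together with the session cookie."""
    html = render_transfer_form(session)
    token = re.search(rf'name="{TOKEN_FIELD}" value="([^"]+)"', html).group(1)
    form = {TOKEN_FIELD: token, "amount": "100", "from": "alice", "to": "bob"}
    return handle_transfer(session, form)


def browser_submits_forged_form(session: dict) -> dict:
    """Forged flow from the post: the other site's hidden fields name the
    victim's account and the attacker's, and the browser still attaches the
    cookie. The token is absent because that page cannot read it."""
    form = {"amount": "900", "from": "alice", "to": "attacker"}
    return handle_transfer(session, form)


if __name__ == "__main__":
    s = start_session()
    print(browser_submits_bank_form(s))    # 200, alice 900 / bob 100
    print(browser_submits_forged_form(s))  # 403, balances unchanged
```

Two points the sketch makes concrete: the check only helps if every state-changing request goes through it (a transfer reachable by GET bypasses it entirely), and the token must be compared against server-side state, not merely echoed back from a cookie. Marking the session cookie `SameSite=Lax` or `Strict` is a separate, complementary control that stops most cross-site POSTs from carrying the cookie at all.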