Linux Blog

Securing PHP Web Applications Review

Filed under: General Linux — TheLinuxBlog.com at 11:43 am on Friday, February 27, 2009

Securing PHP Web Applications

As a somewhat seasoned PHP developer, I’m always looking for ways to improve my code and keep up with the latest happenings. When I saw “Securing PHP Web Applications” by Tricia Ballad and William Ballad (Addison-Wesley), I thought I’d give it a look. PHP is known for its wide deployment and rapid development. Unfortunately, with such a large user base, mistakes in development are not uncommon, and developers are often unaware that what they are doing is insecure. This book addresses the security concerns every PHP developer should be aware of.

The first ten chapters cover programming practices and, if you’re a system administrator, may not interest you. If you are a developer, you should know and understand each of these issues, be able to fix them and, of course (the fun part), be able to exploit them for demonstration.

Chapters 11, 12 and 13 are essential reading for any system administrator who will be supporting a LAMP or WAMP stack. The IIS chapter may not apply to readers of this blog, since there is no IIS to secure when you’re running Linux. The chapters on securing PHP, MySQL and Apache outline the basic concepts and give some important pointers that may not be obvious to everyone.

Chapter 14 (Introduction to Automated Testing) and Chapter 15 (Introduction to Exploit Testing) really opened my eyes to methods I have not used before. We’ve all heard of Selenium and PHPUnit, but what about CAL9000 and PowerFuzzer? I’ll be off to try them soon; I can always appreciate applications designed to help secure applications. Nessus, Nikto and Metasploit get no mention in this book, but now that you’ve read this review you’ll know to look into those as well.

Chapter 16 is on designing secure applications and Chapter 17 is on patching, which would have been useful to me when explaining to someone why they shouldn’t be working directly on their production site (and, to make things worse, with no version control).

There are many products out there vulnerable to the attacks covered here; we see them every day on the security lists. I think any company or developer building PHP-based web applications should have a keen grasp of the concepts outlined in this book.

I do not think, however, that “Securing PHP Web Applications” is necessarily intended for every developer out there. I think it’s a great book for anyone with an active interest in security who has been developing for a while and would like some pointers on how to secure their web apps, or as a reference for developers in need.

For more information and a sample chapter, see the publisher page: http://www.informit.com/title/0321534344 or, if you subscribe to Safari Books Online, the complete book is available here: http://techbus.safaribooksonline.com/9780321534347

Facts About Selenium

Filed under: General Linux,Linux Software — TheLinuxBlog.com at 9:22 pm on Friday, March 28, 2008

Selenium is a chemical element. What you may not know is that Selenium is also a powerful testing tool for web applications. Selenium runs its tests directly in a browser, just as real users do. It is cross-platform, and the developers plan to have it running on the iPhone, but that’s another story. Selenium can run in one of two modes: Core and Remote Control (RC). In RC mode the test script talks to a Selenium server that launches and drives the browser, so the browser can sit on a different machine from the script and test runs can be spread across several hosts. There is also a Selenium IDE that makes it easy to learn Selenium.

Enough Facts About Selenium already!

What exactly can you do with Selenium?

Well, the answer is simple: pretty much anything you can do with a browser, Selenium can do. Its primary purpose is as a quality assurance tool for developers. For QA purposes you create test cases, run them and verify that the end result is what you expected. Test cases can be written in Java, Ruby, Python, Perl, PHP or .NET.

I had a little trouble getting the Selenium driver for PHP installed, so here is the how-to:

sudo su
pear channel-update pear.php.net
pear install Testing_Selenium-beta
pear install PHPUnit
exit

The above allowed me to talk to the Selenium Remote Control server, which I downloaded separately, from PHP. Here is an example from their website that I have modified so that it works. Note that this script does not use PHPUnit itself (the class below does its own checking), so that package is only needed once you turn scripts like this into proper PHPUnit test cases:

<?php
// Make a local PEAR tree visible as well, in case the driver was not installed system-wide.
set_include_path(get_include_path() . PATH_SEPARATOR . './PEAR/');
require_once 'Testing/Selenium.php';

class GoogleTest
{
    private $selenium;

    // Open a Firefox session on the Selenium RC server (localhost:4444 by default).
    public function setUp()
    {
        $this->selenium = new Testing_Selenium("*firefox", "http://www.google.com");
        $this->selenium->start();
    }

    // Close the browser session so the RC server does not leave Firefox processes behind.
    public function tearDown()
    {
        $this->selenium->stop();
    }

    public function testGoogle()
    {
        $this->selenium->open("/");
        $this->selenium->type("q", "hello world");
        $this->selenium->click("btnG");
        // Timeout in milliseconds; the driver throws if the page has not loaded by then.
        $this->selenium->waitForPageToLoad(10000);
        // Expected to pass: the results page title contains "Google Search".
        $this->testCase("/Google Search/", $this->selenium->getTitle());
        echo "<hr>"; // separator, useful when the output is viewed in a browser
        // Deliberately does not match, to show what a failed check looks like.
        $this->testCase("/Yeahh Search/", $this->selenium->getTitle());
    }

    // Match a page title against a regular expression, print the outcome and
    // return true when it matched.
    public function testCase($regEx, $string)
    {
        $matched = preg_match($regEx, $string, $matches) === 1;
        echo ($matched ? "PASS" : "FAIL") . ": $regEx against \"$string\"\n";
        print_r($matches);
        return $matched;
    }
}

$google = new GoogleTest();
$google->setUp();
try {
    $google->testGoogle();
} catch (Exception $e) {
    // Testing_Selenium throws on RC errors (browser not found, timeout, bad locator).
    echo "Selenium error: " . $e->getMessage() . "\n";
}
// Always stop the browser session, even when the test blew up.
$google->tearDown();
?>

Before attempting to run this you must make sure that you have downloaded Selenium RC and that it is running. Selenium RC runs on Java, so make sure Java is installed. Download Selenium RC, unzip it and run the following in the directory it was extracted to:

cd selenium-remote-control-1.0-beta-1
cd selenium-server-1.0-beta-1
java -jar selenium-server.jar -interactive

Once this is running you can start scripting with PHP to get Selenium to do anything you want. When you are done, make sure you exit the Selenium server by typing “exit” at its prompt.
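Putting the install steps, the running RC server and the PHP driver together, here is an added example of using the same Testing_Selenium driver for a security regression test rather than a plain search check. This is not code from the post, from Selenium or from the Testing_Selenium package. The target application and everything about it are assumptions made for illustration: a hypothetical app at http://localhost/demo-app with a /login page whose form has fields named username and password and a button named login, which echoes a bad username back on failure, and a /account page that should redirect unauthenticated visitors to /login.

```php
<?php
// Added example, not from the original post: a Selenium RC security regression
// test using the Testing_Selenium PEAR driver. HYPOTHETICAL_APP, the /login and
// /account paths and the form field names are assumptions for illustration.
require_once 'Testing/Selenium.php';

define('HYPOTHETICAL_APP', 'http://localhost/demo-app');

class SecurityRegressionTest
{
    private $selenium;
    private $failures = 0;

    public function setUp()
    {
        // Default RC server is localhost:4444; pass host and port as the
        // third and fourth constructor arguments to drive a remote browser.
        $this->selenium = new Testing_Selenium('*firefox', HYPOTHETICAL_APP);
        $this->selenium->start();
    }

    public function tearDown()
    {
        $this->selenium->stop();
    }

    // Record and print the outcome of one check; returns the verdict.
    private function check($description, $passed)
    {
        echo ($passed ? 'PASS' : 'FAIL') . ": $description\n";
        if (!$passed) {
            $this->failures++;
        }
        return $passed;
    }

    // 1. Input echoed back by the login page must be HTML-escaped.
    //    The canary closes an attribute and injects an element with a unique id.
    //    It deliberately runs no script: a vulnerable page then shows up as a
    //    stray element instead of an alert() dialog that would stall the run.
    public function testLoginFormEscapesInput()
    {
        $canary = '"><b id="xsscanary">';
        $this->selenium->open('/login');
        $this->selenium->type('username', $canary);
        $this->selenium->type('password', 'not-a-real-password');
        $this->selenium->click('login');
        $this->selenium->waitForPageToLoad('10000');

        // If the canary was reflected unescaped, the browser built the element.
        $injected = $this->selenium->isElementPresent('id=xsscanary');
        $this->check('login page escapes the username it echoes back', !$injected);

        // Belt and braces: the raw payload must not appear verbatim in the source.
        $source = $this->selenium->getHtmlSource();
        $this->check('raw payload absent from page source', strpos($source, $canary) === false);
    }

    // 2. A protected page opened with no session must bounce to the login page.
    //    Each start() gets a fresh browser profile, and the failed login above
    //    creates no session, so the browser is unauthenticated here.
    public function testAccountPageRequiresLogin()
    {
        $this->selenium->open('/account');
        $this->selenium->waitForPageToLoad('10000');
        $location = $this->selenium->getLocation();
        $this->check('/account redirects to /login when unauthenticated',
                     strpos($location, '/login') !== false);
    }

    // Run every check and return the number of failures.
    public function run()
    {
        $this->setUp();
        try {
            $this->testLoginFormEscapesInput();
            $this->testAccountPageRequiresLogin();
        } catch (Exception $e) {
            // Testing_Selenium throws on RC errors (browser not found, timeout, bad locator).
            $this->check('selenium session completed without error: ' . $e->getMessage(), false);
        }
        $this->tearDown();
        return $this->failures;
    }
}

$test = new SecurityRegressionTest();
$failures = $test->run();
exit($failures === 0 ? 0 : 1);
?>
```

Save this as, say, security_test.php, start the Selenium server as above and run php security_test.php. The script exits non-zero when any check fails, so it can sit in a cron job or build step and catch a regression of the escaping or the access control before it reaches production.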

I’m sorry about the format of this post; it’s been a while since I have used Selenium and I’m quite excited about it. If you have any questions about Selenium, post them here and I will try to answer them for you.