Is lightopenID safe to use in a project you intend to publish, since the current version is 0.4
You might want to ask this question on security.stackexchange.com.
It is very difficult to say weather software is "safe to use". I am sure that lightOpenID isn't malware as I took a look at the source code and I use it in some of my projects.
I don't know how many people are actually using it in a project, but it is starred by 55 users. This might be an indicator that there are no obvious bugs which could be exploited.
The project version doesn't mean anything as far as I know. It is officially hosted at github. I am not quite sure, but I think the project owner doesn't even use version numbers on github.
Even if lightOpenID is save, you will have to implement some code by your own (e.g. the database part). This might bring some security holes into the system. As lightOpenID is very lightweight, I guess there can't be many security holes. But this is a very optimistic point of view without having checked the code for exploits or bugs.
If you need a secure OpenID solution I'd suggest janrain. Google recommended them as a secure solution for OpenID. But this way you will give the data of your users away and it's possible that you have to pay for it.
Related
I have an AJAX (jquery) based website. It has lots of ajax calls.
Anyways, I have to check whether my website is hack proof, sessions are properly maintained, etc, i mean anything that can be considered as a security flaw and patch it.
Can anyone suggest me any tools using which I can do all kinds of hack on my website to find out vulnerability?
Thanks.
EDIT:
Why will someone want to vote this question down?
I can recommend to you the Burp Suite. User friendly, many features, well documented. Also discussed in some web application security books, e.g. The Web Application Hacker's Handbook. It has both free and paid version. The free one is quite useful as well.
It is written in Java so you can use it on many platforms.
check http://sectools.org/tag/web-scanners/
I have a experience on Joomla, Drupal, wordpress and small cms configuration. But one of my client is asking about the security level in the above cms. I never thought about the security risks and it's really very new to me. On which basis i can choose which is best CMS when considering about the security level and minimum risks? And what kind of security we can provide to the server make the application highly secured?
All the big CMS products you mentioned should be okay. Look at who else is using them; this is a great way to judge how good the product really is. For example, Drupal is used by the White House. This fact gives me a lot of confidence in Drupal.
The important thing is to make certain that you keep up-to-date with any security fixes that are released.
The vast majority of security problems in all these products come from non-core modules that you might install. If you're really worried about security, I suggest keeping the number of modules you use to an absolute minimum.
Where you do need to use an external module, do thorough investigations to find out how good it is: how often is it updated? are there any known bugs with it which may be security issues? how widely used is it? And as I mentioned above with the core CMS, who is using it?
You should also ensure that your web server is secure. It's not just your CMS that will provide routes in for a hacker. Close all un-necessary ports and services. Make sure that everything possible is encrypted (use SFTP, definitely not FTP). If you're using a PHP-based CMS such as Drupal, use a security-hardened PHP version (Suhosin) rather than the basic version.
Finally, you should accept that no matter how good your software and no matter how vigilant you are, you could still get hacked. Worse, you could get hacked without even knowing about it. Even the best software has flaws which can be exploited. For this reason, you should aim to have several layers of security before anyone can get to any genuinely sensitive data.
I am looking for a forum script in PHP.
Some time ago I installed phpBB but I had to remove it since my site was hacked and attacks cam from some security problems in this script.
So I am looking for a popular php forum script that has NO SECURITY FAILS like phpbb.
Any recommendations ?
Thanks
Did you use phpBB2, well phpBB3 is much stronger and has tighter security than phpBB2. I've used phpBB3 for so long and find it the most perfect forum software which is also open-source. I wouldn't go for vBulletin since I find it so overrated and has too much things built in and it's a huge forum software.
So my suggestion is go for phpBB3 if you went for phpBB2, it's always important to stay up to date with the latest revisions.
Or perhaps use Vanilla.
You always need to keep you're software fully patched to the latest versions, otherwise they are all unsafe.
There is really no such thing as a fully secure forum. All popular forum scripts have some or the other exploits. You may want to move to a commercial solution like vBulletin, IPB etc. instead. Or you may want to use some obscure little known forum (just search for PHP forum in google). Or if you are really paranoid, they why don't you try hosted forums? They are safe and the security is their headache and not yours:
http://www.google.com/search?q=hosted+forums
Some time ago I created this LAMP based web. At the time I wrote my own user authentication and access control system. It checks whether the user logged in with a correct password, and whether or not he/she has the correct permission level to access given page. State information is handled via PHP sessions while usernames, salted, hashed passwords and user level are stored in a MySQL back end. All the user inputs are sanitized and etc. Users must access the site wtith SSL.
The problem is that I'm starting to second guess myself and am becoming paranoid about security. So I'm looking for ways to improve it.
Can you give me suggestions for:
some comprehensive lists of security tests I could implement and run against it
best practices for implementing this sort of system
Is there a robust open source framework or library set that you could recommend using instead a home grown one? The conventional wisdom is that it is usually better to adopt a mature, tested system than write your own from scratch. What would you recommend?
1) Since you already wrote your own from scratch I would not throught it away and waste your time and effort to integrate a new external open source framework.
Code written by others might not be necessary better than your one, moreover you might not completly understand how to integrate it properly therefor you might add even more secuirty holes to your application.
2) This is a good and short 3 pages guide (unfortunately it's in italian, but you can use Google translator toolbar to translate the all pages)
Anyway from what you say you don't seem to be a newby to PHP programming, i would reccomend:
sanitizing input (but you said you did)
using at least addslshes (or mysql_real_escape_string) when playing with the DB
php.ini config: REGISTER_GLOBALS should be Off
careful about how you set the ERROR_REPORTING, it might prints out private data when encounters an error
The Zend framework has authentication built into it although Zend tends to be a bit bloated. It is possible to use only bits and pieces of Zend but I've never tried using just the Authentication bit.
There are also a couple of authentication libraries in PEAR - PEAR::Auth which is in a stable release and PEAR::LiveUser which is in beta and was last released (as beta) in 2008.
I hope that gives you a good start.
I've heard that there are some free applications that will check the vulnerability of a PHP website, but I don't know what to use. I'd like a free program (preferably with a GUI) for Windows that will analyze my site an give me a report.
Anyone know of a solution?
Top 10 Web Vulnerability Scanners from Insecure.org (listing from 2006). Their number one, Nikto2, can be found here.
There are only certain security holes you can check for with any program. You can check your PHP configuration, Apache configuration, passwords, common bugs, etc. but you can't really check programatically for logic errors which might cause security holes.
Your best bet would be to do a thorough code review of the website. Or, better yet, have several other people do a thorough code review of the website, looking for security holes.
Netsparker Community Edition does that and it's free (GUI + Windows).
I recently found Detectify which seems to make a decent scan and has nice UI. They work on donation basis which means you should decide how much you can spend.
We cover OWASP Top 10. That means we find a wide variety of flaws, including SQL, LDAP, XPATH and NoSQL injections, Cross Site Scripting flaws, broken session management, remote code and command execution, etc.
I'm a little late to the party, but since you specifically asked for easy to use and not-too-technical scanners, take a look at Golem Technologies website security scanner - the full scan isn't free, but they have a demo scan which checks about 10% of a site and will catch a lot of the common vulnerabilities.
This is another one, but as previously stated, nothing beats a professional eye-over:
http://www.websitedefender.com