
Revision history of Security

12. 4. 2012, 12:40 by Jan Tvrdík – removed duplicate

Changed lines 1–65:

Perfect Web Application Security
********************************

.[perex]
Every so often a security hole is reported in yet another important website, or such a hole is exploited. This is annoying. If you care about securing your web applications, Nette Framework is surely the best option.


Cross-site scripting (XSS)
--------------------------

Cross-site scripting is a method of defacing a website by exploiting unescaped output. The attacker is then able to inject their own code into the page and may modify the site or even obtain sensitive information about its visitors. XSS can be defended against by consistent and correct escaping of all strings. It is enough for your coder to slip up just once, and the entire site can be compromised instantly.

Nette Framework comes with a revolutionary technology, *Context-aware escaping*, which rids you of the risk of cross-site scripting for good. All output is escaped automatically, so it cannot happen that the coder forgot something. An example? The coder creates the template:

/--html
<p onclick="alert({$message})">{$message}</p>

<script>
document.title = {$message};
</script>
\--

Writing `{$message}` means printing a variable. In other frameworks you would have to call an escaping function yourself, explicitly, in every single place. In Nette Framework there is no need to escape anything; everything is done automatically, correctly and consistently. If we substitute the variable `$message = 'Width 1/2"'`, the framework will generate this HTML code:

/--html
<p onclick="alert(&quot;Width 1\/2\&quot;&quot;)">Width 1/2&quot;</p>

<script>
document.title = "Width 1\/2\"";
</script>
\--
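To show what context-aware escaping actually has to do, here is an added illustration in plain PHP (not Nette's or Latte's own implementation) that reproduces the output above for the three contexts in the template: HTML text, JavaScript inside `<script>`, and JavaScript inside an HTML event-handler attribute. The function names are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added illustration, not Nette's code: one escaping routine per output context.

/** HTML text context: <, >, &, " and ' become entities. */
function escapeHtmlText(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

/** JavaScript context: json_encode quotes the value and escapes ", \ and /,
 *  so "</script>" inside the value can never close the script element.
 *  JSON_THROW_ON_ERROR rejects invalid UTF-8 instead of emitting "null". */
function escapeJs(mixed $value): string
{
    return json_encode($value, JSON_THROW_ON_ERROR | JSON_UNESCAPED_UNICODE);
}

/** JavaScript inside an HTML attribute (onclick="..."): the attribute is parsed
 *  as HTML first, then as JS, so escape for JS first and HTML-escape the result. */
function escapeJsInHtmlAttribute(mixed $value): string
{
    return escapeHtmlText(escapeJs($value));
}

/** Renders the template from the text above with every placeholder escaped
 *  according to where it sits. */
function render(string $message): string
{
    return '<p onclick="alert(' . escapeJsInHtmlAttribute($message) . ')">'
        . escapeHtmlText($message) . "</p>\n\n"
        . "<script>\ndocument.title = " . escapeJs($message) . ";\n</script>\n";
}

echo render('Width 1/2"');
// prints exactly the HTML shown above:
// <p onclick="alert(&quot;Width 1\/2\&quot;&quot;)">Width 1/2&quot;</p>
// <script>
// document.title = "Width 1\/2\"";
// </script>
```

The point a reviewer should take from this is the ordering in `escapeJsInHtmlAttribute`: the same string needs two different, correctly nested escapings, and a template engine that only knows one escaping rule (or that relies on the coder to pick one) will get at least one of the three contexts wrong.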



Cross-site request forgery (CSRF)
---------------------------------

Cross-site request forgery is an attack that forces the user to visit a page which secretly performs an action in a web application where the user is logged in. It can, for example, alter or delete an article without the user noticing. The attack can be prevented by generating and verifying an authorization token.

Nette Framework defends against cross-site request forgery so easily that it could not be easier. A single command suffices:

/--php
$form->addProtection();
\--

and the form is protected!
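What `addProtection()` hides is the token scheme the paragraph above describes. The following added example (plain PHP, not Nette's implementation; the function names are assumptions) generates a per-session token, embeds it in the form, and verifies it on submission with a constant-time comparison.

```php
<?php
declare(strict_types=1);

// Added illustration, not Nette's code. Assumes session_start() has run.

/** Returns the session's CSRF token, creating it on first use from CSPRNG bytes. */
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** Hidden field to place inside every state-changing form. */
function csrfField(): string
{
    return '<input type="hidden" name="_token" value="'
        . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

/** Verification on submit: a missing session token or a missing/garbage field
 *  fails closed; hash_equals avoids leaking the token through timing. */
function isCsrfTokenValid(mixed $submitted): bool
{
    if (empty($_SESSION['csrf_token']) || !is_string($submitted)) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// Usage in the request handler:
if ($_SERVER['REQUEST_METHOD'] === 'POST' && !isCsrfTokenValid($_POST['_token'] ?? null)) {
    http_response_code(403);
    exit('Invalid or expired form token');
}
```

The token must be tied to the session (so a forged page on another origin cannot know it) and must only ever be checked on requests that change state; a GET that modifies data cannot be protected this way, which is why such actions belong in POST forms in the first place.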



URL attack, control codes, invalid UTF-8
----------------------------------------

Several attack types share the same idea: the attacker tries to feed your web application *malicious* input. The consequences can be very diverse, from corrupted XML output (e.g. a broken RSS feed) to obtaining sensitive information, or passwords, from the database. The defense is consistent treatment of all inputs at the level of individual bytes. And honestly, who of you does that, and which framework does it?

Nette Framework does, and fully automatically. You do not have to set anything up, and all inputs will be sanitized.
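The "individual bytes" check the paragraph refers to is concrete: every incoming string must be well-formed UTF-8 and must not carry control characters. The added example below (plain PHP, not Nette's own request-handling code; function names are assumptions) shows such a filter applied to the raw GET/POST data before the application sees it.

```php
<?php
declare(strict_types=1);

// Added illustration, not Nette's code: byte-level input validation.

/** PCRE's 'u' modifier makes the regex engine validate UTF-8; an invalid
 *  string makes preg_match return false rather than 1. */
function isValidUtf8(string $s): bool
{
    return preg_match('##u', $s) === 1;
}

/** Returns the string with C0 control characters and DEL removed
 *  (TAB, LF and CR are kept), or null when the bytes are not valid UTF-8,
 *  so the caller can fail the request instead of guessing a repair. */
function sanitizeInput(string $s): ?string
{
    if (!isValidUtf8($s)) {
        return null;
    }
    return preg_replace('#[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]+#', '', $s);
}

/** Applies sanitizeInput() recursively to a $_GET / $_POST style array;
 *  keys are checked too, since they reach the application just like values. */
function sanitizeArray(array $data): ?array
{
    $clean = [];
    foreach ($data as $key => $value) {
        $cleanKey = sanitizeInput((string) $key);
        if ($cleanKey === null) {
            return null;
        }
        $cleanValue = is_array($value) ? sanitizeArray($value) : sanitizeInput((string) $value);
        if ($cleanValue === null) {
            return null;
        }
        $clean[$cleanKey] = $cleanValue;
    }
    return $clean;
}

// Constructed sample input: a valid value, one with a NUL byte, one with a broken byte sequence.
$samples = [
    'title'  => "Hello\t world",
    'name'   => "Eve\0Admin",          // NUL can truncate strings in C-backed APIs
    'broken' => "caf\xC3",             // truncated multibyte sequence: invalid UTF-8
];

var_dump(sanitizeInput($samples['title']));   // string(12) "Hello	 world"
var_dump(sanitizeInput($samples['name']));    // string(8) "EveAdmin"
var_dump(sanitizeInput($samples['broken']));  // NULL
var_dump(sanitizeArray($samples));            // NULL: one invalid field rejects the whole request
```

Rejecting rather than repairing invalid UTF-8 is deliberate: a string that libraries disagree about how to decode is exactly what lets a filter and a consumer (database driver, XML writer, HTML escaper) see two different values.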



Session hijacking, session stealing, session fixation
-----------------------------------------------------

Session management is associated with several types of attacks. The attacker either obtains the user's session ID or plants one of their own on the user, and thereby gains access to the web application without knowing the password. The application can then be made to do anything without the user's knowledge. The defense lies in a properly configured server and PHP.

Nette Framework configures PHP automatically. The programmer does not have to think about how to secure sessions properly and can concentrate fully on creating the application.
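For readers who want to see what "properly configured PHP" means for the three attacks named in the heading, here is an added example (plain PHP `ini_set` calls, not Nette's own session configuration; function names are assumptions) that applies the relevant settings before `session_start()` and regenerates the ID on login.

```php
<?php
declare(strict_types=1);

// Added illustration, not Nette's code: session hardening in plain PHP.

/** Settings that must be in place before the session starts. */
function configureSession(bool $https): void
{
    // fixation: refuse session IDs the server never issued
    ini_set('session.use_strict_mode', '1');
    // stealing via URL: the ID travels only in a cookie, never in links or forms
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // stealing via XSS: script cannot read the cookie
    ini_set('session.cookie_httponly', '1');
    // stealing on the wire: cookie sent over TLS only (when the site runs on HTTPS)
    ini_set('session.cookie_secure', $https ? '1' : '0');
    // cross-site requests do not carry the cookie (also narrows CSRF); PHP >= 7.3
    ini_set('session.cookie_samesite', 'Lax');
    // idle sessions expire instead of staying usable for a hijacker
    ini_set('session.gc_maxlifetime', '1800');
}

function startSession(bool $https): void
{
    configureSession($https);
    session_start();
}

/** On any privilege change issue a fresh ID, so an ID fixated or captured
 *  before login is worthless afterwards; delete_old_session=true removes the old record. */
function loginUser(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['login_at'] = time();
}

function logoutUser(): void
{
    $_SESSION = [];
    session_destroy();
}

// Usage:
startSession(isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off');
```

The two settings most often missing from hand-rolled setups are `session.use_strict_mode` (without it PHP happily adopts any ID a visitor arrives with, which is the whole basis of fixation) and the ID regeneration at login.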
 

to:

{{redirect: doc:Vulnerability Protection}}  

21. 12. 2011, 10:40 by Jan Tvrdík – heading fix

Changed line 1:

Perfect Web application security  

to:

Perfect Web Application Security  

6. 5. 2010, 3:14 by David Grudl – Page created

Page created