-
Notifications
You must be signed in to change notification settings - Fork 5
Expand file tree
/
Copy pathRecommend4SecureCoding.txt
More file actions
115 lines (103 loc) · 4.32 KB
/
Recommend4SecureCoding.txt
File metadata and controls
115 lines (103 loc) · 4.32 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
Function Vul(validate user input):
⋗ wp_kses_bad_protocol
⋗ wpdb->query
⋗ wpdb->get_var
⋗ wpdb->get_row
⋗ wpdb->get_col
⋗ wpdb->get_results
⋗ wpdb->replace
⋗ esc_sql
⋗ escape
⋗ esc_like
⋗ like_escape
⋗ is_admin ===> does not check if the user is authenticated as administrator, only checks if page displayed is in the admin section, can lead to auth bypass if misused.
⋗ is_user_admin ===> does not check if the user is authenticated as administrator, only checks if page displayed is in the admin section, can lead to auth bypass if misused.
⋗ current_user_can ===> used for checking authorisation. This is what should be used to check authorisation.
⋗ add_action( 'wp_ajax_nopriv_ ===> permits non-authenticated users to use the AJAX function
⋗ wp_redirect ===> function can be used to redirect to user supplied URLs. If user input is not sanitised or validated this could lead to Open Redirect vulnerabilities.
⋗ wp_nonce_field ===> adds CSRF token to forms
⋗ wp_verify_nonce ===> checks the CSRF token validity server side
⋗ check_admin_referer ===> checks the CSRF token validity server side and came from admin screen
⋗ CURLOPT_SSL_VERIFYHOST ===> if set to 0 then does not check name in host certificate
⋗ CURLOPT_SSL_VERIFYPEER ===> if set to FALSE then does not check if the certificate (inc chain), is trusted. A Man-in-the-Middle (MitM) attacker could use a self-signed certificate.
⋗ update_option ===> if user input is sent unvalidated, it could allow an attacker to update arbitrary WordPress options.
⋗ do_action ===> if user input is sent unvalidated, it could allow an attacker to update arbitrary WordPress actions
⋗ random
⋗ inputstream, fileoutputstream ===> put function into try..catch
⋗ strncpy, memcpy, printf, strlen, sscanf, fopen
⋗ mysql_real_escape_string
⋗ addslashes
⋗ string.Format
⋗ disable_functions
⋗ callock ===> malloc is safe
⋗ match_at
⋗ _php_iconv_mime_decode
⋗ phar_create_or_parse_filename
⋗ ftp_getrc_msg
⋗ phar_detect_phar_fname_ext
⋗ php_wddx_push_element
⋗ php_unicode_tolower_full
⋗ phar_parse_pharfile
⋗ smtp_command_parse_parameters
⋗ efree
⋗ HTMLInputElement
⋗ HTMLEncode
⋗ jQuery.htmlPrefilter
⋗ dangerouslySetInnerHTML ===> reactjs + xss
⋗ fs.realpath.native
⋗ merge() ===> angularjs + xss
⋗ json.stringify
⋗ redirect_to ===> ruby gem, RCE
⋗ actionpack-page_caching ===> ruby gem, RCE
⋗ Curl_http_compile_trailers ===> double free
⋗ SOCK_RAW sockets ===> SOCK_RAW sockets reachable from Webkit process allows triggering double free in IP6_EXTHDR_CHECK
⋗ header_append ===> Integer overlow in "header_append" function
⋗ node-serialize ===> Node.JS - 'node-serialize' Remote Code Execution
Displaying/hiding SQL errors(validate user input):
⋗ <?php $wpdb->show_errors(); ?>
⋗ <?php $wpdb->hide_errors(); ?>
⋗ <?php $wpdb->print_error(); ?>
Command Execution(validate user input):
⋗ system()
⋗ exec()
⋗ passthru()
⋗ shell_exec()
PHP Code Execution(validate user input):
⋗ eval()
⋗ assert()
⋗ preg_replace() ===> dangerous "e" flag deprecated since PHP >= 5.5.0 and removed in PHP >= 7.0.0.
Android Manifest (do not use options):
⋗ debuggable
⋗ allowBackup
⋗ cleartext
⋗ DOWNLOAD_WITHOUT_NOTIFICATION
⋗ SYSTEM_ALERT_WINDOW
⋗ BIND_ACCESSIBILITY_SERVICE
Mobile WebViews (do not use functions):
⋗ setWebContentsDebuggingEnabled(true)
⋗ clearCache(true)
⋗ EnableSafeBrowsing
⋗ addJavascriptInterface
iOS plist info (do not use option):
⋗ NSAllowsArbitraryLoads
⋗ NSExceptionAllowsInsecureHTTPLoads
⋗ NSAllowsArbitraryLoadsForMedia
⋗ NSAllowsArbitraryLoadsInWebContent
⋗ NSExceptionAllowsInsecureHTTPLoads
⋗ NSExceptionMinimumTLSVersion
Default File(store version):
⋗ md, log, txt
⋗ license, readme
Lib Vul(out of date version): version from js file
Debug(store sensitive information):
⋗ console.log
⋗ log.error
⋗ printStackTrace
⋗ elmah.axd ===> Adjust web.config to deny access to this entity without proper authorization.
Encrypt(do not use cipher suite):
⋗ md5, sha1, base64
⋗ hashcode
⋗ http://
⋗ cbc mode
Configuration:
⋗ localstorage ===> do not store token, sensitive information