PHP : Preparing for the Penetration Testing
mamchenkov.net, April 23, 2018
https://mamchenkov.net/wordpress/2018/04/23/php-preparing-for-the-penetration-testing/

Chris Cornutt (https://blog.phpdeveloper.org/) wrote the blog post "PREPARING FOR PENTESTING (@ LONGHORN PHP 2018)" (https://blog.phpdeveloper.org/2018/04/17/preparing-for-pentesting-longhorn-php-2018/) ahead of his upcoming talk at the conference. I'd gladly attend the talk, but the time and place didn't work out for me this time. Here are a few useful links from his post that might come in handy for anyone evaluating the security of their PHP application and preparing for a penetration test:

- OWASP Top 10 2017 (https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf): the ten most critical web application security risks
- PortSwigger Burp Suite, Community Edition (https://portswigger.net/burp/communitydownload)
- OWASP PHP Security Cheat Sheet (https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet)
- Top 7 PHP Security Blunders (https://www.sitepoint.com/php-security-blunders/)
- The 2018 Guide to Building Secure PHP Software (https://paragonie.com/blog/2017/12/2018-guide-building-secure-php-software)

The above are not a replacement for the talk, but if you are like me and can't attend, they should at least get you started in the right direction.

Tags: best-practices, php, security, web-development