Security Guidelines

    We respect the Open Web Application Security Project (OWASP)and follow their recommendations as much as possible.

    The following comes from,identifying the top vulnerabilities for web applications.For each, we provide a brief description, the OWASP recommendations, and thenthe CodeIgniter provisions to address the problem.

    An injection is the inappropriate insertion of partial or complete data viathe input data from the client to the application. Attack vectors include SQL,XML, ORM, code & buffer overflows.

    • Presentation: set correct content type, character set & locale
    • Submission: validate fields and provide feedback
    • Controller: sanitize input; positive input validation using correct character set
    • Model: parameterized queries

    CodeIgniter provisions

    • provides for input field filtering & content metadata
    • Form validation library

    A2 Weak authentication and session management

    OWASP recommendations

    • Presentation: validate authentication & role; send CSRF token with forms
    • Design: only use built-in session management
    • Controller: validate user, role, CSRF token
    • Model: validate role
    • Tip: consider the use of a request governor

    CodeIgniter provisions

    • library
    • HTTP library provides for CSRF validation
    • Easy to add third party authentication

    A3 Cross Site Scripting (XSS)

    Insufficient input validation where one user can add content to a web sitethat can be malicious when viewed by other users to the web site.

    OWASP recommendations

    • Presentation: output encode all user data as per output context; set input constraints
    • Controller: positive input validation
    • Tips: only process trustworthy data; do not store data HTML encoded in DB

    CodeIgniter provisions

    • esc function
    • Form validation library

    Insecure Direct Object References occur when an application provides directaccess to objects based on user-supplied input. As a result of this vulnerabilityattackers can bypass authorization and access resources in the system directly,for example database records or files.

    • Presentation: don’t expose internal data; use random reference maps
    • Controller: obtain data from trusted sources or random reference maps

    CodeIgniter provisions

    • Form validation library
    • Easy to add third party authentication

    A5 Security Misconfiguration

    Improper configuration of an application architecture can lead to mistakesthat might compromise the security of the whole architecture.

    OWASP recommendations

    • Presentation: harden web and application servers; use HTTP strict transport security
    • Controller: harden web and application servers; protect your XML stack
    • Model: harden database servers

    CodeIgniter provisions

    • Sanity checks during bootstrap

    A6 Sensitive Data Exposure

    OWASP recommendations

    • Presentation: use TLS1.2; use strong ciphers and hashes; do not send keys or hashes to browser
    • Controller: use strong ciphers and hashes
    • Model: mandate strong encrypted communications with servers

    CodeIgniter provisions

    • Session keys stored encrypted

    Sensitive data must be protected when it is transmitted through the network.Such data can include user credentials and credit cards. As a rule of thumb,if data must be protected when it is stored, it must be protected also duringtransmission.

    • Presentation: ensure that non-web data is outside the web root; validate users and roles; send CSRF tokens
    • Controller: validate users and roles; validate CSRF tokens
    • Model: validate roles

    CodeIgniter provisions

    • Public folder, with application and system outside
    • HTTP library provides for CSRF validation

    A8 Cross Site Request Forgery (CSRF)

    CSRF is an attack that forces an end user to execute unwanted actions on a webapplication in which he/she is currently authenticated.

    OWASP recommendations

    • Presentation: validate users and roles; send CSRF tokens
    • Controller: validate users and roles; validate CSRF tokens
    • Model: validate roles

    CodeIgniter provisions

    A9 Using Components with Known Vulnerabilities

    Many applications have known vulnerabilities and known attack strategies thatcan be exploited in order to gain remote control or to exploit data.

    OWASP recommendations

    • Don’t use any of these

    CodeIgniter provisions

    • Third party libraries incorporated must be vetted
    • Presentation: don’t use URL redirection; use random indirect references
    • Controller: don’t use URL redirection; use random indirect references
    • Model: validate roles

    CodeIgniter provisions

    • provides for …