  • Stars: 130
  • Rank 277,575 (Top 6 %)
  • Language: PHP
  • License: Other
  • Created over 11 years ago
  • Updated over 4 years ago

Repository Details

A multitool library offering access to recommended security related libraries, standardised implementations of security defences, and secure implementations of commonly performed tasks.

SecurityMultiTool

The purpose of the library is to serve both as a useful set of utilities and as a set of reference implementations that can be learned from. It may be used by applications whether or not they are built on a web application framework. Using a web application framework does not guarantee your security.

Yet Another Security Library?

There are actually few security-related metapackages available in PHP, and many are outdated and/or insecure. Feeding this problem is a lack of concrete information about best practices in PHP. SecurityMultiTool extracts source code, patterns and best practices from a variety of sources to offer a single point of reference. The source code will be opinionated. For example, SecurityMultiTool\Html\Sanitizer uses HTMLPurifier and does not allow that dependency to be substituted (because there is NO other secure HTML sanitizer in PHP!).

You may choose to use SecurityMultiTool as a dependency in your projects. You can use it as a useful set of examples of what you should be doing. You can use it as a benchmark to check whether your own code and its dependencies are straying from the recommended path. You can copy and paste the code to fit your needs (and I won't go berserk if you don't attribute me). You can pass around URLs to the code, if useful, to recommend improved practices to others.

I'm more than happy to accept PRs for new features with the understanding that they should be rigorously tested, provably secure and in compliance with secure practices.

Current Features

The following features are available and tested as of 18 March 2013:

  1. HTML Output Escaping (SecurityMultiTool\Html\Escaper)
  2. HTML Sanitization (SecurityMultiTool\Html\Sanitizer)
  3. Random Number/Bytes Generator (SecurityMultiTool\Random\Generator)
  4. HTTP Strict-Transport-Security & X-CSRFToken Headers (SecurityMultiTool\Http\Header)
  5. HTTPS Detector (SecurityMultiTool\Http\HttpsDetector)
  6. Sanitized Markdown and BBCode Parsers (SecurityMultiTool\Markdown|BBcode\Parser)
  7. Anti Timing-Attack String Comparison (SecurityMultiTool\String\FixedTimeComparison)
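As an added example that is not part of the original README or of SecurityMultiTool's own code, here is the defence behind item 7: a string comparison whose running time does not depend on where the first mismatching byte lies, written as a standalone PHP function. The function names and the sample values are assumptions.

```php
<?php
// Added example, not SecurityMultiTool's own code: a fixed-time string
// comparison of the kind listed as item 7 above. Names are assumptions.

/**
 * Compare two strings without revealing, through timing, how many leading
 * bytes match. A naive `$a == $b` returns as soon as the first differing
 * byte is found, so a caller who can time responses can recover a secret
 * value byte by byte.
 */
function fixedTimeEquals($known, $user)
{
    if (!is_string($known) || !is_string($user)) {
        return false;
    }
    $knownLen = strlen($known);
    $userLen  = strlen($user);
    if ($knownLen === 0 || $userLen === 0) {
        return $knownLen === $userLen;
    }
    // Fold the length difference into the result instead of returning early;
    // the loop below always runs strlen($known) iterations regardless of input.
    $result = $knownLen ^ $userLen;
    for ($i = 0; $i < $knownLen; $i++) {
        // Index the user string modulo its length so the loop never reads
        // past its end and its work does not depend on the first mismatch.
        $result |= ord($known[$i]) ^ ord($user[$i % $userLen]);
    }
    return $result === 0;
}

/**
 * Typical use: checking a submitted token against the HMAC the server
 * computed. On PHP 5.6+ the built-in hash_equals() should be preferred
 * over a hand-rolled loop.
 */
function verifyToken($secret, $message, $submittedTag)
{
    $expected = hash_hmac('sha256', $message, $secret);
    return fixedTimeEquals($expected, $submittedTag);
}

// Constructed sample values for a quick check.
$secret  = 'example-server-secret';
$message = 'user=42;action=delete';
$tag     = hash_hmac('sha256', $message, $secret);
var_dump(verifyToken($secret, $message, $tag));
var_dump(verifyToken($secret, $message, substr($tag, 0, 63) . 'x'));
```

The comparison still reveals whether the two lengths differ, which is acceptable when the known value has a fixed length such as a hex-encoded HMAC.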

The following libraries are dependencies installed with SecurityMultiTool which you may use independently of SecurityMultiTool:

There is a lot more to come!

Reporting Security Vulnerabilities

If you locate a potential vulnerability in the source code, you should report it directly to [email protected]. I undertake to resolve any such reports within 30 days of receipt, and I will confirm receipt of any report within 3 days. Any resolving source code will be made available to the reporter for review prior to it being committed to this repository. You are free to publicly disclose any vulnerability once it is fixed, or after any period you specify when sending the report, as you should already know.

More Repositories

  1. phpsecurity (Python, 445 stars)
  2. mutagenesis (PHP, 100 stars): A PHP 5.3+ Mutation Testing framework
  3. ZFPlanet (PHP, 59 stars): A simple Blog Planet for aggregating selected feeds
  4. xss (PHP, 45 stars): Examples from The Hitchhiker's Guide To Cross-Site Scripting (XSS)
  5. wibble (PHP, 36 stars): Experiment for: Zend Framework HTML Sanitiser/Manipulator
  6. ZFBlog (PHP, 27 stars): A blogging application developed as part of the "Zend Framework: Surviving The Deep End" book
  7. hasty (PHP, 23 stars): Execute multiple HTTP requests in parallel using PHP Streams
  8. zfproposals (PHP, 13 stars): Pádraic's Zend Framework Proposals
  9. runkit-old (C, 10 stars): Patched PHP runkit extension supporting PHP 5.2 and static methods in classes.
  10. Tweet-Lite (10 stars): A small OAuth enabled Twitter App in PHP written to demonstrate Zend_Oauth_Consumer
  11. mockery-docs (Python, 7 stars): Documentation for the PHP Mockery framework on readthedocs.org
  12. Stickler (PHP, 7 stars): A collection of simplistic source code scanners and configuration tools designed to detect common security vulnerabilities and other potential issues.
  13. wibble-benchmarks (PHP, 6 stars): Simple benchmark comparing the Wibble, HTMLPurifier and HtmLawed HTML Sanitisers for speeeeeeeeeeeed!
  14. php-cvrf (6 stars): An XML reader/writer for the Common Vulnerability Reporting Framework (CVRF) format.
  15. packman (PHP, 4 stars): Prototype packager for PHP source code packages (I omit PEAR deliberately)
  16. zfcache (PHP, 3 stars): Zend Framework Cache Proposals
  17. zfhubbub (PHP, 3 stars): Pubsubhubbub for Zend Framework - Testing/Tweaking Copy
  18. twigvszf (PHP, 2 stars): Benchmarks comparing Twig vs Zend_View templating solutions
  19. wordpress-pubsubhubbub (PHP, 2 stars): Implements a Pubsubhubbub Real-Time Publisher informing Planet Earth of your blog updates now, not later, with support for multiple Hubs and the most recent emerging practices.
  20. SecureSoapClient (PHP, 1 star): A secure by default SoapClient extension for PHP