Vulnerability Protection

Every now and then a major security flaw is announced, or even exploited in the wild. That is never pleasant. If you care about the security of your web applications, Nette Framework is frankly the best choice for you.

Cross-Site Scripting (XSS)

Cross-Site Scripting is an attack that exploits unescaped input. An attacker may inject their own HTML or JavaScript code into the page, change its appearance, or even gather sensitive information about its users. Protection against XSS is simple in principle: consistent and correct escaping of all strings and inputs. Traditionally, though, a single slip by a coder, one forgotten escape, was enough to compromise the whole website.

One example of such an injection is tricking the user into opening an altered URL that carries a “malicious” script. If the application does not escape this input properly, the request causes the script to execute on the client side. This may, for example, lead to a stolen identity.

http://example.com/?search=<script>alert('XSS attack.');</script>

Nette Framework comes with a technology called Context-Aware Escaping, which removes the risk of Cross-Site Scripting entirely. It escapes every printed variable automatically according to the context it appears in, so a coder cannot accidentally forget to do it. Consider the following template as an example:

<p onclick="alert({$message})">{$message}</p>

<script>
document.title = {$message};
</script>

The {$message} command prints a variable. Other frameworks often force developers to declare escaping explicitly, and even to choose the type of escaping according to the context. In Nette Framework you don't need to declare anything: everything is automatic, consistent and just right. If we set the variable to $message = 'Width 1/2"', the framework generates this HTML code:

<p onclick="alert(&quot;Width 1\/2\&quot;&quot;)">Width 1/2&quot;</p>

<script>
document.title = "Width 1\/2\"";
</script>

Cross-Site Request Forgery (CSRF)

Cross-Site Request Forgery is an attack in which the victim is lured to the attacker's own web page, which silently sends a request to a site where the victim is currently logged in. It is for instance possible to edit or delete an article without the victim realizing it. Protection against this attack consists of generating and verifying an authorization token.

Protecting a web form against Cross-Site Request Forgery in Nette Framework is a matter of this one-liner:

$form->addProtection();

That's all it takes to protect a web form. It is strongly recommended to apply this protection to the forms in the administrative part of your application.
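What addProtection() hides behind one line is the generate-and-verify token mechanism described above. The following is an added Python example of that mechanism, not Nette's implementation: the token layout, the function names generate_csrf_token and verify_csrf_token, and the idea of keying the HMAC with a per-session secret are this example's own assumptions. The attacker's page can make the victim's browser send a request, but it never sees the session secret, so it cannot produce a token that verifies.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Added example of a CSRF token bound to the user's session and to one form.
# Not Nette's code; the token format is this example's own.


def _mac(session_secret: bytes, form_name: str, nonce: str) -> str:
    """HMAC-SHA256 over the form name and nonce, keyed with the session secret."""
    return hmac.new(session_secret, f"{form_name}:{nonce}".encode(), hashlib.sha256).hexdigest()


def generate_csrf_token(session_secret: bytes, form_name: str) -> str:
    """Issue a token when the form is rendered.

    Layout: <nonce>.<mac>. The random nonce makes every token unique; the MAC
    ties it to the session secret, which a cross-site attacker never obtains.
    """
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_secret, form_name, nonce)}"


def verify_csrf_token(session_secret: bytes, form_name: str, token: Optional[str]) -> bool:
    """Check the token when the form is submitted.

    A missing or malformed token fails closed. hmac.compare_digest keeps the
    comparison constant-time, so a forged token leaks nothing through timing.
    """
    if not token or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    return hmac.compare_digest(mac, _mac(session_secret, form_name, nonce))


if __name__ == "__main__":
    # Constructed session secret; in a real application it lives in the server-side session.
    secret = secrets.token_bytes(32)
    token = generate_csrf_token(secret, "editArticle")
    print(verify_csrf_token(secret, "editArticle", token))                   # True: genuine submission
    print(verify_csrf_token(secret, "deleteArticle", token))                 # False: token issued for another form
    print(verify_csrf_token(secrets.token_bytes(32), "editArticle", token))  # False: another user's session
    print(verify_csrf_token(secret, "editArticle", None))                    # False: forged request carries no token
```

The token is rendered into the form as a hidden field and checked before the action runs; a request arriving from the attacker's page either has no token or one minted for a different session, and both are rejected.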

URL attack, control codes, invalid UTF-8

These are different names for the same thing: an attacker's effort to feed your application “malicious” input. The results vary greatly, from broken XML output (e.g. a malfunctioning RSS feed) to the disclosure of sensitive information from the database, or even of user passwords. The protection against these attacks is a consistent UTF-8 validity check at the byte level. And frankly, you would not do that without a framework, right?

Nette Framework does this for you, automatically. You don't have to configure anything at all and your application will be safe.
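To show what a byte-level check rejects, here is an added Python example; it is not Nette's code, and the function name check_input and the sample inputs are this example's own constructions. Python's strict UTF-8 decoder refuses the classic malformed sequences (an invalid lead byte, an overlong encoding of "/", an encoded UTF-16 surrogate); control codes survive decoding, so they are filtered separately.

```python
import re
from typing import Optional

# Added example of a byte-level UTF-8 and control-code check; not Nette's code.
# C0 control characters (except TAB, LF and CR) and DEL are rejected, together
# with any byte sequence that is not well-formed UTF-8.
_CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


def check_input(raw: bytes) -> Optional[str]:
    """Return the decoded string if `raw` is safe to pass on, otherwise None.

    The strict decoder raises on invalid lead bytes, overlong encodings
    (e.g. C0 AF for "/") and encoded surrogates (ED A0 80). A NUL byte or an
    escape sequence decodes fine, so those are caught by the regex instead.
    """
    try:
        text = raw.decode("utf-8", errors="strict")
    except UnicodeDecodeError:
        return None
    if _CONTROL_CHARS.search(text):
        return None
    return text


# Constructed inputs: two legitimate, the rest the kinds of bytes the text warns about.
SAMPLES = {
    "plain ascii": b"Width 1/2",
    "czech text": "Čeština".encode("utf-8"),
    "invalid lead byte": b"\xff",
    "overlong slash": b"\xc0\xaf",
    "utf-16 surrogate": b"\xed\xa0\x80",
    "nul byte": b"abc\x00def",
    "terminal escape": b"\x1b[31mred",
}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        verdict = "ok" if check_input(raw) is not None else "rejected"
        print(f"{name:18} -> {verdict}")
```

Applied to every request parameter before it reaches the database or an XML writer, this is the check that keeps an RSS feed well-formed and a query free of bytes it was never meant to see.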

Session hijacking, session stealing, session fixation

Session management is exposed to a few types of attack. The attacker may steal the victim's session ID or forge one, and thus gain access to the web application without the actual password. The attacker may then do whatever the user could, without leaving any trace. The protection lies in the proper configuration of both PHP and the web server itself.

Nette Framework configures PHP automatically. Developers thus do not have to worry about how to make a session protected enough and can fully focus on the key parts of the application. This requires the ini_set() function to be enabled.
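The PHP side of that "proper configuration" is a handful of session directives in php.ini (or set through ini_set()). The following added Python example audits a php.ini fragment for them; it is not Nette's code and does not claim to list the settings Nette applies. The directive names are real PHP ini keys; the chosen values, the parse_php_ini and audit_session_ini functions and the two sample configurations are this example's own. One caveat: session.cookie_secure is only correct for a site served over HTTPS, since the browser will otherwise never send the cookie back.

```python
from typing import Dict, List

# Added example: audit the php.ini session directives that mitigate session
# hijacking, stealing and fixation. Directive names are real PHP ini keys;
# the list and the sample files below are this example's own, not Nette's.

# directive -> (secure value, whether PHP's built-in default is already secure)
_BOOLEAN_DIRECTIVES = {
    "session.use_strict_mode": (True, False),   # reject IDs the server never issued (fixation)
    "session.cookie_httponly": (True, False),   # scripts cannot read the cookie (hijacking via XSS)
    "session.cookie_secure": (True, False),     # cookie sent only over HTTPS (stealing on the wire)
    "session.use_only_cookies": (True, True),   # never accept the ID from the URL
    "session.use_trans_sid": (False, True),     # never append the ID to links
}
_SAMESITE_OK = ("lax", "strict")                # session.cookie_samesite; unset or None lets it cross sites


def parse_php_ini(text: str) -> Dict[str, str]:
    """Minimal php.ini reader: 'key = value' lines, ';' comments, optional quotes."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key.lower()] = value.strip("\"'")
    return settings


def _as_bool(value: str) -> bool:
    """PHP accepts 1/On/True/Yes for a boolean directive."""
    return value.strip().lower() in ("1", "on", "true", "yes")


def audit_session_ini(text: str) -> List[str]:
    """Return one finding per directive that leaves sessions exposed."""
    settings = parse_php_ini(text)
    findings: List[str] = []
    for key, (secure, default_secure) in _BOOLEAN_DIRECTIVES.items():
        if key not in settings:
            if not default_secure:
                findings.append(f"{key} is not set and PHP's default is insecure")
        elif _as_bool(settings[key]) != secure:
            findings.append(f"{key} = {settings[key]!r}, expected {int(secure)}")
    samesite = settings.get("session.cookie_samesite", "")
    if samesite.lower() not in _SAMESITE_OK:
        findings.append(f"session.cookie_samesite = {samesite!r}, expected Lax or Strict")
    return findings


# Constructed sample configurations (not taken from any real server).
WEAK_INI = """
; cookie_secure and cookie_samesite are left at PHP's defaults
session.use_strict_mode = 0
session.cookie_httponly = Off
session.use_trans_sid = 1
"""

HARDENED_INI = """
session.use_strict_mode = 1
session.cookie_httponly = On
session.cookie_secure = On
session.cookie_samesite = "Lax"
session.use_only_cookies = 1
session.use_trans_sid = 0
"""


if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(f"{name}: {audit_session_ini(ini) or ['no findings']}")
```

The weak sample produces five findings (two explicit weak values, one ID-in-URL setting, and two directives left at insecure defaults); the hardened sample produces none.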