Vulnerability Protection

Every now and then a major security flaw is announced or even abused. For sure that's a little bit unpleasant. If you care about the security of your web applications, Nette Framework is frankly the best choice for you.

Cross-Site Scripting (XSS)

Cross-Site Scripting is a site disruption method using unescaped input. An attacker may inject his own HTML or JavaScript code and change the look of the page or even gather sensitive information about users. Protection against XSS is simple: consistent and correct escaping of all strings and inputs. Traditionally, it would be enough if your coder made just one slightest error and forgot once, and the whole website could be compromised.

An example of such an injection may be slipping the user an altered URL, which inserts a “malicious” script. If an application does not escape its inputs properly, such a request would possibly execute a script on the client's side. This may, for example, lead to stolen identity.

http://example.com/?search=<script>alert('XSS attack.');</script>

Nette Framework comes up with a brand new technology of Context-Aware Escaping, which will get you rid of the Cross-Site Scripting risks forever. It escapes all inputs automatically based on a given context, so it's impossible for a coder to accidentally forget something. Consider the following template as an example:

<p onclick="alert({$message})">{$message}</p>

<script>
document.title = {$message};
</script>

The {$message} command prints a variable. Other frameworks do often force developers to explicitly declare escaping, and even what type of escaping based on the context. Yet in Nette Framework you don't need to declare anything. Everything is automatic, consistent and just right. If we set the variable to $message = 'Width 1/2"', the framework will generate this HTML code:

<p onclick="alert(&quot;Width 1\/2\&quot;&quot;)">Width 1/2&quot;</p>

<script>
document.title = "Width 1\/2\"";
</script>

Cross-Site Request Forgery (CSRF)

A Cross-Site Request Forgery attack is that the attacker lures the victim to visit a page that silently executes a request in the victim's browser to the server where the victim is currently logged in, and the server believes that the request was made by the victim at will. Server performs a certain action under the identity of the victim but without the victim realizing it. It can be changing or deleting data, sending a message, etc.

Protecting a web form against Cross-Site Request Forgery in Nette Framework is a matter of this oneliner:

$form->addProtection();

That's all it takes to protect a web form. It's strongly recommended to apply this protection to the forms in an administrative part of your application.

URL Attack, Control Codes, Invalid UTF-8

Different terms all related to the attacker's effort to give your application a “malicious” input. The results may vary greatly, from broken XML outputs (i.e. malfunctioned RSS stream) to getting sensitive information from an database to getting user passwords. Protection against these attacks is consistent UTF-8 check on byte level. And frankly, you would not do that without a framework, right?

Nette Framework does this for you, automatically. You don't have to configure anything at all and your application will be safe.

Session Hijacking, Session Stealing, Session Fixation

Session management involves a few types of attacks. The attacker may steal the victim's session ID or forge one and thus gain access to a web application without the actual password. Then the attacker may do whatever the user could, without any trace. The protection lies in proper configuration of both PHP and the web server itself.

Nette Framework configures PHP automatically. Developers thus do not have to worry about how to make a session protected enough and can fully focus on the key parts of the application. This requires the ini_set() function to be enabled.

Improve this page