Find out some of the sneaky ways the web’s favourite language-to-hate can give unsuspecting users just enough rope to hang themselves with. Take a slightly deeper dive into a few real-world bugs, and see how to (hopefully) avoid them in your own code.
Links from the end of the talk:
PHP The Right Way - http://www.phptherightway.com/
PHP: A fractal of bad design
https://eev.ee/blog/2012/04/09/php-a-fractal-of-bad-design/
WordPress vulnerability discussed:
https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html
Simple Machines Forum vulnerability discussed:
https://www.alertlogic.com/blog/writing-exploits-for-exotic-bug-classes-php-type-juggling/
ExpressionEngine vulnerability discussed:
https://foxglovesecurity.com/2017/02/07/type-juggling-and-php-object-injection-and-sqli-oh-my/
OWASP resources (both of these are “work in progress” / drafts):
https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet
https://www.owasp.org/index.php/PHP_Configuration_Cheat_Sheet
https://www.owasp.org/index.php/PHP_Object_Injection
PHP Configuration Checker (php.ini):
https://github.com/sektioneins/pcc
All about shell escaping and PHP:
https://gist.github.com/Zenexer/40d02da5e07f151adeaeeaa11af9ab36
List of static analysis tools for PHP:
https://github.com/exakat/php-static-analysis-tools
Gary Bernhardt’s “WAT” talk:
https://www.destroyallsoftware.com/talks/wat