Explore a conference talk on Snuffleupagus, an open-source PHP security module designed to address vulnerabilities in PHP 7 applications. Learn about its features for passively eliminating PHP-specific bug classes and implementing virtual-patching at the PHP level. Discover how this tool allows for precise, false-positive-free, and low-overhead vulnerability patching without modifying application code. Gain insights into PHP security, including topics such as disabling functions, filtering content, handling PHP eval, and addressing XML external entities. Understand the performance impact and benefits of using Snuffleupagus in secure web hosting environments.
Snuffleupagus - Killing Bugclasses in PHP 7, Virtual-Patching the Rest
Overview
Syllabus
Intro
What we already do
PHP
PHP Documentation
ThroughScene
Snuffleupagus
Babar
PHP eval
Disable function
Disable function call
Complex rules
Drop call to internalfunc
Filter unviable content
Code examples
PHP features
System function
Male
Roaming
Cookies
Documentation
Analyzing documentation
PHP special object
How we are killing it
XML external entities
Demos
Authentication bypass
Post variable
Remote code
Blacklisting
Deadening
Performance Impact
Sloppy Comparison
Release Party
PHP Energy
Reddit
Taught by
Cooper
