SirGod, posted September 26, 2017

Snuffleupagus is a PHP 7+ module designed to drastically raise the cost of attacks against websites, by killing entire bug classes, and also providing a powerful virtual-patching system, allowing administrators to fix specific vulnerabilities and audit suspicious behaviours without having to touch the PHP code. Snuffleupagus has a lot of features that can be divided into two main categories: bug-class killers and virtual patching. The first category provides primitives to kill various bug families (like arbitrary code execution via unserialize, for example) or raise the cost of exploitation; the second one is a highly configurable system to patch functions in PHP itself.

Link: https://snuffleupagus.readthedocs.io/
Nytro, posted September 26, 2017

Yes, interesting, big words...

"We're kind of killing it by filtering the $, |, ;, ` and & chars in our default configuration, making it a lot harder for an attacker to inject arbitrary commands." -> And what if those characters are used deliberately by the developer? The module can cause problems. After all, you can't really "kill a bug class" as long as the language allows that "bug class". For example, in Java, to run a system process with "ProcessBuilder", you have to pass it a List<String> as parameters, that is, an array where the first element is the command (e.g. ls, cat, etc.) and each following element is an argument. It doesn't matter whether that parameter contains spaces or special characters, it is treated as an argument; it offers a kind of "Prepared Statements" for process execution.

"The goto payload for XSS is often to steal cookies. Like Suhosin, we are encrypting the cookies with a secret key, the IP of the user and its user-agent. This means that an attacker with an XSS won't be able to use the stolen cookie, since he (often) can't spoof the IP address of the user." -> Does it only do """encryption""", which is far too strong a word if it's just about the IP address and the user-agent, or does it also check the IP address on the server?

"This feature can't be deployed on websites that already stored serialized objects (ie. in database)" -> I think this is the most common case, unfortunately.

The approach is interesting: you install a module and your problems are gone. But for logical reasons, it isn't and will never be enough. The problem starts higher up: if you let a user do crap, and don't force them to write secure code, you'll have problems.
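Two of the points raised in the post above, as an added illustration that is not part of the thread and not Snuffleupagus's own code: first, the difference between rejecting shell metacharacters in user input and passing that input as a single argv element (the ProcessBuilder-style "prepared statement" for processes); second, what it takes for a cookie bound to the client's IP address and user-agent to actually prevent reuse, namely the server recomputing and checking the binding on every request. The blocklist (FILTERED_CHARS), the HMAC-based binding, the demo key and the sample IPs and user-agent strings are all constructed assumptions for this example; Snuffleupagus's real cookie scheme may differ.

```python
import hashlib
import hmac
import secrets
import subprocess
import sys
from typing import Optional

# ---- Part 1: metacharacter filtering vs. argument arrays -------------------

# Constructed stand-in for a blocklist of the characters named in the quoted
# text. Note that it also rejects perfectly legitimate input such as "Price in $".
FILTERED_CHARS = set("$|;`&")


def contains_filtered_chars(value: str) -> bool:
    """True if the value would be rejected by the character blocklist."""
    return any(ch in FILTERED_CHARS for ch in value)


def run_with_argv(value: str) -> str:
    """Run a child process with `value` as ONE argv element and no shell.

    Because no shell parses the command line, metacharacters in `value` have
    no special meaning: the child receives them verbatim as a single argument.
    The child is a Python one-liner so the demo needs no external binaries.
    """
    result = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", value],
        capture_output=True,
        text=True,
        check=True,
    )
    return result.stdout


# ---- Part 2: binding a session cookie to client IP and user-agent ----------

def new_session_id() -> str:
    """Random session identifier (hex, so it never contains the '.' separator)."""
    return secrets.token_hex(16)


def issue_cookie(session_id: str, client_ip: str, user_agent: str, key: bytes) -> str:
    """Return '<session_id>.<tag>' where the tag is an HMAC over the session id,
    the client's IP address and its user-agent string, under a server-side key.

    Only the tag is bound to the client; the session id itself stays readable.
    (Integrity, not secrecy, is what stops a stolen cookie from being reused.)
    """
    message = b"\x00".join(part.encode() for part in (session_id, client_ip, user_agent))
    tag = hmac.new(key, message, hashlib.sha256).hexdigest()
    return f"{session_id}.{tag}"


def verify_cookie(cookie: str, client_ip: str, user_agent: str, key: bytes) -> Optional[str]:
    """Recompute the binding from the CURRENT request's IP and user-agent.

    Returns the session id if the tag matches, otherwise None. This server-side
    recomputation is the step that makes the binding meaningful: without it,
    the IP and user-agent in the tag are never compared against anything.
    """
    try:
        session_id, _tag = cookie.rsplit(".", 1)
    except ValueError:
        return None  # malformed cookie, no separator
    expected = issue_cookie(session_id, client_ip, user_agent, key)
    if hmac.compare_digest(expected, cookie):  # constant-time comparison
        return session_id
    return None


if __name__ == "__main__":
    # Input containing a filtered character is rejected by the blocklist even
    # though it is harmless, while the argv approach passes it through intact.
    sample = "quarterly report; totals in $"
    print("blocklist rejects:", contains_filtered_chars(sample))
    print("child received  :", repr(run_with_argv(sample)))

    # Constructed demo key and request attributes (RFC 5737 documentation IPs).
    key = b"constructed-demo-key-do-not-use"
    sid = new_session_id()
    cookie = issue_cookie(sid, "198.51.100.7", "Mozilla/5.0 (demo)", key)
    print("same client     :", verify_cookie(cookie, "198.51.100.7", "Mozilla/5.0 (demo)", key) == sid)
    print("other IP        :", verify_cookie(cookie, "203.0.113.9", "Mozilla/5.0 (demo)", key))
```

The second part also shows the operational cost of the idea: a legitimate user whose address changes mid-session (mobile networks, corporate proxies, IPv6 privacy addresses) fails `verify_cookie` and is logged out, so IP binding trades some usability for the reuse protection, and user-agent binding alone adds little because the attacker who ran the script in the victim's browser already knows that string.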
SirGod (author), posted September 26, 2017

Yes, it's no big deal. Still, as a PHP module they can't really build a general and efficient solution. It isn't made to be used in an enterprise or by anyone else who wants security. I see its place on some small sites that can't afford to hire developers or do a pentest and want something quick, easy to install and that offers some (false) sense of security.