Jump to content
SirGod

Snuffleupagus - PHP 7 security module

Recommended Posts

Posted

Snuffleupagus is a PHP 7+ module designed to drastically raising the cost of attacks against website, by killing entire bug classes, and also providing a powerful virtual-patching system, allowing administrator to fix specific vulnerabilities and audit suspicious behaviours without having to touch the PHP code.

 

Snuffleupagus has a lot of features that can be divided in two main categories: bug-classes killers and virtual-patching. The first category provides primitives to kill various bug families (like arbitrary code execution via unserialize for example) or rise the cost of exploitation, the second one is a highly configurable system to patch functions in php itself.

 

Link: https://snuffleupagus.readthedocs.io/

  • Upvote 1
Posted

Da, interesant, cuvinte mari...

 

"We’re kind of killing it by filtering the $, |, ;, ` and & chars in our default configuration, making it a lot harder for an attacker to inject arbitrary commands."

 

-> Si daca aceste caractere sunt folosite in mod constient de developer? Modulul poate crea probleme. La urma urmei, nu prea ai cum sa "kill a bug class" cat timp limbajul iti permite acel "bug class". De exemplu, in Java, pentru a rula un proces de sistem cu "ProcessBuilder", trebuie sa ii dai ca parametri un List<String>, adica un vector unde primul element e comanda (e.g. ls, cat etc.) iar fiecare parametru urmator e un argument. Nu tine cont ca acel parametru contine spatii sau caractere speciale, e tratat ca un argument, ofera un fel de de "Prepared Statements" pentru executia de procese.

 

"The goto payload for XSS is often to steal cookies. Like Suhosin, we are encrypting the cookies with a secret key, the IP of the user and its user-agent. This means that an attacker with an XSS won’t be able to use the stolen cookie, since he (often) can’t spoof the IP address of the user."

 

-> Oare face doar """encryptie""", care e mult prea mult spus daca e vorba doar de adresa IP si de user-agent, sau verifica si adresa IP pe server? 

 

"This feature can’t be deployed on websites that already stored serialized objects (ie. in database)"

 

-> Cred ca acesta e cel mai comun caz, din pacate.

 

Abordarea este interesanta, instalezi un modul si ai scapat de probleme. Insa din motive logice, nu este si nu o sa fie niciodata de ajuns. Problema pleaca de mai sus, daca ii permiti unui user sa faca rahaturi, si nu il fortezi sa scrie cod sigur, o sa ai probleme. 

  • Upvote 1
Posted

Da, nu e mare branza. Totusi ca si modul de PHP nu prea pot face ceva solutie generala si eficienta. Nu e facut sa fie folosit enterprise sau oricine altcineva care vrea securitate. Eu ii vad locul pe ceva siteuri mici care nu isi permit sa angajeze developeri sau sa faca pentest si vor ceva rapid, usor de instalat si ce ofera un oarece sentiment (fals) de securitate. 

  • Upvote 1

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...