If you are a web developer, this article may interest you: it looks at the Snuffleupagus project, which provides a module for the PHP interpreter that hardens the environment and blocks the typical errors that lead to vulnerabilities in running PHP applications.
The module's design is notable because it dramatically increases the work an attacker has to do to succeed against a website, by removing entire classes of errors. It also provides a powerful virtual patching system, which lets the administrator fix specific vulnerabilities and audit suspicious behavior without touching the PHP code.
Snuffleupagus provides a rule system that lets you both use standard templates to increase protection and write your own rules to control input data and function parameters.
It also provides built-in methods to block vulnerability classes such as problems related to data serialization, insecure use of the PHP mail() function, leakage of cookie contents during XSS attacks, problems due to downloading files with executable code (for example, in phar format), and substitution of incorrect XML constructs.
The module also lets the website administrator create virtual patches that fix specific problems without changing the source code of the vulnerable application, which is convenient on mass hosting systems where it is impossible to keep all user applications up to date.
The module's resource overhead is estimated to be minimal. It is written in C and is loaded as a shared library through the "php.ini" file.
Of the security options offered by Snuffleupagus, the following stand out:
- Automatic setting of the "secure" and "samesite" flags (protection against CSRF) for cookies, and cookie encryption.
- Built-in set of rules to identify traces of attacks and of application compromise.
- Forced global "strict" mode, which for example blocks an attempt to pass a string where an integer argument is expected, and protection against type manipulation.
- Blocking of protocol wrappers by default (for example, "phar://"), with explicit whitelisting of the ones that are allowed.
- Prohibition of executing writable files.
- Black and white lists for eval.
- Enabling mandatory validation of the TLS certificate when using curl.
- Add HMAC to serialized objects to ensure that deserialization retrieves the data stored by the original application.
- Request logging mode.
- Block the loading of external files in libxml using links in XML documents.
- Ability to connect external handlers (upload_validation) to verify and scan uploaded files.
- Request dumping capability
- A relatively healthy code base
- A comprehensive test suite with close to 100% coverage
- Each commit is tested on multiple distributions
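The HMAC item in the list above can be illustrated at application level. The following PHP is an added example, not code from Snuffleupagus or from the original article; the function names, the "HMAC appended as hex" layout and the sample key are assumptions made for the illustration.

```php
<?php
// Added illustration of authenticating serialized data with an HMAC.
// Not Snuffleupagus code; the payload layout here is an assumption.

const MAC_ALGO = 'sha256';
const MAC_HEX_LEN = 64; // length of a hex-encoded SHA-256 digest

// Serialize a value and append an HMAC computed with a server-side secret.
function seal($value, string $key): string
{
    $blob = serialize($value);
    return $blob . hash_hmac(MAC_ALGO, $blob, $key);
}

// Verify the trailing HMAC before the blob ever reaches unserialize().
function open_sealed(string $sealed, string $key)
{
    if (strlen($sealed) <= MAC_HEX_LEN) {
        throw new RuntimeException('payload too short to carry an HMAC');
    }
    $blob = substr($sealed, 0, -MAC_HEX_LEN);
    $mac  = substr($sealed, -MAC_HEX_LEN);
    // hash_equals() compares in constant time.
    if (!hash_equals(hash_hmac(MAC_ALGO, $blob, $key), $mac)) {
        throw new RuntimeException('HMAC mismatch: data not written by this application');
    }
    // Defence in depth: do not instantiate classes from stored data.
    return unserialize($blob, ['allowed_classes' => false]);
}

// Constructed sample key and data (placeholders, not real secrets).
$key    = 'constructed-demo-key-change-me';
$sealed = seal(['user' => 'alice', 'role' => 'viewer'], $key);

// Round trip with the correct key and an unmodified payload.
var_dump(open_sealed($sealed, $key));

// Constructed modification in storage: same length, different role.
$modified = str_replace('viewer', 'admin!', $sealed);
try {
    open_sealed($modified, $key);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The check runs before unserialize() is called, so data that did not come from the application holding the key is never parsed.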
The module is currently at version 0.5.1, which stands out for better support for PHP 7.4 and for compatibility with the PHP 8 branch (which is currently under development).
In addition, the default rule set has been updated, and new rules have been added for newly discovered vulnerabilities and techniques for attacking web applications.
How to install Snuffleupagus on Linux?
Finally, those interested in trying this module, whether in pentests of their applications or simply to increase the security of those applications, should go to the official website of the module, where the download section has instructions for several Linux distributions.
Alternatively, the module can be installed from source code by following the project's detailed instructions.
Last but not least, if you want to know more about it, you can read the documentation or obtain the source code for review.