Since you can get the (redacted) slides here, I won't repeat their content here, except the most prominent features:
- Unserialize-based code execution
- Cookie-stealing XSS
- Weak entropy generation via
- External Entities XXE
- Overly permissives
By allowing the following filters on function execution, by explicit value or regexp:
- Complete path of the filename
- Hash of the filename
- Name of the function
- Return value of the function
- Any parameter of the function, even in nested arrays
- The name of the namespace the function belongs to
- The name of the class the function (yes, methods are functions in php) belongs to
- Log or/and dump the request if a rule matched, allowing you to harvest free vulnerabilities
Either natively as an option, or in the set of default rules:
- Forbidding execution of writeable files
- Calling a program upon script upload to take the decision to quarantine it or not
- Detection of suspicious calls, like
- Detection of
We have more mitigations and bug-classes slaughter planned (sloppy comparisons, SQLI, …), and odds are that we'll publish a paper along with the project.
We're planning to open-source it in a couple of weeks, feel free to shoot us an email at the address mentioned in the slides (or to idle on #websec) if you want to be part of the alpha.
About BerlinSides, as usual, the talks were mostly interesting and varied: an introduction to the hardenedbsd project, exploitation of hardware older than me, partial-emulation assisted fuzzing of embedded device (by someone from the tasteless ctf team), functional programming (with a pen on a real overhead-projector), interesting réflexions on type-safety, … and the mandatory talk about how broken the IoT is.
Kudos to aluc for organizing it every year.