This document discusses dynamic analysis of PHP web applications. It begins by explaining what dynamic analysis is and its benefits and limitations. It then surveys the current state of tools for PHP dynamic analysis, including code instrumentation tools, patches and extensions for PHP interpreters, and external profiling tools. A key focus is on developing a PHP extension for dynamic analysis, as it allows full control and transparency. The document outlines the capabilities of a PHP extension, such as handling function entry and exit, working with opcodes, and hooking dynamically evaluated strings. It introduces PVT, a new PHP dynamic analysis tool implemented as a PHP extension, covering its features and providing statistics on its performance. It concludes with plans for further improving PVT and references.
The speech is timed to the coming release of PHP7 and is intended to review the state of the language and to give a slap for those who still hesitate to make use of available features.
No locked doors, no windows barred: hacking OpenAM infrastructureAndrew Petukhov
One of the main functional components of enterprise applications and Internet portals is an authentication and access control system (AuthC/Z). In this presentation, we describe a popular access control system called ForgeRock OpenAM from the external security point of view. We show the scenarios of full enterprise application compromise through complex attacks which employ both LFI and SSRF.
"Ning's ""Your Own Social Network"" application is 160,000 lines of PHP that powers hundreds of thousands of social networks, each different than the others. This talk discusses the static and dynamic analysis techniques that we use at Ning to understand and optimize our platform, including the PHP tokenizer, regular expressions, the vld and xdebug extensions, and the PHP DTrace provider.
"
The purpose of this presentation is to explain the basic resources to understand how a programmer can create malware, insides about the theme, and brainstorms following practical codes and many exotic ideas for security mitigations for defense.
"If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle." ― Sun Tzu, The Art of War
The speech is timed to the coming release of PHP7 and is intended to review the state of the language and to give a slap for those who still hesitate to make use of available features.
No locked doors, no windows barred: hacking OpenAM infrastructureAndrew Petukhov
One of the main functional components of enterprise applications and Internet portals is an authentication and access control system (AuthC/Z). In this presentation, we describe a popular access control system called ForgeRock OpenAM from the external security point of view. We show the scenarios of full enterprise application compromise through complex attacks which employ both LFI and SSRF.
"Ning's ""Your Own Social Network"" application is 160,000 lines of PHP that powers hundreds of thousands of social networks, each different than the others. This talk discusses the static and dynamic analysis techniques that we use at Ning to understand and optimize our platform, including the PHP tokenizer, regular expressions, the vld and xdebug extensions, and the PHP DTrace provider.
"
The purpose of this presentation is to explain the basic resources to understand how a programmer can create malware, insides about the theme, and brainstorms following practical codes and many exotic ideas for security mitigations for defense.
"If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle." ― Sun Tzu, The Art of War
Binary art - Byte-ing the PE that fails you (extended offline version)Ange Albertini
This is the extended offline version of
an overview of the Portable Executable format and its malformations
presented at Hashdays, in Lucerne, on the 3rd November 2012
direct download link: http://corkami.googlecode.com/files/ange_albertini_hashdays_2012.zip
Windows 10 - Endpoint Security Improvements and the Implant Since Windows 2000CTruncer
This talk will initially cover Device Guard, and how it works. After discussing high level methods of attacking Device Guard, we will go into detail on WMImplant, a tool which can be used to operate on Device Guard protected systems.
A beginner level presentation made for c0c0n 2013 to talk about some basic modules of python which can be used in routine penetration testing exercises.
A one hour tutorial on daily work enhancements provided by the PHP debugging extension Xdebug.
Attention: This is a pre-release of the raw slides used in the presentation. A condensed version, including screeshots, might follow later.
Threat Modeling: Applied on a Publish-Subscribe Architectural StyleDharmalingam Ganesan
1. Introduction to threat modeling.
2. Applying threat modeling to identify security vulnerabilities and security threats on a simplified real-world system.
A Battle Against the Industry - Beating Antivirus for Meterpreter and MoreCTruncer
This talk goes over how stagers work in a different manner. Rather than standard function calls, I show how to utilize the same functionality in a slightly different way. It talks about Veil-Evasion, and a signature that was developed for it. Finally, I get into custom code and showcase three pieces of custom code that completely bypass antivirus.
This talk is about why I believe having the ability to write tools and/or scripts can help elevate a Pen Testers game to the next level.
The talk is case study driven by the different scenarios I've encountered on assessments and the scripts or tools that have been developed as a result.
Binary art - Byte-ing the PE that fails you (extended offline version)Ange Albertini
This is the extended offline version of
an overview of the Portable Executable format and its malformations
presented at Hashdays, in Lucerne, on the 3rd November 2012
direct download link: http://corkami.googlecode.com/files/ange_albertini_hashdays_2012.zip
Windows 10 - Endpoint Security Improvements and the Implant Since Windows 2000CTruncer
This talk will initially cover Device Guard, and how it works. After discussing high level methods of attacking Device Guard, we will go into detail on WMImplant, a tool which can be used to operate on Device Guard protected systems.
A beginner level presentation made for c0c0n 2013 to talk about some basic modules of python which can be used in routine penetration testing exercises.
A one hour tutorial on daily work enhancements provided by the PHP debugging extension Xdebug.
Attention: This is a pre-release of the raw slides used in the presentation. A condensed version, including screeshots, might follow later.
Threat Modeling: Applied on a Publish-Subscribe Architectural StyleDharmalingam Ganesan
1. Introduction to threat modeling.
2. Applying threat modeling to identify security vulnerabilities and security threats on a simplified real-world system.
A Battle Against the Industry - Beating Antivirus for Meterpreter and MoreCTruncer
This talk goes over how stagers work in a different manner. Rather than standard function calls, I show how to utilize the same functionality in a slightly different way. It talks about Veil-Evasion, and a signature that was developed for it. Finally, I get into custom code and showcase three pieces of custom code that completely bypass antivirus.
This talk is about why I believe having the ability to write tools and/or scripts can help elevate a Pen Testers game to the next level.
The talk is case study driven by the different scenarios I've encountered on assessments and the scripts or tools that have been developed as a result.
Analysis of the 2016 Unified Tertiary Matriculation
Examination (UTME) covers -
Application by Faculty
Application by Course of Study
Application by School ownership
Application by School Type
Application by School Location
Trends of UTME application over the years
Построение процесса безопасной разработки - Стачка 2016Valery Boronin
Безопасность - критически важный элемент любого программного решения. Элемент, который, рано или поздно, но заставит вспомнить о себе. Скупой платит дважды, а в данном случае – минимум четырежды. Безопасность и качество кода – связаны напрямую. Поэтому положение дел и с тем и с другим редко находят достаточно хорошим даже в самых успешных проектах – всегда хочется бОльшего. А где-то бывает просто необходим качественный переход и точечными мерами кардинально ситуацию уже не исправить, нужен системный подход.
Вот почему наладить процесс обеспечения и повысить уровень зрелости безопасности разработки, повысить качество кода – хотят многие руководители и разработчики. Как это сделать системно и в согласии? Какие риски для одних, какие трудозатраты для других? И стоит ли овчинка выделки? Об этом и поговорим.
2016/05/10: загружена версия для оффлайна.
Talk about how to design code that helps one to avoid some of the issues identified on OWASP top 10. Domain Driven Security is one of the main tools to achieve this.
Social Intelligence 2.0 ist ein ganzheitliches Kommunikationsmodell, welches die Elemente Philosophie, Partizipation, Kompetenz und Inhalt verbindet und mit internen wie externen Akteuren mittels digitaler Kommunikationskanäle nachhaltig gestaltet.
Das Social-Intelligence-Modell bietet Unternehmen im B2C- wie B2B-Bereich einen strategischen Rahmen, um Kommunikationswege und -prozesse auf Basis digitaler Kommunikationskanäle nachhaltig zu gestalten und zu optimieren. Der Austausch über Soziale Netzwerke spielt hierbei eine entscheidende Rolle und geht von der Annahme aus, dass Social Media weiter wachsen und differenzierter wird.
The Business Analyst Role Within Solution Driven Projects IIBA UK Chapter
Slides from a presentation given by Stuart Peek to a meeting of IIBA UK's South West branch on 22 October 2014.
Many Business Analysts cherish the opportunity to be involved in strategic thinking with business stakeholders. However, what happens when a Business Analyst is engaged in solution-driven projects with little involvement in those early stages? Furthermore, how can a Business Analyst support business change without even a BRD to put their name to? The role of a Business Analyst may differ slightly within these environments, but that does not reduce the value they add. Indeed, solid application of Business Analysis skills is fundamental to enabling success. Attendees will benefit from experience and learnings of the speaker in this field, and be more prepared should they encounter similar scenarios.
You will learn:
- The importance of Business Analysts in solution driven projects
- How Business Analysts needs to adapt
- How Business Analysts should engage with stakeholders
- The dangers of omitting Business Analysts
- The business benefits enabled by effectively utilising Business Analysts
Tracing MariaDB server with bpftrace - MariaDB Server Fest 2021Valeriy Kravchuk
Bpftrace is a relatively new eBPF-based open source tracer for modern Linux versions (kernels 5.x.y) that is useful for analyzing production performance problems and troubleshooting software. Basic usage of the tool, as well as bpftrace one liners and advanced scripts useful for MariaDB DBAs are presented. Problems of MariaDB Server dynamic tracing with bpftrace and some possible solutions and alternative tracing tools are discussed.
Dynamic tracing of MariaDB on Linux - problems and solutions (MariaDB Server ...Valeriy Kravchuk
Linux with kernels 2.6+. provides different ways to add user probes to almost every other line of code dynamically, and collect the resulting trace and profiling data in a safe and efficient way. This session discusses basic use of ftrace, perf, bcc tools and bpftrace utility, highlights typical problems MariaDB DBAs and developers may hit while trying to apply them, as well as solutions to some of them.
DevConf 2016
"Развитие ветки PHP-7", Дмитрий Стогов (Zend Technologies)
Я расскажу о внутреннем устройстве PHP-7.0, изменениях готовящихся в PHP-7.1 и планах на PHP-7.2.
Linux kernel tracing superpowers in the cloudAndrea Righi
The Linux 4.x series introduced a new powerful engine of programmable tracing (BPF) that allows to actually look inside the kernel at runtime. This talk will show you how to exploit this engine in order to debug problems or identify performance bottlenecks in a complex environment like a cloud. This talk will cover the latest Linux superpowers that allow to see what is happening “under the hood” of the Linux kernel at runtime. I will explain how to exploit these “superpowers” to measure and trace complex events at runtime in a cloud environment. For example, we will see how we can measure latency distribution of filesystem I/O, details of storage device operations, like individual block I/O request timeouts, or TCP buffer allocations, investigating stack traces of certain events, identify memory leaks, performance bottlenecks and a whole lot more.
Doing Quality Assurance in PHP projects sometimes looks like a dark art! Picking the right tools, making all tools work together, analysing your code and even then deliver all the required features of the software project can be quite challenging.
This talks aims to help lowering the entry barrier for doing QA on your project, sharing the experience, knowledge and some tricks that brings QA back from the dark arts to the every day of a PHP programmer.
We will review tools like Jenkins, PHPUnit, phpcs, pdepend, phpcpd, etc and how we can chain them together to make sure we are building a great software.
More on bpftrace for MariaDB DBAs and Developers - FOSDEM 2022 MariaDB DevroomValeriy Kravchuk
bpftrace is a relatively new open source tracer for modern Linux (kernels 5.x.y) that may help to troubleshoot performance issues in production as well as to get insights on how software really works. I use it for a couple of years and would like to present more details on how to do it efficiently, including but not limited to adding user probes to different lines of the code inside functions, checking values of local variables and using bpftrace as a code coverage tool.
Why I like PHPStorm
Advantages of Using Docker
Client, Docker Host, Registry
Docker Usage
Solr Docker File
Every Day Docker Commands
Docker Search
One Line Scripts
Portainer
Kinematic
Docker Compose
Grafana
Coding style guide
PHPCS/MD
Documentation Rules
Xdebug
Postman
Slides for a presentation on advanced PHP (object-orientation, frameworks, security and debugging) given for the CS25010 web development module at Aberystwyth University.
2018 cosup-delete unused python code safely - englishJen Yee Hong
The talk is about doing cleanup and refactor for legacy Python code base in a safer way. I introduced several existing tools for this task and demonstrated how (surprisingly) Python ast module can also help in this case.
中文摘要:
不管是 open source 專案還是工作上,經過長時間開發累積,source code 內可能會殘留許多不再需要的 code,造成維護以及 refactor 的困難,也造成新手 trace code 時的障礙。
對 C/C++ 這類編譯式語言來說,開啟編譯器最佳化能自動清除 dead code,但對於 Python 這類動態語言,則沒有公認完美的方法。
本議程分享一些相關經驗,佐以利用 Python AST 的簡易自製工具,討論如何從較複雜的 python source tree 中,安全的清除不再需要的 code。
Code: https://github.com/PCMan/python-find-unused-func
2019: A Local Hacking Odyssey - MITM attack against password manager @ BSides...Soya Aoyama
How many sites do you use? Is the password long enough and secure? Do not tell me you reused it. Unfortunately, we have not a memory good enough to remember so many passwords long and secure. For this reason, there are several companies providing password management applications. However, are they really secure?
I have executed a man-in-the-middle attack against a certain password management application. Surprisingly, the password was exchanged in plain text between .exe and .dll, and it was very easy to steal it. The program I created is generic and, under certain conditions, can steal information between all .exe and .dll in Windows. In this talk, I will demonstrate the actual attack, and provide technical explanations to enable this attack. And finally, I suggest ways to protect other apps from this attack.
The why and how of moving to PHP 5.5/5.6Wim Godden
With PHP 5.6 out and many production environments still running 5.2 or 5.3, it's time to paint a clear picture on why everyone should move to 5.5 and 5.6 and how to get code ready for the latest version of PHP. In this talk, we'll look at some handy tools and techniques to ease the migration.
Extending MariaDB with user-defined functionsMariaDB plc
Learn how to write user-defined functions (UDFs) as stored functions or C/C++ extensions. While MariaDB Server provides a wide range of built-in functions defined in the SQL specification, some applications can benefit from custom-built, server-side functions. Want to build a function to calculate the Tanimoto coefficient between two chemical compounds or genes? In this advanced session, MariaDB's Andrew Hutchings and Sylvain Arbaudie will get you started writing UDFs that could give you a leg up on the competition.
Practical tips for dealing with projects involving legacy code. Covers investigating past projects, static analysis of existing code, and methods for changing legacy code.
Presented at PHP Benelux '10
Workflow story: Theory versus Practice in large enterprises by Marcin PiebiakNETWAYS
Uphill battle against large enterprise it environments and IT corporate culture. How those difficulties turned out opportunities and clever implementations. Interesting modules, integrations and workflow pieces.
Similar to Dynamic PHP web-application analysis (20)
2. Who am I?
○ independent computer security researcher -
bug-hunter
○ in past doing web application security
analysis and pentesting
○ author of several articles in russian IT-
security printed magazine "Xakep"
○ senseless browser bug slayer
2
3. Outline
i. About dynamic analysis
ii. Dynamic analysis today
iii. PHP extension capabilities
iv. PVT extension
3
4. So, what was dynamic
analysis about?
i. About dynamic analysis
5. Dynamic analysis
DA is a properties inspection of running
application:
1. prepare environment & run application
2. collect run-time data
3. analyse data
In general used for: profiling, code coverage,
tracing, etc.
5
6. Why dynamic analysis?
○ operate with real data values - is known
which function which arguments has, return
values, etc.
○ avoid static analysis false positives (more
efficient is a combination of DA & SA)
○ easier to analyse obfuscated code
6
7. Why not dynamic analysis?
○ single dynamic analysis can not cover all
code paths
○ can be slow - depends on implementation,
computing powers, LoC
○ may depend on environment - OS, bits, PHP
versions, etc.
○ may be dangerous to execute code without
knowing what results will be (e.g.
malicious)
7
8. DA tools implementations (general)
● code instrumentation
○ source code
○ compile-time
○ execution/run-time
● patches and extensions for compiler or
interpreter
● external (e.g. system) tools
8
9. DA tools implementations (PHP)
● code instrumentation
○ source code (web-application)
○ compile-time
○ execution/run-time
● patches and extensions for compiler or
interpreter
● external (e.g. system) tools
9
10. State of PHP dynamic
analysis as of today
ii. Dynamic analysis today
11. Tools - code instrumentation
○ PHP Vulnerability Hunter
autosectools.com/PHP-Vulnerability-Scanner
Author: John Leitch
○ Saner*
iseclab.org/papers/oakland-saner.pdf
Authors: Davide Balzarotti, Marco Cova, Vika Felmetsger, Nenad Jovanovic, Engin Kirda,
Christopher Kruegel, Giovanni Vigna
○ WAFA*
research.cs.queensu.ca/~cordy/Papers/ACD_WSE09_WAFA.pdf
Authors: Manar H. Alalfi, James R. Cordy, Thomas R. Dean
○ PHP Aspis
https://github.com/jpapayan/aspis
Authors: Dr Peter Pietzuch, Dr Matteo Migliavacca, Ioannis Papagiannis
11
* Tool was not found in public access
12. Tools - PHP interpreters
○ Taint support for PHP
https://wiki.php.net/rfc/taint
Author: Wietse Venema
12
14. Tools - PHP interpreters
○ Taint support for PHP
https://wiki.php.net/rfc/taint
Author: Wietse Venema
○ CORE Grasp
grasp.coresecurity.com/
Author: CoreLabs
○ PHPrevent*
cs.virginia.edu/nguyen/phprevent/
Authors: Anh Nguyen-Tuong, Salvatore Guarnieri, Doug Greene, Jeff Shirley, David Evans
* Tool was not found in public access 14
18. Tools - miscellaneous
Xdebug +(KCachegrind, PHPUnit, php-code-
coverage, NetBeans IDE), XHProf, pfff
As well there should exist unknown tools -
small, private and unreleased.
18
19. Our choice - PHP extension
○ transparent to web-application - no
influence on code and execution path
○ full control over web-application - dump
values of variables, trace functions, taint
variables, etc.
19
20. Developing PHP extension?
○ no actual documentation - blog-posts,
outdated book and couple of chapters:
○ Expert PHP and MySQL - Andrew Curioso, Ronald Bradford, Patrick
Galbraith, 2010 (Chapter)
○ Extending and Embedding PHP - Sara Golemon, 2006
○ Advanced PHP Programming - George Schlossnagle, 2004 (Chapter)
○ may be intimidating to follow PHP changes
○ up-to-date source of information are
another extensions source code (Suhosin,
bytekit, XDebug)
○ http://lxr.php.net/ - PHP source code search via OpenGrok
20
21. What is a PHP extension
capable of?
iii. PHP extension capabilities
23. Handle function entry and exit
Register every executing function and have
access to all data functions works with:
○ trace execution path and generate call
graph later
○ understand application architecture
○ explore application executed paths and detect
yet unexplored areas
○ intercept identifiers when passing data
to any function
23
24. Handle function entry and exit
// execute_internal() doesn't catch nested internal function calls (calllbacks)
static void foobar_execute_internal(zend_execute_data *execute_data_ptr, int return_value_used
TSRMLS_DC)
{
[...]
// Here Zend internal functions gets executed
// Work with stuff like opcodes, variables, handle function entries.
execute_internal(execute_data_ptr, return_value_used TSRMLS_CC);
// Here is possible to handle function exits.
}
static void foobar_execute(zend_op_array *op_array TSRMLS_DC)
{
[...]
// Here user functions gets executed
// Work with stuff like opcodes, variables, handle function entries.
old_execute(op_array TSRMLS_CC);
// Here is possible to handle function exits.
}
24
25. Implement functions and classes
Implementing own PHP internal classes and
functions allow to extend PHP functionality for
different use:
○ fighting with bottlenecks, optimize
execution time
○ utilize OS-specific functionality
○ extend web-application capabilities
○ provide debugging and profiling facilities
25
26. Work with opcode
PHP allows complete control over every
opcode:
○ dump opcodes on the fly and observe
them later for low-level analysis (e.g. for
obfuscated code)
○ set opcode handler for complete control
over application
26
28. Hook dynamically evaluated strings
Catch every dynamically executed string and
log it - see what happens inside of
○ eval(), create_function()
○ assert(),
○ preg_replace() with "e"
28
30. Set Zend extension callbacks
Zend provides possibility to set various
handlers for more fine-grained control:
○ statement handler, allows:
○ single stepping through code
○ profiling
○ implement stepping debugger
○ function entry/exit handlers
○ op_array manipulation
30
34. New PHP dynamic analysis tool
Named PVT - PHP Vulnerability Tracer:
○ the idea of PVT is to provide tools to assist
in web-application security audit
○ the aim of PVT is to be transparent to web-
application, fully-automated, easy to use
and highly customizable - achieved via
being PHP extension.
34
35. PVT - Swiss knife
○ draws dynamic code execution graphs
(allows code navigation)
○ hooks all eval'd strings
○ catches your marker in arguments of
function or just every argument in every
function
○ can dump chosen or all variables
○ opcode dumper for low-level analysis
○ settings for each module
35
36. PVT - Swiss knife
* namings may change later 36
37. Sounds good?
○ may be slow as hell if you switch too many
modules or run it on heavy web-application
○ works only on Linux*
○ works only on PHP 5.2/5.3
○ may be not very comfortable in use - logs
are plain text files, needs dot, requires Perl
...
37
38. Statistics
Statistics shown are for Wordpress 3.4. (opening simple pages like index.php)
Title Time, seconds
1 Without PVT 0.14
2 All modules switched On 16.67
3 dump_ops = On 9.45
4 All modules On except dump_ops 6.45
5 catch_marker = On 4.79
6 dump_vars = On 1.18
7 trace_func = On 0.64
8 eval_hook = On 0.16
38
40. In perspective
○ speed optimization (priority)
○ add variable tracing
○ connect logs and graph
○ data tainting (?)
○ opcode graphs
○ convenient logs management
○ find and eliminate bugs
You can help with ideas and bug reports!
40