About the Author

Chris Shiflett

Hi, I'm Chris, a web developer and a founding member of Analog. I live and work in Brooklyn, NY.


PHP Security Experiments

I've been conducting some experiments lately to test a few security hypotheses that I've had as well as feed my curiosity. The success rate of these experiments has been shocking. The most recent experiment is taking place on the Zend forums, although it's over now (I don't want to needlessly spam the place). You'll notice a lot of topics with a subject of PHP Security Experiment, and they're all posted from different IPs (from all over the world). In short, I'm able to send HTTP requests of my choosing from other people's Web agents.

These experiments aren't testing a single piece of software but rather a specific set of vulnerabilities, and I'm chaining them together. I think I could chain them together even more and make them spread like worms. I'll release more details once I figure out how to properly notify the developers of all vulnerable software first (and allow ample time to fix the problems).

I could use some help. If you consider yourself a pretty proficient PHP developer who has a good understanding of the Web, and you'd like to participate, please contact me or leave a comment. I think there is plenty of work and research to be done.

About This Post

PHP Security Experiments was posted on Mon, 01 Nov 2004 at 20:46:32 GMT.

12 Comments

1. Paul M Jones said:

It would be **very** helpful to know the methodology and parameters of your test.

Incidentally, your experimentation could well be perceived as a series of attacks. White-hat though you may be, the manner is still a bit black-hat.

Thanks. :-)

Tue, 02 Nov 2004 at 00:22:33 GMT


2. Steph Fox said:

Au contraire, it's very useful to know where these problems lie - though I have to say it'd be better if we knew in advance that this kind of experiment was taking place!

I've actually asked Chris to try this in other areas of the Zend site now...

Tue, 02 Nov 2004 at 14:08:57 GMT


3. Chris Shiflett said:

My experiments so far have been very benign. In fact, I have developed my own applications in most cases. This helps me determine what types of safeguards I can successfully circumvent.

I'm constantly in communication with people from Zend, so I know that a few harmless posts aren't seen as a threat in any way. Also, in case it isn't clear, the experiment isn't testing a vulnerability in Zend's forums - the vulnerability is what allows me to post from arbitrary Web agents. Zend purposely allows anonymous posts, so there's nothing to really circumvent.

I'll publish more information once I feel confident that doing so won't be harmful.

Wed, 03 Nov 2004 at 01:09:59 GMT


4. Ilia Alshanetsky said:

As long as there are anonymous proxies, people will always be capable of "faking" their IP. Heck, AOL users, due to the nature of AOL proxies, will almost always have different IPs between requests.

Of course faking headers with proxy IP relay information is another easy tactic of masking the "real" source address.

Wed, 03 Nov 2004 at 18:13:11 GMT


5. Chris Shiflett said:

That's true, but I'm not actually faking anything. Rather, the attacks trick other people's Web agents (which includes more than browsers) into sending requests of my choosing. This makes it very easy for me to get around safeguards, regardless of what is being checked - cookies, headers, etc.

Wed, 03 Nov 2004 at 18:45:20 GMT


6. Chris Shiflett said:

It doesn't work against FUDforum. :-)

Fri, 05 Nov 2004 at 18:17:42 GMT


7. Ilia Alshanetsky said:

That's certainly good news :-).

Fri, 05 Nov 2004 at 19:53:41 GMT


8. Ilia Alshanetsky said:

So you are using HTTP redirects to make people unknowingly submit GET or POST (via JavaScript) to a 3rd party site and create a new forum post?

Fri, 05 Nov 2004 at 23:46:36 GMT


9. Chris Shiflett said:

Not HTTP redirects. It's actually a combination of XSS and CSRF, although I've used various approaches, and a few have worked.

I can email you privately if you want details. I'm just trying to be careful.

Sat, 06 Nov 2004 at 06:07:53 GMT


10. Ilia Alshanetsky said:

Please do, I am curious about the methodology and would definitely try it against FUDforum to see how it handles the situation.

p.s. my e-mail is ilia @ the url :-)

Sat, 06 Nov 2004 at 14:17:05 GMT


11. Maxime said:

I am very interested in the way you managed this if you don't mind sending me an e-mail with the methodology to shalombi@msn.com

Wed, 24 Nov 2004 at 13:28:56 GMT


12. Tom said:

I have to admit, it does seem that what goes on behind the scenes never was as easy as originally thought. Think I'll restart building everything I've done ;)

Mon, 14 Feb 2005 at 15:12:42 GMT

