About the Author

Chris Shiflett

Hi, I'm Chris, a web developer and a founding member of Analog. I live and work in Brooklyn, NY.


PHP Security Experiments

I've been conducting some experiments lately to test a few security hypotheses that I've had as well as feed my curiosity. The success rate of these experiments has been shocking. The most recent experiment is taking place on the Zend forums, although it's over now (I don't want to needlessly spam the place). You'll notice a lot of topics with a subject of PHP Security Experiment, and they're all posted from different IPs (from all over the world). In short, I'm able to send HTTP requests of my choosing from other people's Web agents.

These experiments aren't testing a single piece of software but rather a specific set of vulnerabilities, and I'm chaining them together. I think I could chain them together even more and make them spread like worms. I'll release more details once I figure out how to properly notify the developers of all vulnerable software first (and allow ample time to fix the problems).

I could use some help. If you consider yourself a pretty proficient PHP developer who has a good understanding of the Web, and you'd like to participate, please contact me or leave a comment. I think there is plenty of work and research to be done.

About This Post

PHP Security Experiments was posted on Mon, 01 Nov 2004 at 20:46:32 GMT.

12 Comments

1. Paul M Jones said:

It would be **very** helpful to know the methodology and parameters of your test.

Incidentally, your experimentation could well be perceived as a series of attacks. White-hat though you may be, the manner is still a bit black-hat.

Thanks. :-)

Tue, 02 Nov 2004 at 00:22:33 GMT


2. Steph Fox said:

Au contraire, it's very useful to know where these problems lie - though I have to say it'd be better if we knew in advance that this kind of experiment was taking place!

I've actually asked Chris to try this in other areas of the Zend site now...

Tue, 02 Nov 2004 at 14:08:57 GMT


3. Chris Shiflett said:

My experiments so far have been very benign. In fact, I have developed my own applications in most cases. This helps me determine what types of safeguards I can successfully circumvent.

I'm constantly in communication with people from Zend, so I know that a few harmless posts aren't seen as a threat in any way. Also, in case it isn't clear, the experiment isn't testing a vulnerability in Zend's forums - the vulnerability is what allows me to post from arbitrary Web agents. Zend purposely allows anonymous posts, so there's nothing to really circumvent.

I'll publish more information once I feel confident that doing so won't be harmful.

Wed, 03 Nov 2004 at 01:09:59 GMT


4. Ilia Alshanetsky said:

As long as there are anonymous proxies, people will always be capable of "faking" their IP. Heck, AOL users, due to the nature of AOL proxies, will almost always have different IPs between requests.

Of course faking headers with proxy IP relay information is another easy tactic of masking the "real" source address.

Wed, 03 Nov 2004 at 18:13:11 GMT


5. Chris Shiflett said:

That's true, but I'm not actually faking anything. Rather, the attacks trick other people's Web agents (which includes more than browsers) into sending requests of my choosing. This makes it very easy for me to get around safeguards, regardless of what is being checked - cookies, headers, etc.

Wed, 03 Nov 2004 at 18:45:20 GMT


6. Chris Shiflett said:

It doesn't work against FUDforum. :-)

Fri, 05 Nov 2004 at 18:17:42 GMT


7. Ilia Alshanetsky said:

That's certainly good news :-).

Fri, 05 Nov 2004 at 19:53:41 GMT


8. Ilia Alshanetsky said:

So you are using HTTP redirects to make people unknowingly submit GET or POST (via JavaScript) to a 3rd party site and create a new forum post?

Fri, 05 Nov 2004 at 23:46:36 GMT


9. Chris Shiflett said:

Not HTTP redirects. It's actually a combination of XSS and CSRF, although I've used various approaches, and a few have worked.

I can email you privately if you want details. I'm just trying to be careful.

Sat, 06 Nov 2004 at 06:07:53 GMT


10. Ilia Alshanetsky said:

Please do, I am curious about the methodology and would definitely try it against FUDforum to see how it handles the situation.

p.s. my e-mail is ilia @ the url :-)

Sat, 06 Nov 2004 at 14:17:05 GMT


11. Maxime said:

I am very interested in the way you managed this if you don't mind sending me an e-mail with the methodology to shalombi@msn.com

Wed, 24 Nov 2004 at 13:28:56 GMT


12. Tom said:

I have to admit, it does seem that what goes on behind the scenes never was as easy as originally thought. Think I'll restart building everything I've done ;)

Mon, 14 Feb 2005 at 15:12:42 GMT

