PHPcon Poland 2019
I attended the PHPcon Poland 2019 conference in Szczyrk. It is a small but beautiful town surrounded by mountains. The scenery was perfect.
The conference had a lot of good presentations, and these are the ones I selected:
- Strict programming in PHP
- How your PHP application can get hacked, and how to prevent that from happening?
- Event Sourcing with PROOPH
- 6 Things I Learned as a Lead Developer
- git log: 10 most useful commands to learn everything about a project
- Twelve principles for building high-availability systems
- Agile clean architecture
- Adventures in MySQL – 10 Awesome features you’re probably not using
- Making architecture explicit
I couldn’t attend other talks that I was interested in, and that is my only complaint to the organisers: technical talks were scheduled at the same time, followed by two not very technical talks. They should have been split so that those who were only interested in tech stuff could attend more talks.
While all the talks were good and interesting, there was one which was outstanding, and I will focus on it only.
It was a presentation by Antti Rössi: “How your PHP application can get hacked, and how to prevent that from happening?”.
It was an eye opener for me. One day Antti was surprised that most software houses don’t have a separate position for a software security officer. Developers themselves maintain the security of their code. That is a problem, because it is really hard to follow both software security and code development in IT.
The main message of the talk was that developers have to learn how to think like hackers. And hackers only think about how to break your application in ways you didn’t even imagine.
Disclaimer: this is for educational use only.
One of the examples was a perfectly safe and harmless PHP function that returns a file size, such as filesize(). It seems like there is not much you can do with that. Wrong!
An attacker can use it to execute malicious code, because PHP deserialises an object when such a function is pointed at a specially crafted file (the phar:// stream wrapper unserialises the archive’s metadata), and deserialisation triggers magic methods such as __wakeup() and __destruct(). This is how PHP works. With that, simply letting the code read your nice picture of a cat with malicious code embedded in it gets that code injected into your application. This could, for example, allow editing the Laravel console kernel file where scheduled tasks are defined and adding a task that runs nc (netcat). Pretty scary already, but it gets worse: with nc the attacker can set up a shell connection to your server which has the same privileges as the calling process. If it happens that your cron runs as root on the server, root is what the attacker will get. Good night and goodbye, you have been totally hacked. The even sadder news is that all of this can be achieved by a 12-year-old with not much IT knowledge, just by using publicly available tools.
You can protect yourself from this happening by using validation and sanitisation: never pass a user-controlled path to a file function as-is, restrict it to a known directory, and reject anything that looks like a stream wrapper (phar://, http://, and so on). “Do not trust user input of any format.” Remember that and you can sleep well at night again.
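As an added illustration of the mechanism described above (this is my own example, not code from the talk or from Antti Rössi), the script below builds a phar archive whose metadata is a serialised object of a hypothetical `Gadget` class, then shows that a plain `filesize()` call through `phar://` runs the object’s `__wakeup()` before any size is returned, and how a small validation wrapper rejects such paths. The class, the helper names and the temp-directory paths are all assumptions made for the demo.

```php
<?php
// Added example, not part of the original post or the talk. Shows how a
// harmless-looking file function can trigger PHP object deserialisation
// through the phar:// stream wrapper, and how to validate the path first.
// Gadget, fileSizeUnsafe() and fileSizeSafe() are hypothetical names.

declare(strict_types=1);

// In a real application the "gadget" is any already-loaded class whose magic
// method does something dangerous (writes files, runs commands). This
// hypothetical one only prints, so the demo is harmless.
final class Gadget
{
    public $note = 'constructed for the demo';

    // __wakeup() fires only on unserialize(), never when the original object
    // we built below is destroyed, so a printed line proves deserialisation.
    public function __wakeup()
    {
        echo "Gadget::__wakeup ran during deserialisation: {$this->note}\n";
    }
}

// Vulnerable: the path comes straight from the request. A value such as
// phar://uploads/cat.jpg/x makes PHP parse the file as a phar archive and
// unserialize() its metadata before it ever returns a size.
function fileSizeUnsafe(string $userPath)
{
    return filesize($userPath);
}

// Hardened: reject any stream wrapper, keep only the file name, and resolve
// the real path so ../ and symlinks cannot escape the allowed directory.
function fileSizeSafe(string $baseDir, string $userPath): int
{
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $userPath)) {
        throw new InvalidArgumentException('stream wrappers are not allowed');
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . basename($userPath));
    if ($base === false || $real === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new InvalidArgumentException('path is outside the allowed directory');
    }
    if (!is_file($real)) {
        throw new InvalidArgumentException('not a regular file');
    }
    return filesize($real);
}

// Build the malicious "picture": a phar whose metadata is a Gadget object.
// Writing a phar needs phar.readonly=0: php -d phar.readonly=0 demo.php
// The .jpg extension is irrelevant to the phar:// wrapper.
$dir = sys_get_temp_dir() . '/phar-demo';          // assumed scratch directory
@mkdir($dir);
$archive = "$dir/cat.phar";
@unlink($archive);
@unlink("$dir/cat.jpg");
$phar = new Phar($archive);
$phar->startBuffering();
$phar->addFromString('x.txt', 'payload');
$phar->setStub('<?php __HALT_COMPILER(); ?>');
$phar->setMetadata(new Gadget());
$phar->stopBuffering();
rename($archive, "$dir/cat.jpg");
unset($phar);

// 1) Unsafe helper reached through phar://: __wakeup prints before the size.
var_dump(fileSizeUnsafe("phar://$dir/cat.jpg/x.txt"));

// 2) Safe helper rejects the same input before touching the file system.
try {
    fileSizeSafe($dir, "phar://$dir/cat.jpg/x.txt");
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}

// 3) A plain file name inside the allowed directory still works.
var_dump(fileSizeSafe($dir, 'cat.jpg'));
```

Two caveats worth knowing before you try it: step 1 fires on PHP 7.x, which is what was current at the time of the talk; PHP 8.0 made phar metadata deserialisation lazy, so it happens only when `Phar::getMetadata()` is called, which removes this particular trigger but not the general rule of never passing user input to file functions. And the allowlist in `fileSizeSafe()` is the important part: blocklisting `phar://` alone is fragile, because the same family of functions also accepts `ftp://`, `data://` and other wrappers.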