On their blog, RIPS Technologies have shared a wrap-up of their security advent calendar shared at the end of last year. The calendar provided a daily challenge related to a PHP security issue that may or may not be commonly known.
In this years PHP Security Advent Calendar we published 24 challenges for the PHP community where security issues were hidden in code snippets for fun and training. The challenges are based on real-world security vulnerabilities that we found with the help of RIPS over the last year in popular PHP applications. In this blog post we are going to discuss the main take-aways from our advent calendar regarding PHP security.
The calendar covered several different types of challenges but they fell into a few overall categories: issues with user input, weak typing, odd behavior of built-in features and the overall diversity of possible bugs.
The root cause for the security issues presented in our challenges are not new. But the diversity and combination of these pitfalls are sheer endless that trick even skilled developers. What looks secure at first sight quickly turns into an exploitable security bug. [...] We would like to thank everyone who participated, discussed, and provided great feedback and we hope our challenges helped in sharpening your security skills in a fun way!