snuffleupagus: Security module for php7 and php8

snuffleupagus

Security module for php7 and php8 – Killing bugclasses and virtual-patching the rest!

Snuffleupagus is a PHP 7+ and 8+ module designed to drastically raise the cost of attacks against websites, by killing entire bug classes. It also provides a powerful virtual-patching system, allowing administrators to fix specific vulnerabilities and audit suspicious behaviours without having to touch the PHP code.

Key Features

• No noticeable performance impact
• Powerful yet simple to write virtual-patching rules
• Killing several classes of vulnerabilities
  • Unserialize-based code execution
  • mail-based code execution
  • Cookie-stealing XSS
  • File-upload based code execution
  • Weak PRNG
  • XXE
• Several hardening features
  • Automatic secure and samesite flag for cookies
  • Bundled set of rules to detect post-compromissions behaviours
  • Global strict mode and type-juggling prevention
  • Whitelisting of stream wrappers
  • Preventing writeable files execution
  • Whitelist/blacklist for eval
  • Enforcing TLS certificate validation when using curl
  • Request dumping capability
• A relatively sane code base:
  • A comprehensive test suite close to 100% coverage
  • Every commit is tested on several distributions
  • An clang-format-enforced code style
  • A comprehensive documentation
  • Usage of coverity

Download & Use

©2017-2018 NBS System, 2019-2021 Julien (jvoisin) Voisin