21 Feb, 2024

PHP Object Injection

PHP Object Injection is a vulnerability in web applications that arises when user-supplied data is passed to PHP's deserialization routine without adequate validation. It allows an attacker to control the objects that are created from the serialized data, potentially leading to the execution of arbitrary code on the server.

PHP Object Injection (POI) is a vulnerability in web applications that arises due to improper handling of user-supplied data passed in a serialized form. To understand PHP Object Injection, it’s helpful to grasp some basics:

Object Serialization:

In PHP, objects can be converted into a string using a process called serialization. This enables the storage or transmission of objects between different parts of an application.

Vulnerability during Deserialization:

The vulnerability occurs when an application deserializes data coming from an untrusted source, such as user input. Because the serialized string names the class to instantiate and sets its property values, an attacker who controls it can create objects of any class the application has loaded; magic methods such as __wakeup() and __destruct() then run with attacker-chosen property values.

Potential Attacks:

Attacks using PHP Object Injection can lead to the execution of arbitrary code on the server. An attacker may create or modify objects in a way that performs malicious actions, such as reading or writing files, interacting with a database, and even gaining remote access.

<?php
class LoggingClass {
    public $filename;
    public $content;

    function __construct($filename, $content) {
        // add .log to the filename so we are really creating a log file!!
        $this->filename = $filename . ".log";
        $this->content = $content;
    }

    // This method is executed for each object at the end of the PHP execution
    function __destruct() {
        // flush the logs
        file_put_contents($this->filename, $this->content);
    }
}

// Vulnerable: the serialized string comes straight from the request, so the
// caller chooses which class is instantiated and what its properties hold
$data = unserialize($_GET['data']);

Scanners that detect the vulnerability

OWASP ZAP (Zed Attack Proxy): OWASP ZAP is a free and open-source security testing tool for web applications.

Burp Suite: Burp Suite is a popular tool for web application security testing.

Acunetix: Acunetix provides functionality for detecting and addressing vulnerabilities in web applications, including PHP Object Injection.

Netsparker: Netsparker is an automated tool for discovering vulnerabilities in web applications.

AppSpider: AppSpider provides tools for automated web application security testing.

Nexpose: Nexpose is a tool for scanning and analyzing the security of web applications.

Nmap: Nmap is a utility for discovering devices and analyzing network services, also used for security testing.

Average CVSS score for PHP Object Injection

The Common Vulnerability Scoring System (CVSS) is a framework for assessing the severity of vulnerabilities, assigning scores to help prioritize responses to security threats. The CVSS score ranges from 0 to 10, with a higher score indicating a more severe vulnerability. The average CVSS score for PHP Object Injection vulnerabilities can vary widely based on factors such as the specific implementation, the impact of the vulnerability, and the ease of exploitation.

CWE information

CWE-502: Deserialization of Untrusted Data

CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers (‘HTTP Response Splitting’)

CWE-94: Improper Control of Generation of Code (‘Code Injection’)

PHP Object Injection is a critical security vulnerability that arises when applications unserialize user-provided data without proper validation. This vulnerability can lead to the execution of arbitrary PHP code, potentially compromising the integrity and security of the application.

Mitigating PHP Object Injection requires a combination of secure coding practices and input validation:

Input Validation:

Validate and sanitize all user input, especially if it involves serialized data.

Avoid accepting serialized PHP objects from untrusted or user-controlled sources.

Whitelisting Classes:

Use whitelists to explicitly define which classes can be unserialized, preventing the instantiation of arbitrary objects.

Alternative Serialization Formats:

Consider using alternative serialization formats like JSON or XML for data interchange instead of serialized PHP objects.

These formats decode into plain arrays and scalars rather than into arbitrary application classes, so decoding them does not run class constructors or magic methods, and the resulting structure is more controlled and predictable.

Secure Deserialization Libraries:

If possible, use secure deserialization libraries that provide additional safeguards against object injection.

Some libraries offer features like signature verification to ensure the integrity of serialized data.

Security Audits and Code Reviews:

Conduct regular security audits and code reviews to identify and address potential instances of PHP Object Injection.

Use static analysis tools to automatically detect vulnerabilities in the codebase.

Educate Developers:

Ensure that developers are aware of the risks associated with PHP Object Injection and provide training on secure coding practices.

Encourage a security-aware mindset throughout the development lifecycle.

Update PHP Versions:

Keep PHP versions up-to-date to benefit from security improvements and patches provided by the PHP community.
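A hardened counterpart to the unserialize($_GET['data']) call above, added here as an example and not taken from the article: the token handed to the client is HMAC-signed and verified before unserialize() runs, and the allowed_classes option of unserialize() (PHP 7.0 and later) restricts which classes may be instantiated. The secret key, the UserPreferences class and the token layout are assumptions made for this demonstration.

```php
<?php
// Added example; SECRET_KEY, UserPreferences and the token layout are assumptions.
final class UserPreferences
{
    public $theme;
    public function __construct($theme = 'light') { $this->theme = $theme; }
}

final class SafeState
{
    // Assumed: loaded from server-side configuration, never exposed to clients.
    const SECRET_KEY = 'replace-with-a-random-32-byte-secret';
    // Whitelist for unserialize(): only these classes may be instantiated.
    // Never list classes whose __wakeup/__destruct have side effects.
    const ALLOWED_CLASSES = ['UserPreferences'];

    // Serialize and sign, so tampering is detected before unserialize() runs.
    public static function pack($value)
    {
        $payload = serialize($value);
        $mac = hash_hmac('sha256', $payload, self::SECRET_KEY);
        return base64_encode($mac . '|' . $payload);
    }

    // Verify the signature first; only then deserialize with the whitelist.
    public static function unpack($token)
    {
        $decoded = base64_decode($token, true);
        if ($decoded === false || strpos($decoded, '|') === false) {
            throw new InvalidArgumentException('malformed token');
        }
        list($mac, $payload) = explode('|', $decoded, 2);
        // Constant-time comparison: reject anything not produced with our key.
        if (!hash_equals(hash_hmac('sha256', $payload, self::SECRET_KEY), $mac)) {
            throw new InvalidArgumentException('bad signature');
        }
        // A valid signature is not enough: still refuse arbitrary classes.
        // Disallowed classes come back as __PHP_Incomplete_Class (PHP >= 7.0).
        $obj = unserialize($payload, ['allowed_classes' => self::ALLOWED_CLASSES]);
        if (!($obj instanceof UserPreferences)) {
            throw new InvalidArgumentException('unexpected type');
        }
        return $obj;
    }
}

$token = SafeState::pack(new UserPreferences('dark'));
$restored = SafeState::unpack($token);
```

Passing ['allowed_classes' => false] instead of a list turns every object in the payload into __PHP_Incomplete_Class, which is the right default when the application only needs scalar or array data back.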
