Johannes Dahse: "State-of-the-art PHP Exploitation Techniques"

19.12.2018
PHP remains the most popular server-side language on the Web and the most favored language for Web attacks. The security vulnerabilities and attack techniques, however, are becoming more sophisticated. For example, the vulnerability types PHP Object Instantiation and Phar Deserialization are comparatively unknown next to traditional types like XSS and SQLi. In this technical talk we look at a couple of critical security bugs found in popular open source PHP applications, such as WordPress, WooCommerce and Shopware. We will focus on fundamental design flaws and new state-of-the-art exploitation techniques that attackers use to compromise web servers through these issues, which can occur in any other application as well.

Short bio: Johannes has been exploiting security vulnerabilities in web applications for 10 years. He finished his Ph.D. in IT security at the Ruhr-University Bochum in 2016. Before that, he pioneered new static code analysis techniques to assist his work as a security consultant. Johannes is a co-founder and the CEO of RIPS Technologies, a Bochum-based IT security company that delivers automated code analysis solutions for web applications, and an active speaker at academic and industry conferences.
