Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/nbs-system/snuffleupagus
https://github.com/nbs-system/snuffleupagus
Last synced: 27 days ago
JSON representation
- Host: GitHub
- URL: https://github.com/nbs-system/snuffleupagus
- Owner: nbs-system
- License: lgpl-3.0
- Archived: true
- Created: 2020-06-25T14:34:55.000Z (over 4 years ago)
- Default Branch: master
- Last Pushed: 2023-11-08T09:16:00.000Z (about 1 year ago)
- Last Synced: 2024-08-03T16:09:27.883Z (4 months ago)
- Language: C
- Size: 9.13 MB
- Stars: 26
- Watchers: 7
- Forks: 1
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
Awesome Lists containing this project
- awesome-systools - snuffleupagus - Killing bugclasses and virtual-patching the rest! (Security / WebServers)
README
# THIS REPO HAS BEEN ARCHIVED, PLEASE VISIT https://github.com/jvoisin/snuffleupagus
Snuffleupagus
Security module for php7 - Killing bugclasses and virtual-patching the rest!.
Key Features •
Download •
Examples •
Documentation •
License •
Thanks
Snuffleupagus is a [PHP 7+](https://secure.php.net/) module designed to
drastically raise the cost of attacks against websites, by killing entire bug
classes. It also provides a powerful virtual-patching system, allowing
administrator to fix specific vulnerabilities and audit suspicious behaviours
without having to touch the PHP code.
## Key Features
* Close to zero performance impact
* Powerful yet simple to write virtual-patching rules
* Killing several classes of vulnerabilities
* [Unserialize-based](https://www.owasp.org/images/9/9e/Utilizing-Code-Reuse-Or-Return-Oriented-Programming-In-PHP-Application-Exploits.pdf) code execution
* [`mail`-based]( https://blog.ripstech.com/2016/roundcube-command-execution-via-email/ ) code execution
* Cookie-stealing [XSS]( https://en.wikipedia.org/wiki/Cross-site_scripting )
* File-upload based code execution
* Weak PRNG
* [XXE]( https://en.wikipedia.org/wiki/XML_external_entity_attack )
* Hardening features
* Automatic `secure` and `samesite` flag for cookies
* Bundled set of rules to detect post-compromissions behaviours
* Global [strict mode]( https://secure.php.net/manual/en/migration70.new-features.php#migration70.new-features.scalar-type-declarations) and type-juggling prevention
* Whitelisting of [stream wrappers](https://secure.php.net/manual/en/intro.stream.php)
* Preventing writeable files execution
* Whitelist/blacklist for `eval`
* Request dumping capability
## Download
We've got a [download
page](https://snuffleupagus.readthedocs.io/download.html), where you can find
packages for your distribution, but you can of course just `git clone` this
repo, or check the releases on [github](https://github.com/nbs-system/snuffleupagus/releases).
## Examples
We're providing [various example rules](https://github.com/nbs-system/snuffleupagus/tree/master/config),
that are looking like this:
```python
# Harden the `chmod` function
sp.disable_function.function("chmod").param("mode").value_r("^[0-9]{2}[67]$").drop();
# Mitigate command injection in `system`
sp.disable_function.function("system").param("command").value_r("[$|;&`\\n]").drop();
```
Upon violation of a rule, you should see lines like this in your logs:
```python
[snuffleupagus][0.0.0.0][disabled_function][drop] The execution has been aborted in /var/www/index.php:2, because the return value (0) of the function 'strpos' matched a rule.
```
## Documentation
We've got a [comprehensive website](https://snuffleupagus.readthedocs.io/) with
all the documentation that you could possibly wish for. You can of course
[build it yourself](https://github.com/nbs-system/snuffleupagus/tree/master/doc).
## Thanks
Many thanks to the [Suhosin project](https://suhosin.org) for being a __huge__
source of inspiration, and to all [our
contributors](https://github.com/nbs-system/snuffleupagus/graphs/contributors).