PHP Object Instantiation Attacks

By | 2020-08-19

PHP Object Instantiation is a class of application security vulnerability in PHP applications. It occurs wherever meta-programming is used to instantiate a class whose name comes from user data. Consider the following example code.

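// The class name is taken directly from the query string
$modelClassname = $_GET['model'];
// ...and whatever class it names is instantiated, running its constructor
$model = new $modelClassname();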

Clearly, whether there is a working attack vector here depends on what classes are available to be instantiated. The worst vulnerabilities will occur where there is a class with a constructor which could be harmful in some way.

The original report of an Object Instantiation vulnerability in PHP mentioned a Zend Framework version 1 class named Zend_Amf_Request, which is used for the Flash AMF protocol. It passes POST data to PHP’s serializer, allowing an Object Injection attack on the PHP application. This was used as part of a full end-to-end attack vector on the website being tested.
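
One way to remove the user's control over which class is instantiated, shown as an added example that is not code from the original post: the request value is used only as a lookup key into a fixed map, never as a class name. The `Model` interface, the `UserModel`, `OrderModel` and `InternalJob` classes and `instantiateModel()` are hypothetical names, and PHP 8.0 or later is assumed.

```php
<?php
declare(strict_types=1);

// Hypothetical model classes, defined here so the example runs on its own.
interface Model {}
final class UserModel implements Model {}
final class OrderModel implements Model {}

// A class that exists in the application but must never be reachable
// from request data (stands in for any class with a risky constructor).
final class InternalJob
{
    public function __construct() { echo "side effect in constructor\n"; }
}

// Fixed map from public request keys to class names. The request value is
// only ever used as a lookup key, never as a class name.
const MODEL_ALLOWLIST = [
    'user'  => UserModel::class,
    'order' => OrderModel::class,
];

function instantiateModel(mixed $requested): Model
{
    // Arrays (?model[]=x) and other non-strings are rejected up front.
    if (!is_string($requested) || !array_key_exists($requested, MODEL_ALLOWLIST)) {
        throw new InvalidArgumentException('Unknown model');
    }
    $class = MODEL_ALLOWLIST[$requested];
    // Defence in depth: the map itself must only name Model implementations.
    if (!is_subclass_of($class, Model::class)) {
        throw new LogicException("$class is not a Model");
    }
    return new $class();
}

// Constructed inputs standing in for $_GET['model'].
foreach (['user', 'order', 'InternalJob', 'UserModel', ['user']] as $input) {
    try {
        $model = instantiateModel($input);
        echo 'ok: ', $model::class, "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', json_encode($input), "\n";
    }
}
```

Only `user` and `order` produce an object; the real class names `InternalJob` and `UserModel` are rejected along with the array input, because none of them is a key in the map.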