PHP Object Injection

Object injection is a type of attack that allows arbitrary data to be written to variables in PHP classes.  This is a versatile attack that can potentially allow a broad range of compromises to the confidentiality or integrity of data as well as unauthorized access to server resources.  Object injection exploits functionality inherent to PHP classes as well as a supported method of storing variable data called serialization.  This article will provide a walkthrough of an object injection attack but first, a brief overview of its enabling components. Continue reading “PHP Object Injection”