home/lifestyle/vsp-php

Vsp Php

GPTClaudeGemini··1,038 copies·updated 2026-07-14
vsp-php.prompt
# VSP — PHP / Web Vulnerability Taxonomy

Focus on these bug classes (in rough order of historical yield in PHP audits):

## 1. Object Injection (`unserialize`)
- `unserialize($x)` **without** `['allowed_classes' => false]` or an explicit allow-list → RCE via gadget chain
- Watch for `unserialize(` on cache reads (Redis/Memcached), session data, cookies, HTTP params
- Comparison test: grep every `unserialize(` in the codebase. If one lacks the filter but the others have it, that one is the bug.

## 2. Command Injection
- `system()`, `exec()`, `shell_exec()`, `passthru()`, `popen()`, `proc_open()`, backtick operator
- Indirect: `preg_replace('/pattern/e', ...)` (deprecated but still appears), `assert($user_string)`
- Check: is the string built with concatenation from HTTP/file/DB input without `escapeshellarg`/`escapeshellcmd`?

## 3. Path Traversal / Arbitrary File Read-Write
- `file_get_contents`, `fopen`, `file_put_contents`, `include`, `require`, `readfile` with path derived from user input
- Check for missing `realpath` + prefix-check, or weak `str_replace('../', '', $x)` strips
- Watch upload endpoints: `move_uploaded_file`, `->newFile(`, `basename()` on Windows vs Linux

## 4. SSRF
- `file_get_contents($url)`, `curl_exec` with user URL, `fopen` on remote stream
- Check for missing URL-scheme allow-list, no private-range IP check, DNS rebinding window
- Dompdf-style `<img src="http://attacker/">` in user-rendered HTML

## 5. XSS / Output-Context Injection
- `echo $x`, template `{{ $x }}` (if raw), `Response->addHeader('...' . $x . '...')`
- Header injection: unencoded `"` or `\n` in Content-Disposition, Location, Set-Cookie

## 6. SQL Injection
- Raw concatenation in `->query(` / `mysqli_query(` / `PDO->exec(` — **not** prepared statements
- Dynamic table/column names (prepared statements do not protect these)
- ORDER BY and LIMIT with user input

## 7. XXE / XML
- `simplexml_load_string`, `DOMDocument::loadXML`, `SoapClient` — default libxml versions may resolve entities
- Check for `libxml_disable_entity_loader(true)` or `LIBXML_NOENT` flag usage

## 8. CSRF / State-Changing GET
- `$_GET['action']` performing writes
- Missing or weak token check on POST endpoints
- **Reference:** CVE-2025-0990

## 9. Auth / Authz Logic
- `if (isset($_SESSION['admin']))` without further check
- IDOR: resource ID from URL used in query without ownership check
- Type juggling: `==` vs `===`, `hash_equals` missing on HMAC compare

## 10. Deserialization / Format Parsing Gotchas
- `json_decode(..., true)` and then `extract()` — variable-variable injection
- `parse_str`, `extract` with user data
- `call_user_func($user_fn, ...)` where fn name is user-controlled

## PHP-specific VSP reasoning

1. **Input enumeration:** `$_GET`, `$_POST`, `$_COOKIE`, `$_SERVER['HTTP_*']`, `$_FILES`, PSR-7 `$request->getQueryParams()`, `$request->getParsedBody()`, Laravel `$request->input(`, Symfony `$request->get(`, WordPress `$_REQUEST`
2. **Cache/session read = attacker-controlled** if the cache or session backend is ever shared/exposed. Redis/Memcached are network-reachable in many deployments.
3. **Framework-specific sanitizers:** WordPress `sanitize_*` / `wp_kses_*`, Symfony `HTMLPurifier`, Laravel `{{ }}` auto-escape vs `{!! !!}`, Doctrine parameter binding
4. **Type juggling:** `"0e12345" == "0"` is true (PHP scientific notation coercion). Always check for `===`
5. **`null` byte truncation** in older PHP versions: `foo.php\x00.jpg` passed to `is_file` but `include` stops at null — still seen in some legacy code

fill the variables

This prompt has 3 variables. Pro fills them into a ready-to-paste prompt for you — no manual find-and-replace.

{{ $x}{{}{!! !!}
Unlock with Pro →

when to use it

Community prompt sourced from the open-source GitHub repo Keyvanhardani/mythos-research (Apache-2.0). A "Vsp Php" style prompt — adapt the placeholders and specifics to your task. Imported as-is and not independently retested here, so check the output before relying on it.

tags

lifestylecommunitygeneral

source

Keyvanhardani/mythos-research · Apache-2.0