OSWE Prep: Finding and Exploiting Bugs in PHP Source Code

By Patrick Smith
Source code review is often included as a phase of a penetration testing engagement to gauge the damage an insider armed with the application's source could cause. The security researcher tries to think like a malicious insider and identify code weaknesses that can be turned into an attack. Learning the required mindset and skills takes dedication and patience.

That's why I decided, in the course of pursuing OSWE certification, to create a short guide for new security researchers on how to look for certain PHP vulnerabilities. That sounds simple enough, right?

Well, my modest proposal turned into a 90-plus-page guide, Finding and Exploiting Bugs in PHP Source Code, that Anvil is releasing today. It covers SQL injection, PHP type juggling, and client-side vulnerabilities, and is filled with screenshots and code snippets. The guide demonstrates how to prepare for a source code review, discover vulnerabilities, and exploit those vulnerabilities. Along the way, it provides insight into the attacker mindset.

The guide can be viewed here: Finding and Exploiting Bugs in PHP Source Code


About the Author

Patrick Smith is a Security Engineer at Anvil. He specializes in application penetration testing, particularly in cloud environments. He has a passion for learning; he regularly spends time looking for new ways to approach security problems. Prior to joining Anvil, Patrick studied Computer Science at the University of West Florida and co-founded a cybersecurity startup.

This is Patrick's most ambitious writing project to date. If you are interested in joining a team that encourages all team members to pursue research and learning opportunities, provides support for content development, and publishes results on the company platform, check out Anvil's Careers page.

