Mastering Modern Web Penetration Testing by Prakhar Prasad

PHP Object Injection

PHP Object Injection, or POI, is a vulnerability that allows an attacker to modify a serialized PHP object in such a way that the application's control flow changes; depending on what the application does with the reconstructed object, this results in outcomes such as remote code execution, directory traversal, and so on. The main culprit is user-supplied input being passed to an unserialize() call: unserialize() instantiates whatever classes the input names and populates their properties from it, so attacker-controlled data ends up driving the code that runs. The situation is in fact so dire that the official PHP documentation for unserialize() carries the following warning:

Note

Do not pass untrusted user input to unserialize(). Unserialization can result in code being loaded and executed due to object instantiation and autoloading, and a malicious user may be able to exploit this. ...
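To make the mechanism in the warning concrete, here is an added example (not code from the book) that puts the unsafe pattern beside two hardened alternatives. The class `UserPrefs`, the cookie layout and the `PREFS_KEY` constant are hypothetical, and the code assumes PHP 8.0 or later for union types and the nullsafe operator.

```php
<?php
declare(strict_types=1);

// A class with a magic method. unserialize() rebuilds objects of any class
// named in the payload and PHP runs __wakeup() on them without the
// application ever calling `new`. A real __wakeup()/__destruct() often
// touches files or the database, which is what makes this dangerous; here
// it only records that it ran so the demo is side-effect free.
class UserPrefs
{
    public static bool $wokeUp = false;
    public string $theme = 'light';

    public function __wakeup(): void
    {
        self::$wokeUp = true;
    }
}

// VULNERABLE: raw cookie data reaches unserialize(). Whoever controls the
// cookie decides which class is instantiated and what its properties hold.
function loadPrefsUnsafe(string $cookie): mixed
{
    return unserialize($cookie);
}

// HARDENED 1: refuse object instantiation entirely. Any serialized object
// becomes __PHP_Incomplete_Class and no magic method runs. Appropriate when
// the payload should only ever contain scalars and arrays.
function loadPrefsNoObjects(string $cookie): mixed
{
    return unserialize($cookie, ['allowed_classes' => false]);
}

// HARDENED 2: do not use PHP serialization for untrusted data at all.
// Authenticate the blob with an HMAC so the client cannot modify it, then
// decode it as JSON and copy whitelisted fields into a fresh object.
const PREFS_KEY = 'replace-with-a-random-32-byte-secret'; // placeholder secret

function sealPrefs(UserPrefs $p): string
{
    $json = json_encode(['theme' => $p->theme], JSON_THROW_ON_ERROR);
    $mac  = hash_hmac('sha256', $json, PREFS_KEY);
    return base64_encode($json) . '.' . $mac;
}

function loadPrefsSafe(string $cookie): ?UserPrefs
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    $json = base64_decode($parts[0], true);
    if ($json === false || !hash_equals(hash_hmac('sha256', $json, PREFS_KEY), $parts[1])) {
        return null; // tampered or malformed: reject before parsing anything
    }
    $data = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    $p = new UserPrefs();
    // Validate values explicitly instead of trusting the decoded structure.
    $theme = $data['theme'] ?? '';
    $p->theme = in_array($theme, ['light', 'dark'], true) ? $theme : 'light';
    return $p;
}

// Demonstration with a constructed payload: a legitimately serialized object.
$serialized = serialize(new UserPrefs());

UserPrefs::$wokeUp = false;
loadPrefsUnsafe($serialized);
var_dump(UserPrefs::$wokeUp);                          // bool(true): __wakeup ran

UserPrefs::$wokeUp = false;
$obj = loadPrefsNoObjects($serialized);
var_dump($obj instanceof __PHP_Incomplete_Class);      // bool(true)
var_dump(UserPrefs::$wokeUp);                          // bool(false): no magic method

$sealed = sealPrefs(new UserPrefs());
var_dump(loadPrefsSafe($sealed)?->theme);              // string(5) "light"
var_dump(loadPrefsSafe($sealed . 'x'));                // NULL: MAC mismatch
```

The first hardened variant is the smallest change to existing code and is worth applying anywhere `unserialize()` cannot be removed outright; the second removes the deserialization surface entirely, which is the approach to prefer for data that crosses a trust boundary such as cookies or hidden form fields.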
