The successor to Suhosin is protecting sites from the inside

PHP is the most popular programming language for web applications. But PHP websites are also among the most targeted by hackers and account for many security incidents.

Snuffleupagus, an open source security module, aims to raise the costs of attacking PHP websites.

Developed by web hosting company NBS System, Snuffleupagus acts as an added layer of defense for PHP applications, intercepting malicious requests that exploit vulnerabilities in the underlying PHP code.

Why Snuffleupagus?

Sysadmins and webmasters have a plethora of tools at their disposal to protect web applications against attacks, including web application firewalls (WAF) and intrusion detection systems (IDS).

But while those tools are useful in their own right, they can’t inspect every detail of PHP applications. Snuffleupagus works directly in the code of PHP applications, which gives it granular visibility and control into the security of the website.

“We wanted something for PHP, to kill low-hanging bug classes in a generic way, so we wouldn’t have to worry about them anymore,” said Julien Voisin, lead developer of Snuffleupagus, in written comments to The Daily Swig, stressing that WAFs can’t detect and fix every vulnerability.

“Sometimes you want to have more granularity, like setting rules for when a function in a file is called with a specific parameter configuration,” Voisin said.

“This isn’t possible if you’re operating at the HTTP level, because you only see web requests, and have no clue about what the application is doing with them.”

Virtual patching

Snuffleupagus enables sysadmins and security teams to harden websites without the need to bother web developers or compromise the development process.

One of the benefits is that Snuffleupagus can push virtual patches on all machines without requiring clients to update their websites or content management systems.

Therefore, even if a client is running an outdated and vulnerable version of a PHP application, Snuffleupagus will still be able to protect it against unpatched vulnerabilities.

“Operating directly inside of PHP makes a big difference,” Voisin said. “For example, Magento doesn’t provide details about vulnerabilities, so previously we had to obtain the patches, understand the changes, understand what vulnerability was fixed, find all the vectors to trigger it, and write WAF rules accordingly.

“With Snuffleupagus, we look at the changes the patches made, and roughly replicate them in Snuffleupagus.”


Before Snuffleupagus, server admins could use Suhosin, a security tool that protected PHP servers against known and unknown vulnerabilities. But Suhosin is outdated and doesn’t work with PHP7.

(Earlier this year, the developers of Suhosin unveiled the Suhosin-NG project, which will be based on Snuffleupagus and aims to bring the project up to speed with the latest PHP build. This is still in development.)

Voisin has detailed how Snuffleupagus can protect PHP servers against a wide range of vulnerabilities in a blog post.

Since Snuffleupagus focuses on PHP code, it will not protect websites against client-side vulnerabilities such as cross-site scripting (XSS) attacks. It also won’t help against logical errors in the application’s code.

Snuffleupagus is also exclusive to PHP, which means it won’t be of use to Perl, Python, and other server platforms. It will, however, still apply to millions of websites.

According to BuiltWith, more than 39 million sites run on PHP, including 44% of the top 10,000 websites. Most popular CMS technologies, such as WordPress, Joomla, and Drupal, are based on PHP.

READ MORE Phar out: PHP deserialization techniques offer rich pickings for security researchers