After a few months of hard work, Snuffleupagus is now public.
For those who haven't heard about it, Snuffleupagus is a PHP 7+ module designed to drastically raise the cost of attacks against websites. It does this by killing entire bug classes outright and by providing a powerful virtual-patching system, which lets the administrator fix specific vulnerabilities in the module's configuration without touching the PHP code of the application.
There were several short-term reasons for us to start the project:
- Suhosin doesn't support PHP 7.
- PHP 5 reaches end of life very soon, so we need to be able to harden PHP 7 stacks.
- While Suhosin did a great job, feedback from the few thousand LAMP servers we manage made us realize that some critical features are missing.
But mostly, Snuffleupagus is a natural complement to naxsi. At the WAF level we sometimes lack the context information (what the application is actually about to do with the request) that is needed to take the right decision; a module running inside PHP itself has that context.
Among the innovative aspects of Snuffleupagus, a few are worth noting: