{
  "guid": "69326d17-20c7-4993-a8e1-3d3fa7c26b1f",
  "title": "Extract: A PHP Foot-Gun Case Study",
  "subtitle": null,
  "slug": "god2025-56486-extract-a-php-foot-gun-cas",
  "link": "https://c3voc.de",
  "description": "Do you always read the documentation before using a function in your language's standard library? This talk explores the attack surface of a special feature in PHP which is easy to misuse with unforeseen consequences. The `extract` function creates or overwrites local variables named after the keys of an array. Calling it with user-controlled input allows an attacker to change arbitrary variables in the program. The documentation warns against the dangers of using it with untrusted data, but our large-scale analysis of 28,325 PHP projects from GitHub shows that this warning is ignored.\nThe talk walks through the process of identifying `extract`-based vulnerabilities and how they might have ended up the way they are by looking at the surrounding code. After introducing different levels of attacker control, guided by concrete exploits, listeners gain an intuition for what to look out for while reviewing code.\nAttending this talk, the audience will learn:\n\nThe rich ways users have control over input in PHP.\nHow to exploit insecure calls to `extract`, given multiple real-world case studies from the dataset of open-source projects from GitHub.\nTips on how to avoid this and similar threats in new and legacy code.\nPossible changes to PHP itself for risk reduction.\n\nLicensed to the public under https://creativecommons.org/licenses/by-sa/4.0/",
  "original_language": "eng",
  "persons": ["Jannik Hartung", "Martin Johns", "Simon Koch"],
  "tags": ["56486", "2025", "god2025", "Track 1", "god2025-eng", "god2025", "Day 1"],
  "view_count": 181,
  "promoted": false,
  "date": "2025-11-26T14:30:00.000+01:00",
  "release_date": "2025-11-26T00:00:00.000+01:00",
  "updated_at": "2026-03-05T19:30:06.766+01:00",
  "length": 1477,
  "duration": 1477,
  "thumb_url": "https://static.media.ccc.de/media/events/god/2025/56486-69326d17-20c7-4993-a8e1-3d3fa7c26b1f.jpg",
  "poster_url": "https://static.media.ccc.de/media/events/god/2025/56486-69326d17-20c7-4993-a8e1-3d3fa7c26b1f_preview.jpg",
  "timeline_url": "https://static.media.ccc.de/media/events/god/2025/56486-69326d17-20c7-4993-a8e1-3d3fa7c26b1f.timeline.jpg",
  "thumbnails_url": "https://static.media.ccc.de/media/events/god/2025/56486-69326d17-20c7-4993-a8e1-3d3fa7c26b1f.thumbnails.vtt",
  "frontend_link": "https://media.ccc.de/v/god2025-56486-extract-a-php-foot-gun-cas",
  "url": "https://api.media.ccc.de/public/events/69326d17-20c7-4993-a8e1-3d3fa7c26b1f",
  "conference_title": "German OWASP Day 2025",
  "conference_url": "https://api.media.ccc.de/public/conferences/god2025",
  "related": [],
  "recordings": [
    {
      "size": 14,
      "length": 1477,
      "mime_type": "audio/opus",
      "language": "eng",
      "filename": "god2025-56486-eng-Extract_A_PHP_Foot-Gun_Case_Study_opus.opus",
      "state": "new",
      "folder": "opus",
      "high_quality": false,
      "width": 0,
      "height": 0,
      "updated_at": "2025-11-26T15:58:32.238+01:00",
      "recording_url": "https://cdn.media.ccc.de/events/god/2025/opus/god2025-56486-eng-Extract_A_PHP_Foot-Gun_Case_Study_opus.opus",
      "url": "https://api.media.ccc.de/public/recordings/93584",
      "event_url": "https://api.media.ccc.de/public/events/69326d17-20c7-4993-a8e1-3d3fa7c26b1f",
      "conference_url": "https://api.media.ccc.de/public/conferences/god2025"
    },
    {
      "size": 45,
      "length": 1477,
      "mime_type": "video/mp4",
      "language": "eng",
      "filename": "god2025-56486-eng-Extract_A_PHP_Foot-Gun_Case_Study_sd.mp4",
      "state": "new",
      "folder": "h264-sd",
      "high_quality": false,
      "width": 720,
      "height": 576,
      "updated_at": "2025-11-26T16:12:46.712+01:00",
      "recording_url": "https://cdn.media.ccc.de/events/god/2025/h264-sd/god2025-56486-eng-Extract_A_PHP_Foot-Gun_Case_Study_sd.mp4",
      "url": "https://api.media.ccc.de/public/recordings/93592",
      "event_url": "https://api.media.ccc.de/public/events/69326d17-20c7-4993-a8e1-3d3fa7c26b1f",
      "conference_url": "https://api.media.ccc.de/public/conferences/god2025"
    },
    {
      "size": 48,
      "length": 1477,
      "mime_type": "video/webm",
      "language": "eng",
      "filename": "god2025-56486-eng-Extract_A_PHP_Foot-Gun_Case_Study_webm-sd.webm",
      "state": "new",
      "folder": "webm-sd",
      "high_quality": false,
      "width": 720,
      "height": 576,
      "updated_at": "2025-11-26T16:07:03.637+01:00",
      "recording_url": "https://cdn.media.ccc.de/events/god/2025/webm-sd/god2025-56486-eng-Extract_A_PHP_Foot-Gun_Case_Study_webm-sd.webm",
      "url": "https://api.media.ccc.de/public/recordings/93589",
      "event_url": "https://api.media.ccc.de/public/events/69326d17-20c7-4993-a8e1-3d3fa7c26b1f",
      "conference_url": "https://api.media.ccc.de/public/conferences/god2025"
    },
    {
      "size": 121,
      "length": 1477,
      "mime_type": "video/webm",
      "language": "eng",
      "filename": "god2025-56486-eng-Extract_A_PHP_Foot-Gun_Case_Study_webm-hd.webm",
      "state": "new",
      "folder": "webm-hd",
      "high_quality": true,
      "width": 1920,
      "height": 1080,
      "updated_at": "2025-11-26T15:58:41.671+01:00",
      "recording_url": "https://cdn.media.ccc.de/events/god/2025/webm-hd/god2025-56486-eng-Extract_A_PHP_Foot-Gun_Case_Study_webm-hd.webm",
      "url": "https://api.media.ccc.de/public/recordings/93586",
      "event_url": "https://api.media.ccc.de/public/events/69326d17-20c7-4993-a8e1-3d3fa7c26b1f",
      "conference_url": "https://api.media.ccc.de/public/conferences/god2025"
    },
    {
      "size": 22,
      "length": 1477,
      "mime_type": "audio/mpeg",
      "language": "eng",
      "filename": "god2025-56486-eng-Extract_A_PHP_Foot-Gun_Case_Study_mp3.mp3",
      "state": "new",
      "folder": "mp3",
      "high_quality": false,
      "width": 0,
      "height": 0,
      "updated_at": "2025-11-26T15:58:35.978+01:00",
      "recording_url": "https://cdn.media.ccc.de/events/god/2025/mp3/god2025-56486-eng-Extract_A_PHP_Foot-Gun_Case_Study_mp3.mp3",
      "url": "https://api.media.ccc.de/public/recordings/93585",
      "event_url": "https://api.media.ccc.de/public/events/69326d17-20c7-4993-a8e1-3d3fa7c26b1f",
      "conference_url": "https://api.media.ccc.de/public/conferences/god2025"
    },
    {
      "size": 117,
      "length": 1477,
      "mime_type": "video/mp4",
      "language": "eng",
      "filename": "god2025-56486-eng-Extract_A_PHP_Foot-Gun_Case_Study_hd.mp4",
      "state": "new",
      "folder": "h264-hd",
      "high_quality": true,
      "width": 1920,
      "height": 1080,
      "updated_at": "2025-11-26T15:47:54.268+01:00",
      "recording_url": "https://cdn.media.ccc.de/events/god/2025/h264-hd/god2025-56486-eng-Extract_A_PHP_Foot-Gun_Case_Study_hd.mp4",
      "url": "https://api.media.ccc.de/public/recordings/93579",
      "event_url": "https://api.media.ccc.de/public/events/69326d17-20c7-4993-a8e1-3d3fa7c26b1f",
      "conference_url": "https://api.media.ccc.de/public/conferences/god2025"
    }
  ]
}
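The abstract above describes the mechanism in one sentence: `extract` turns every key of an array into a local variable, so an attacker who controls the keys controls the variables. The following PHP is an added illustration of that point and of the mitigations the talk category "Tips on how to avoid this" refers to; it is not code from the talk, its slides, or any project in the speakers' dataset. The request arrays are constructed stand-ins for `$_GET`/`$_POST`, and the function names and the `isAdmin`/`page` variables are hypothetical.

```php
<?php
// Added example: how extract() on attacker-controlled keys overwrites locals,
// plus two ways to close the hole. Not from the talk or its dataset.
declare(strict_types=1);

// Vulnerable: the author intends $request to carry only 'page' and 'limit',
// but extract() creates or overwrites a variable for EVERY key it receives,
// including ones that were supposed to be set from trusted state only.
function renderVulnerable(array $request): string
{
    $isAdmin = false;      // should only ever come from the session
    $page = 'home';
    extract($request);     // attacker-chosen 'isAdmin' key clobbers $isAdmin
    return $isAdmin ? "admin view of {$page}" : "public view of {$page}";
}

// Mitigation 1: EXTR_SKIP refuses to overwrite a variable that already exists,
// so locals initialised BEFORE the call survive. Caveat: keys that do not
// collide still become new variables, so every sensitive local must be
// initialised first, and variables created later in the function are not
// protected. This is a patch for legacy code, not a design.
function renderSkip(array $request): string
{
    $isAdmin = false;
    $page = 'home';
    extract($request, EXTR_SKIP);
    return $isAdmin ? "admin view of {$page}" : "public view of {$page}";
}

// Mitigation 2 (preferred): do not call extract() on request data at all.
// Copy only an explicit allowlist of keys, with defaults, into a local array;
// trusted state ($isAdmin) is passed in separately and can never be replaced.
function renderAllowlist(array $request, bool $isAdmin): string
{
    $allowed = ['page' => 'home', 'limit' => 10];
    $params = [];
    foreach ($allowed as $key => $default) {
        $params[$key] = $request[$key] ?? $default;
    }
    return $isAdmin
        ? "admin view of {$params['page']}"
        : "public view of {$params['page']}";
}

// Constructed inputs: a benign request and one carrying an extra 'isAdmin'
// key that a real attacker would simply append to the query string.
$benign  = ['page' => 'news'];
$hostile = ['page' => 'news', 'isAdmin' => '1'];

echo renderVulnerable($benign), PHP_EOL;
echo renderVulnerable($hostile), PHP_EOL;
echo renderSkip($hostile), PHP_EOL;
echo renderAllowlist($hostile, false), PHP_EOL;
```

Run with `php extract_demo.php` (any name works; the filename is an assumption). `renderVulnerable` answers the hostile request with the admin view because the string `'1'` is truthy and has replaced the `false` the function set itself; `renderSkip` and `renderAllowlist` keep the public view. The review heuristic that follows from this: for every `extract` call, ask where the array comes from and which variables are live in that scope at the call site; if the array is reachable from a request and the call lacks `EXTR_SKIP` or a prefix flag such as `EXTR_PREFIX_ALL`, every later use of a local in that scope is attacker-influenced.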