# Deserialization of Untrusted Data

| Property | Value |
|---|---|
| Language | PHP |
| Severity | |
| CWE | CWE-502: Deserialization of Untrusted Data |
| OWASP | A08:2017 - Insecure Deserialization |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Medium |

## Description
Using PHP’s extract() function directly on data from user input (like $_GET, $_POST, or $_FILES) can let attackers overwrite variables in your code, leading to unexpected or unsafe behavior. To prevent this, avoid using extract() with user data, or always use the EXTR_SKIP flag to prevent existing variables from being overwritten.
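The variable overwrite described above, shown as an added example that is not the rule page's own code: the vulnerable pattern sits beside the EXTR_SKIP fix and an extract()-free alternative. The request array `$input` and the `render_*` functions are constructed for illustration and stand in for `$_GET`.

```php
<?php
// Added example, not from the original rule page. A constructed request
// array replaces $_GET so the script runs offline.
$input = ['page' => 'home', 'is_admin' => '1'];   // constructed input

// Vulnerable: extract() imports every key as a local variable, so the
// 'is_admin' key clobbers the $is_admin the code set just before.
function render_vulnerable(array $input): string
{
    $is_admin = false;           // security-relevant local
    extract($input);             // overwrites $is_admin with '1'
    return $is_admin ? 'admin panel' : 'public page';
}

// Hardened (1): EXTR_SKIP leaves variables that already exist untouched,
// so $is_admin keeps the value the code assigned.
function render_skip(array $input): string
{
    $is_admin = false;
    extract($input, EXTR_SKIP);  // 'is_admin' key is skipped, 'page' is imported
    return $is_admin ? 'admin panel' : 'public page';
}

// Hardened (2): do not call extract() on request data at all; read only the
// keys the code expects and cast them to the type it needs.
function render_explicit(array $input): string
{
    $is_admin = false;
    $page = isset($input['page']) ? (string) $input['page'] : 'home';
    return $is_admin ? 'admin panel' : "public page: $page";
}

echo render_vulnerable($input), PHP_EOL;
echo render_skip($input), PHP_EOL;
echo render_explicit($input), PHP_EOL;
```

Running the script shows the first function granting the admin view while both hardened variants keep `$is_admin` false.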
## Impact
If exploited, an attacker could inject or overwrite variables in your application, potentially bypassing security checks, altering program logic, or gaining unauthorized access to sensitive operations. This can lead to security breaches, data manipulation, or even full system compromise.