PHP Unsafe Reflection Dynamic Call
Description
Detects unsafe uses of PHP reflection features where dynamic (variable-derived) class or method names could allow code injection. An attacker who controls the class or method name passed to a reflection API, or to a `new $var()` instantiation, can instantiate any loadable class or invoke any reachable method, which can lead to arbitrary PHP code execution.
Detection Strategy
• Check for dynamic class name lookups passed to ReflectionClass constructor
• Identify variable or array access expressions used in reflection contexts
• Validate if the dynamic values could be influenced by user-controlled input
• Report vulnerability when reflection uses untrusted dynamic values that could enable code execution
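As an added illustration of the four steps above (not part of the original page and not Fluid Attacks' scanner), the following Python script performs a single-pass, line-oriented taint scan over PHP source: it marks variables assigned from request superglobals as tainted, propagates taint through assignments, treats a lookup into an untainted array (a whitelist table) as yielding an untainted value, and reports the reflection sinks named above when they receive a tainted expression. The source list, the sink regexes and the two embedded PHP samples are constructed for this example; the scan is a heuristic that handles single-line statements and does not model function calls, includes, or class names built from strings.

```python
"""Line-oriented taint scan for PHP reflection sinks (illustrative, constructed example)."""
import re
from dataclasses import dataclass

# Superglobals treated as user-controlled input (assumption: the usual request sources).
SOURCES = ("$_GET", "$_POST", "$_REQUEST", "$_COOKIE")

# Sinks from the detection strategy. Each pattern captures the expression(s)
# whose taint decides whether a finding is reported.
SINK_PATTERNS = [
    ("reflection constructor",
     re.compile(r"new\s+\\?Reflection(?:Class|Method|Function)\s*\(([^)]*)\)")),
    ("dynamic new", re.compile(r"new\s+(\$\w+(?:\[[^\]]*\])?)\s*\(")),
    ("dynamic method call", re.compile(r"->\s*(\$\w+)\s*\(")),
]
ASSIGN_RE = re.compile(r"^\s*(\$\w+)\s*=\s*(.+);\s*$")  # single-line `$var = expr;`
INDEX_RE = re.compile(r"(\$\w+)\[[^\]]*\]")             # `$table[...]` (one level)
VAR_RE = re.compile(r"\$\w+")
SENTINEL = "$__tainted_value__"  # placeholder for an index into a tainted table


@dataclass(frozen=True)
class Finding:
    line: int
    sink: str
    expr: str


def is_tainted(expr, tainted):
    """True if `expr` carries user input, given the set of tainted variable names."""
    if any(src in expr for src in SOURCES):
        return True
    # Key-only flow: `$table[$key]` with an untainted $table yields a value that
    # comes from the table itself (e.g. a whitelist of class names), so a tainted
    # $key does not taint the result. Indexing a tainted table still does.
    reduced = INDEX_RE.sub(lambda m: SENTINEL if m.group(1) in tainted else "", expr)
    return any(v == SENTINEL or v in tainted for v in VAR_RE.findall(reduced))


def scan(php_source):
    """Return the reflection sinks reached by tainted data, in source order."""
    tainted = set()
    findings = []
    for lineno, raw in enumerate(php_source.splitlines(), 1):
        code = raw.split("//", 1)[0]  # drop trailing line comments (naive: also cuts URLs)
        m = ASSIGN_RE.match(code)
        if m:
            var, rhs = m.group(1), m.group(2)
            if is_tainted(rhs, tainted):
                tainted.add(var)
            else:
                tainted.discard(var)  # reassignment from a safe expression clears taint
        for sink, pattern in SINK_PATTERNS:
            for sm in pattern.finditer(code):
                expr = sm.group(1).strip()
                if is_tainted(expr, tainted):
                    findings.append(Finding(lineno, sink, expr))
    return findings


# Constructed sample: every sink receives request data.
VULNERABLE_SAMPLE = r"""<?php
$userInput = $_GET['class'];
$obj = new $userInput();
$reflection = new ReflectionClass($userInput);
$method = $_POST['action'];
$obj->$method();
"""

# Constructed sample: the request value only selects an entry from a fixed table.
SAFE_SAMPLE = r"""<?php
$allowedClasses = [
    'UserProfile' => '\App\Models\UserProfile',
    'Article' => '\App\Models\Article',
];
$key = $_GET['class'] ?? '';
if (!isset($allowedClasses[$key])) { exit; }
$class = $allowedClasses[$key];
$reflection = new ReflectionClass($class);
$obj = $reflection->newInstance();
"""

if __name__ == "__main__":
    for label, sample in (("vulnerable", VULNERABLE_SAMPLE), ("safe", SAFE_SAMPLE)):
        print(f"{label}: {len(scan(sample))} finding(s)")
        for f in scan(sample):
            print(f"  line {f.line}: {f.sink} with tainted expression {f.expr}")
```

Running the script reports three findings for the vulnerable sample (the `new $userInput()`, the `ReflectionClass` constructor and the `$obj->$method()` call) and none for the safe sample, because `$allowedClasses[$key]` is a lookup into an untainted table even though `$key` itself is tainted. A production rule would work on a parsed AST rather than regexes and would add interprocedural flow and sanitiser recognition, but the decision at the sink is the same one step 3 above describes.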
Vulnerable code example
<?php
// Get user input from request parameter
$userInput = $_GET['class'];

// VULNERABLE: Direct instantiation with user-controlled class name
$obj = new $userInput(); // User can instantiate any accessible class

// VULNERABLE: Using ReflectionClass with untrusted input
$reflection = new ReflectionClass($userInput); // Any loadable class can be reflected and instantiated
$instance = $reflection->newInstance();

✅ Secure code example
<?php
// Define whitelist of allowed classes with their fully qualified names
$allowedClasses = [
    'UserProfile' => '\App\Models\UserProfile',
    'Article' => '\App\Models\Article',
    'Comment' => '\App\Models\Comment'
];
// Map the request value through the whitelist instead of using it as a class name
$requested = $_GET['class'] ?? '';
if (!isset($allowedClasses[$requested])) {
    exit('Unknown type'); // Reject anything not in the whitelist
}
// SECURE: the class name comes from the whitelist, never from the request
$obj = (new ReflectionClass($allowedClasses[$requested]))->newInstance();