Does it suggest fixes for the security flaws it finds?

Yes, it provides clear remediation code including proper allowed_classes whitelisting, HMAC signature verification, and manual mapping to typed DTOs.

Can it detect vulnerabilities hidden in Phar files?

Yes, the skill identifies dangerous phar:// wrapper usage and metadata triggers that can lead to deserialization vulnerabilities even without a direct call to the unserialize function.

How does this skill help with OWASP compliance?

It specifically targets OWASP A08:2021 (Software and Data Integrity Failures) by scanning for dangerous serialization patterns and recommending secure alternatives like restricted whitelists or JSON.

What is insecure deserialization in PHP?

Insecure deserialization occurs when untrusted user data is passed to the unserialize() function, allowing an attacker to manipulate object properties and trigger malicious logic through 'gadget chains' in PHP magic methods.

PHP Insecure Deserialization Checker

Name: PHP Insecure Deserialization Checker
Author: dykyi-roman

bydykyi-roman

•

Seguridad y Pruebas

Detects and remediates insecure PHP deserialization vulnerabilities to prevent object injection and remote code execution.

This skill empowers Claude to perform deep security audits on PHP codebases by identifying dangerous unserialization patterns associated with OWASP A08:2021. It scans for untrusted user input reaching unserialize() calls, detects missing or permissive allowed_classes configurations, and identifies potential gadget chains within magic methods like __destruct or __wakeup. Beyond detection, the skill provides actionable remediation paths, such as implementing HMAC signature verification, class whitelisting, or migrating to safer data formats like JSON, ensuring your application is resilient against PHP object injection attacks.

Características Principales

01Detects unserialize() calls using raw $_GET, $_POST, and $_COOKIE data.

02Provides standardized remediation patterns using JSON or signature-verified serialization.

0345 GitHub stars

04Identifies missing or insecure allowed_classes configurations in PHP 7+ environment.

05Analyzes high-risk Phar deserialization and file wrapper vulnerabilities.

06Scans for dangerous magic methods used in gadget chains for potential RCE.

Casos de Uso

01Identifying Remote Code Execution (RCE) vectors in complex object-oriented class hierarchies.

02Validating secure coding practices for data interchange and session management.

03Automating security audits on legacy PHP applications during refactoring or migration.

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add dykyi-roman/awesome-claude-code check-deserialization

For use in Claude.ai and ChatGPT

Download Skill