Eyas
EasySecure Coding
Overview
In this challenge, you'll secure a vulnerable PHP calculator application that uses the dangerous eval() function. The application accepts mathematical expressions from users and evaluates them dynamically, but without proper input validation, it's susceptible to arbitrary code execution.
Your Mission:
- Navigate to
/challenge/to access the vulnerable server - Review the provided rules and guidelines
- Examine the source code at the preview endpoint
- Identify the security vulnerability in
index.php - Implement a secure patch using input validation
- Test your solution to ensure it blocks malicious input while allowing legitimate calculations
Flag format: Flag{}
Lab Details
Prerequisites & Requirements
- Fundamental understanding of web application security principles
- Proficiency in PHP syntax and core functions
- Knowledge of common web vulnerabilities (especially code injection)
- Familiarity with regular expressions (regex)
- Basic understanding of input validation and sanitization concepts
- Experience with HTML forms and POST/GET request handling
What will you learn?
- Implementing secure input validation using regular expressions
- Applying defense-in-depth principles to prevent code injection attacks
- Understanding the difference between sanitization and validation
- Using preg_match() for whitelist-based input filtering
- Secure coding best practices for dynamic code evaluation
- Why eval() should be avoided in production environments
Tools
- Web browser (Chrome, Firefox, or any modern browser)
- Code editor or IDE (VS Code, PHPStorm, Sublime Text, or similar)
- Local PHP development environment (XAMPP, WAMP, or PHP built-in server)
- Access to the challenge environment
- PHP documentation reference (php.net)
Job Positions
Security Analyst
Tags
Input ValidationSanitizationOwasp Top 10Regular Expressions