DEV Community: Sergii

PHP REST API Cybersecurity

Sergii — Sat, 17 May 2025 10:21:04 +0000

Hi, current article is a short representation of my course: “PHP REST API Cybersecurity”.

In an increasingly connected world, cybersecurity is no longer just an IT concern – it’s a critical issue that affects businesses, individuals, and entire nations. As the global landscape becomes more interconnected, and tensions between nations rise, cyberattacks are becoming more sophisticated and frequent. It’s not just about protecting against hackers; it’s about understanding how vulnerabilities in systems can be exploited, and how we can defend against them.

While many courses, articles, and conferences focus on ethical hacking and penetration testing, there’s a glaring gap in defensive security. Specifically, how do we protect the applications we build from these attacks? That’s why I’ve created this course – PHP REST API Security – to empower developers to understand both the offensive and defensive aspects of web application security, especially in the context of PHP and REST APIs.

In my 20 years of experience in cybersecurity, I’ve often wondered why there are so many courses on how to hack into systems, but so few that focus on how to protect against those attacks. The defensive side of security is significantly more complex. It’s not just about knowing how to break things—it’s about understanding the intricate details of various technologies, frameworks, and languages, like PHP, and how they work together in an application.

To be a good defender, you need to have a deep understanding of the technology you’re working with. You need to know the ins and outs of programming languages, operating systems, and infrastructure architecture. It’s a multi-faceted, more difficult approach that requires much more effort to master, which is why there are fewer experts in this area.

In this course, I’ve condensed over almost 2 decades of experience into 5 hours of practical learning, designed to help you understand the top vulnerabilities in PHP REST APIs and how to mitigate them effectively.

First several sections focuses on indirect security issues that are essential for every developer to understand. API documentation, error handling, and debugging are all areas that are often overlooked but can have a huge impact on the overall security of your system.

At next step the most popular formats for APIs would be discussed, with a quick dive into why JSON is generally the safest and why XML is far from a good choice. You will learn in details on practice about Denial of service XML attacks such as Quadratic Blowup Attack and Billion Laughs Attack, smoothly going with XML External Entity attacks and finishing with Remote Code Execution (RCE).

Then I am passing over the most popular vulnerabilities and explore how to mitigate them with hands-on examples. The course covers such topics as:

XSS attacks – reflected, stores and file-based types
CSRF
SQL injection – union, blind content and time based vectors
Template injections (SSTI)
Path Traversal
Incredibly tricky theme of PHP deserialization and how it can be used as vulnerability
Command Injection – here I’ll reveal a zero-day case from my recent work. And explain why red teams often have the upper hand over blue teams, and why it’s impossible to be 100% safe – even with perfect security practices.

Every concept is paired with practical coding exercises. For each vulnerability, we’ll recreate attacks, so you can feel them firsthand, then apply the best practices to defend against them. That is far from all, as course also icludes such essential cybersecurity issues as:

Rate limiting
Server-side request forgery (SSRF)
Hidden files
Webhooks
Cross-Origin Resource Sharing (CORS)

There are also detailed sections about authentication and authorization problems, special focus is devoted to the JSON Web Token (JWT) vulnerabilities.

By the end of this course, you’ll have a solid understanding of how to secure PHP REST APIs from top to bottom. Whether you’re a beginner or an experienced developer who wants to fill in the gaps, this course is designed to give you a complete picture.

If you’re ready to step up your security skills and become part of the blue team, click next link: Enroll at PHP REST API security course. At my blog you may also find coupon for discount.

Best regards

AWS OPENSEARCH BENCHMARKS

Sergii — Sun, 14 Jan 2024 07:24:02 +0000

Hi everybody.
Recently, 04.12.2023-05.12.2023. I have a pleasant occasion to perform AWS OpenSearch service performance benchmarks. The reason for that has a rather long story, but I will try to shorten it as much as possible. There is one application that uses Elasticsearch for performing different search operations. I will call it “Search App” below in text. Current application was migrated to AWS Cloud almost 2 years ago. To not complicate the situation, at 1st migration step it was decided to move Search App from 3 “on-premise” servers to the 3 EC2 instances preserving existing docker swarm architecture, with only some small adjustments. The simplified architecture scheme took a next view:

And the 1st step was successfully done. The next migration steps were as listed below:

Replace Elasticsearch cluster with AWS OpenSearch service
Move Search App from EC2 swarm cluster to the AWS Fargate

Our final goal was to get a scalable and serverless solution. Sounds reasonable, doesn’t it?

So, the 2d step was performed at the next iteration. As existing dockerized 3 node Elasticsearch cluster was limited at docker level to the 6GB RAM with JVM set to the 4GB, the solution was taken to use simplified 2 node OpenSearch cluster with m6g.large.search instance type (2 CPU, 8 GB RAM) to provide initial tests (yes, it was not HA, but at least less expensive). And in 2 weeks all was done – infrastructure with terraform, recreating index mappings, indexing tests, application unit and integration tests, and some other preparation – all problems were solved. So, we switched Search App at OpenSearch cluster.

But our happiness didn’t last long. In several hours we had to switch back to the existing Elasticsearch cluster, which we preserved “just in case” ;)

So, what has happened? The deal is that we did not test one functionality. Here is a short description of how it works. Users can choose/set different options at their account for getting daily reports, including concrete hour. There is a cron at the beginning of every hour, which gathers users, whose report should be sent, and pushes according user’s ID at the SQS queue. Workers take user IDs from queues, create reports using data from Elasticsearch and send according info at user’s email. Here is simplified diagram for the whole process image:

Some hours are much more popular than others. As a result, in peaks over then 10K users have to get reports. The search query by itself is rather complicated – it includes different advanced filters, including geolocation operations, and term’s aggregation based on filtered results. Moreover, as users’ settings are extremely different, the cardinality of search requests is very high – so cache is not helpful in the current case. That creates non typical overload peaks at Elasticsearch, but the existing cluster, despite increase in memory, CPU utilization and search latency, was able to deal with that without any bigger problems. But not OpenSearch. It appeared to be not resistant to the short peaks and refused to process queries with sending 429 errors – Too many requests. If you are interested in details – please visit my course ”AWS devops: Elasticsearch at AWS using terraform and ansible”. I will not reveal details here, the most essential is the final result – the decision “refuse from migration at OpenSearch” was taken. Yep, unfortunately.

But almost 2 years have passed, all infrastructure has been moved to AWS Cloud. The company, owner of Search App, grew up and became a serious player. As a result AWS appeared with questions about how they can help and what problems the company would like to resolve – question of OpenSearch migration was opened again. Here, I want to say “BIG THANK YOU” to the people (Robert, Julia, Francisco), who provided me useful instructions and AWS credits for perfoming additional tests. I will not put their surnames here, though I hope they recognize themselves during the reading of the current article.
So, my plan was the next. Deploy OpenSearch cluster using different instances type and:

gather performance metrics using OpenSearch Benchmark utility
imitate sending reports overload at Elasticsearch/OpenSearch clusters and test it’s behaviour
compare AWS OpenSearch clusters with existing Elasticsearch EC2 3 node cluster – docker memory limit 6Gb, jvm – 4GB, t3.large (2 CPU, 8 GB)
compare AWS OpenSearch clusters with scaled up Elasticsearch EC2 3 node cluster – docker memory limit 14Gb, jvm – 12GB, t3.xlarge (4 CPU, 16 GB)

OpenSearch Benchmark utility appeared to be easy to use. The most problematic was the part related with imitating real overloading while generating reports. I had to take 10K users (anonimize their all personal data but preserve their settings), modify cron code to ignore time preferences and modify workers code – to send search requests and generate reports without sending them to email. Finally, I indexed Elasticsearch with real production data and created an Elasticsearch snapshot from that at S3 to have the ability to dump it at different Opensearch clusters in a fast and convenient way.

Results appeared to be rather interesting. You may read about here at my blog: "AWS OpenSearch benchmarks"

Have a pleasant reading

AWS OPENSEARCH BENCHMARKS

Sergii — Sun, 14 Jan 2024 07:24:02 +0000

And the 1st step was successfully done. The next migration steps were as listed below:

Replace Elasticsearch cluster with AWS OpenSearch service
Move Search App from EC2 swarm cluster to the AWS Fargate

Our final goal was to get a scalable and serverless solution. Sounds reasonable, doesn’t it?

But our happiness didn’t last long. In several hours we had to switch back to the existing Elasticsearch cluster, which we preserved “just in case” ;)

gather performance metrics using OpenSearch Benchmark utility
imitate sending reports overload at Elasticsearch/OpenSearch clusters and test it’s behaviour
compare AWS OpenSearch clusters with existing Elasticsearch EC2 3 node cluster – docker memory limit 6Gb, jvm – 4GB, t3.large (2 CPU, 8 GB)
compare AWS OpenSearch clusters with scaled up Elasticsearch EC2 3 node cluster – docker memory limit 14Gb, jvm – 12GB, t3.xlarge (4 CPU, 16 GB)

Results appeared to be rather interesting. You may read about here at my blog: "AWS OpenSearch benchmarks"

Have a pleasant reading

How to deploy HA Elasticsearch cluster using AWS ECS and terraform

Sergii — Fri, 21 Jul 2023 09:02:00 +0000

Hi, Elasticsearch fans

If you are interested at "How to deploy HA Elasticsearch cluster using AWS ECS and terraform", then welcome to series of articles related to it:

Have a pleasant reading :)

How to work with Elasticsearch 8 using Spring Boot 3 and Spring Data Elasticsearch 5.x

Sergii — Fri, 26 May 2023 15:05:34 +0000

Hi, Java-Spring Boot-Elasticsearch fans

Despite that Elasticsearch was upgraded from 7th to 8th version almost 2 years ago, Spring Boot and Elasticsearch package was adjusted to it relatively recently. When I had to upgrade my project to Elasticsearch 8 version with using spring boot 3 and last spring data Elasticsearch version - I've met a lot of difficulties. Mostly because of 2 main reasons:

too many changes appeared at how Elasticsearch queries are built since Spring Data Elasticsearch 5.x version
lack of good examples at internet, which impressed me a lot

As result I decide to share here some examples, which can be helpful for somebody at his upgrade path

1.Example with range query

Here how it was at previous version Spring Data Elasticsearch versions (3d and 4th):

Here how it looks since Spring Data Elasticsearch 5.x :

2.Example with bool query to create OR condition with match queries

Here how it was at previous version Spring Data Elasticsearch versions (3d and 4th):

Here how it looks since Spring Data Elasticsearch 5.x :

The main thing that was changed is the approach of getting builders. Previously we had universal QueryBuilders class from which we got builders for different types of Elasticsearch queries. From 5x version builders are moved inside Elasticsearch “query” classes. If you are interested at more examples, please visit according article at my blog: "How to work with Elasticsearch 8 using Spring Boot 3"

HOW TO DEPLOY A HIGH AVAILABLE CLUSTER AT AWS OPENSEARCH USING TERRAFORM

Sergii — Fri, 21 Apr 2023 09:26:59 +0000

Hi, devops fans
If you are interested at how to deploy HA OpenSearch cluster at AWS in details using terraformm then welcome to series of articles related to it:

Have a pleasant reading :)

Terraform bastion module using autoscaling group

Sergii — Fri, 17 Feb 2023 19:32:49 +0000

Hi, devops fans

As continuation of post related to "How to deploy high available Elasticsearch cluster at AWS OpenSearch using terraform" a new articles appeared:

Terraform bastion module using autoscaling group

Have a pleasant reading

Terraform AWS network module

Sergii — Sat, 07 Jan 2023 10:03:46 +0000

Hi, devops fans

As continuation of post related to "How to deploy high available Elasticsearch cluster at AWS OpenSearch using terraform" a new articles appeared:

Terraform network module – part 1

Terraform network module – part 2

Have a pleasant reading

Initial terraform environment and pre-init terraform module

Sergii — Mon, 26 Dec 2022 18:16:11 +0000

Hi, devops fans

As continuation of post related to "How to deploy high available Elasticsearch cluster at AWS OpenSearch using terraform" a new articles appeared:

What is OpenSearch? If OpenSearch and Elasticsearch are compatible?

Initial terraform environment and pre-init terraform module

How to deploy high available Elasticsearch cluster at AWS OpenSearch using terraform

Sergii — Sun, 04 Dec 2022 13:35:38 +0000

Hi, devops fans. Here I am opening the series of articles devoted to the theme of how to deploy high available Elasticsearch cluster using AWS service, which is called OpenSearch, and terraform. The first article you already may read here. New articles would be added gradually, so if you are interested at current topic, please visit my blog regularly or subscribe to my newsletter. But if you are not ready to wait – then I propose you to view all that material at my on-line course at udemy. Here is the link to the course.

Elasticsearch basics: Elasticsearch head plugin, Postman and first DSL queries

Sergii — Fri, 14 Oct 2022 16:30:49 +0000

At my blog I am constantly getting questions which are related to elastisearch basics. That is why I decided to add several articles around that theme. Here is the 1st one article devoted to "Elasticsearch basics: Elasticsearch head plugin, Postman and first DSL queries". Have a pleasant reading.

Elasticsearch Basics: indexing and getting the 1st document

Sergii — Fri, 30 Sep 2022 11:23:34 +0000

At my blog I am constantly getting questions which are related to elastisearch basics. That is why I decided to add several articles around that theme. Here is the 1st one article devoted to "Elasticsearch Basics: document oriented nature, indexing and getting first document using curl and REST API, Elasticsearch data layer architecture". Have a pleasant reading.