PHP unserialization attacks have been well known for some time, but a new exploitation method explained last week at Black Hat USA in Las Vegas demonstrated that the attack surface for PHP deserialization is broader than originally thought. Last year's massive Equifax breach was reportedly initiated through deserialization. Attackers can take advantage of the way that PHP handles self-extracting files in what's called a Phar archive. In a paper detailing his findings, Thomas recommends that developers avoid design patterns that can result in easily abused unserialized gadgets.
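As an added illustration of the defensive side (this code is not from the article or from Thomas's paper), the snippet below shows the pattern that exposes an application to the Phar trigger and a hardened path check beside it. It relies on a documented PHP behaviour rather than anything on the page: before PHP 8.0, filesystem functions such as file_exists() given a phar:// path parse the archive and unserialize its metadata, so user input reaching such a call became a deserialization entry point without any explicit unserialize(); the helper name safeLocalPath and the uploads directory are assumptions.

```php
<?php
// Added example, not the article's code. Demonstrates refusing stream-wrapper
// paths (phar://, data://, php:// ...) and confining user-supplied file names
// to one directory, plus removing the phar wrapper when it is not needed.
declare(strict_types=1);

/**
 * Return the canonical path of $userPath under $baseDir, or null if the
 * input must not be passed to any filesystem function.
 */
function safeLocalPath(string $baseDir, string $userPath): ?string
{
    // Any scheme prefix is refused outright; only plain relative names pass.
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $userPath) === 1) {
        return null;
    }
    // NUL bytes truncate paths in older PHP builds; never let them through.
    if (strpos($userPath, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $userPath);
    if ($base === false || $full === false) {
        return null;
    }
    // Confine to the base directory so "../" cannot escape it.
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $full;
}

// Defence in depth: if the application never opens Phar archives, remove the
// wrapper so a phar:// path cannot be resolved even if validation has a bug.
if (in_array('phar', stream_get_wrappers(), true)) {
    stream_wrapper_unregister('phar');
}

// Exposed pattern the talk describes: raw user input reaches a file function.
// $size = filesize($_GET['f']);   // a phar:// value here unserializes metadata (PHP < 8.0)

// Hardened: validate first; the wrapper is already unregistered as well.
$path = safeLocalPath(__DIR__ . '/uploads', (string) ($_GET['f'] ?? ''));
$size = $path !== null ? filesize($path) : null;
```

PHP 8.0 stopped unserializing Phar metadata automatically, but the path validation still matters for the other wrappers and for directory traversal.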