I've been hearing a lot about the vulnerabilities of PHP applications and how hackers are using PHP SuperGlobal variables to execute Web attacks. Can you please explain what PHP SuperGlobal variables are and the risks they pose?
First, a little background: Hypertext Preprocessor (PHP) has been around for more than 10 years and is one of the most important Web application programming languages to date. It was originally designed with functionality and ease of use in mind. However, despite its longevity, PHP has a spotted security track record. Researchers have even created the Hardened PHP Project to help enterprises secure applications and webpages.
While many of PHP's bugs have been identified -- and fixed -- they have exposed many common Web applications to these vulnerabilities and require Web application developers to keep current on the version of PHP in use. Other programming languages, such as Microsoft's Active Server Pages, or ASP, do not have these types of vulnerabilities and therefore do not require developers or system administrators to always use the most current version of the language to keep the application secure -- lowering the cost of development by lessening the need for upgrading and training. Secure development practices still need to be used regardless of the programming language.
In August 2000, PHP SuperGlobal variables were introduced to deprecate PHP register global functionality, as it caused significant security issues in PHP and Web applications. PHP SuperGlobals are built-in variables that are available in a PHP script and store data that can be used throughout the script. The deprecated functionality was widely abused by attackers because of its insecure design.
Application security vendor Imperva Inc. describes the risks SuperGlobal variables pose in its report. One risk is that a SuperGlobal variable could have malicious data entered into it that was then used somewhere in the script in an insecure way that could be exploited by an attacker.
The two key takeaways should be that, as Imperva notes, there is no valid reason for any PHP application to provide SuperGlobal parameters, and any such request of an application to provide them should be blocked. To that end, check to ensure that your Web application firewalls have rules that automatically block these requests, and that they ideally alert when such an event occurs, as it may very well be a sign of a targeted attack.
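A defensive check modelled on the WAF rule recommended above, added here as an illustration (not code from the page, Imperva or TechTarget): it parses constructed access-log lines and flags any request whose query string names a PHP SuperGlobal as a parameter. The sample log lines, the helper names and the combined-log regex are assumptions of the example.

```python
"""Flag requests that try to hand a PHP application SuperGlobal parameters.
Added example for this Q&A (not code from the page, Imperva or TechTarget):
the WAF rule the answer recommends, run over constructed access-log lines.
"""
import re
from urllib.parse import parse_qsl

# PHP's built-in SuperGlobal arrays, spelled as PHP spells them.
SUPERGLOBALS = frozenset({"GLOBALS", "_SERVER", "_GET", "_POST", "_FILES",
                          "_COOKIE", "_SESSION", "_REQUEST", "_ENV"})

# Combined-log prefix: client identd user [time] "method target proto" status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" \d{3}')

def normalize_name(raw_name: str) -> str:
    """Reduce a submitted parameter name to the PHP variable name it lands under.
    PHP treats '[...]' as array indexing and rewrites '.' and ' ' in incoming
    names to '_', so "_SESSION[x]" and ".SESSION[x]" both arrive as _SESSION.
    Upper-casing makes the match deliberately broader than PHP's own lookup."""
    base = raw_name.strip().split("[", 1)[0]
    return re.sub(r"[ .]", "_", base).upper()

def superglobal_params(query_or_body: str) -> list[str]:
    """Return the SuperGlobal names a query string or form body tries to set."""
    # parse_qsl percent-decodes once, as PHP does, so %5FSERVER is caught while
    # a double-encoded name (which PHP would leave literal) is not flagged.
    names = (normalize_name(n) for n, _ in parse_qsl(query_or_body, keep_blank_values=True))
    return sorted({n for n in names if n in SUPERGLOBALS})

def scan_access_log(lines: list[str]) -> list[dict]:
    """One alert record per log line whose query string names a SuperGlobal."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the scanner
        hits = superglobal_params(m["target"].partition("?")[2])
        if hits:
            alerts.append({"ip": m["ip"], "method": m["method"],
                           "target": m["target"], "superglobals": hits})
    return alerts

# Constructed sample log lines (not real traffic); the last two name SuperGlobals.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Mar/2014:13:55:36 +0000] "GET /index.php?page=home HTTP/1.1" 200 512',
    '198.51.100.9 - - [10/Mar/2014:13:55:37 +0000] "GET /index.php?_SESSION[user]=admin HTTP/1.1" 200 512',
    '198.51.100.9 - - [10/Mar/2014:13:55:38 +0000] "POST /login.php?GLOBALS%5Bauth%5D=1 HTTP/1.1" 200 88',
]
```

Running `scan_access_log(SAMPLE_LOG)` yields two alert records, one for the `_SESSION` request and one for the `GLOBALS` request, while the ordinary `page=home` request is ignored.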
Ask the Expert!
SearchSecurity expert Nick Lewis is ready to answer your enterprise threat questions -- submit them now! (All questions are anonymous.)