I've been hearing a lot about the vulnerabilities of PHP applications and how hackers are using PHP SuperGlobal
variables to execute Web attacks. Can you please explain what PHP SuperGlobal variables are and the risks they pose?
First, a little background: Hypertext Preprocessor (PHP) has been around for more than 10 years and is one of the most important Web application programming languages to date. It was originally designed with functionality and ease of use in mind. However, despite its longevity, PHP has a spotted security track record. Researchers have even created the Hardened PHP Project to help enterprises secure applications and webpages.
While many of PHP's bugs have been identified -- and fixed -- they have exposed many common Web applications to these vulnerabilities and require Web application developers to keep current on the version of PHP in use. Other programming languages, such as Microsoft's Active Server Pages, or ASP, do not have these types of vulnerabilities and therefore do not require developers or system administrators to always use the most current version of the language to keep the application secure -- lowering the cost of development by lessening the need for upgrading and training. Secure development practices still need to be used regardless of the programming language.
In August 2000, PHP SuperGlobal variables were introduced to deprecate PHP register global functionality, as it caused significant security issues in PHP and Web applications. PHP SuperGlobals are built-in variables that are available in a PHP script and store data that can be used throughout the script. The deprecated functionality was widely abused by attackers because of its insecure design.
Application security vendor Imperva Inc. describes the risks SuperGlobal variables pose in its report. One risk is that a SuperGlobal variable could have malicious data entered into it that then was used somewhere in the script in an insecure way that could be exploited by an attacker.
The two key takeaways should be that, as Imperva notes, there is no valid reason for any PHP application to provide SuperGlobal parameters, and any such request of an application to provide them should be blocked. To that end, check to ensure that your Web application firewalls have rules that automatically block these requests, and that they ideally alert when such an event occurs, as it may very well be a sign of a targeted attack.
Ask the Expert!
SearchSecurity expert Nick Lewis is ready to answer your enterprise threat questions -- submit them now! (All questions are anonymous.)
Dig deeper on Web Application Security
Related Q&A from Nick Lewis, Enterprise Threats
Expert Nick Lewis explains how to keep call center employees from getting duped by social engineering scams and pretexting.continue reading
Researchers reportedly succeeded in extracting decryption keys using sound-based attacks. Is this a threat enterprises should worry about?continue reading
The amount of malware using peer-to-peer communications has increased dramatically. Enterprise threats expert Nick Lewis explains how to detect P2P ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.