I've been hearing a lot about the vulnerabilities of PHP applications and how hackers are using PHP SuperGlobal variables to execute Web attacks. Can you please explain what PHP SuperGlobal variables are and the risks they pose?
First, a little background: Hypertext Preprocessor (PHP) has been around for more than 10 years and is one of the most important Web application programming languages to date. It was originally designed with functionality and ease of use in mind. However, despite its longevity, PHP has a spotted security track record. Researchers have even created the Hardened PHP Project to help enterprises secure applications and webpages.
While many of PHP's bugs have been identified -- and fixed -- they have exposed many common Web applications to these vulnerabilities and require Web application developers to keep current on the version of PHP in use. Other programming languages, such as Microsoft's Active Server Pages, or ASP, do not have these types of vulnerabilities and therefore do not require developers or system administrators to always use the most current version of the language to keep the application secure -- lowering the cost of development by lessening the need for upgrading and training. Secure development practices still need to be used regardless of the programming language.
In August 2000, PHP SuperGlobal variables were introduced to deprecate PHP register global functionality, as it caused significant security issues in PHP and Web applications. PHP SuperGlobals are built-in variables that are available in a PHP script and store data that can be used throughout the script. The deprecated functionality was widely abused by attackers because of its insecure design.
Application security vendor Imperva Inc. describes the risks SuperGlobal variables pose in its report. One risk is that a SuperGlobal variable could have malicious data entered into it that then was used somewhere in the script in an insecure way that could be exploited by an attacker.
The two key takeaways should be that, as Imperva notes, there is no valid reason for any PHP application to provide SuperGlobal parameters, and any such request of an application to provide them should be blocked. To that end, check to ensure that your Web application firewalls have rules that automatically block these requests, and that they ideally alert when such an event occurs, as it may very well be a sign of a targeted attack.
Ask the Expert!
SearchSecurity expert Nick Lewis is ready to answer your enterprise threat questions -- submit them now! (All questions are anonymous.)
Dig Deeper on Web application and API security best practices
Related Q&A from Nick Lewis
Cloud penetration testing presents new challenges for information security teams. Here's how a playbook from the Cloud Security Alliance can help ... Continue Reading
Island hopping attacks create enterprise risk by threatening their business affiliates. Here's how to create an incident response plan to mitigate ... Continue Reading
Many cloud providers are tight-lipped about internal security control details. Learn how to evaluate cloud security providers with certifications and... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.