
Mitigating the enterprise risks posed by PHP SuperGlobal variables

Learn the risks PHP SuperGlobal variables present to PHP applications and how to mitigate them in an enterprise environment.

I've been hearing a lot about the vulnerabilities of PHP applications and how hackers are using PHP SuperGlobal variables to execute Web attacks. Can you please explain what PHP SuperGlobal variables are and the risks they pose?

First, a little background: Hypertext Preprocessor (PHP) has been around for more than 10 years and is one of the most important Web application programming languages to date. It was originally designed with functionality and ease of use in mind. However, despite its longevity, PHP has a spotty security track record. Researchers have even created the Hardened PHP Project to help enterprises secure applications and webpages.

While many of PHP's bugs have been identified -- and fixed -- they have exposed many common Web applications to vulnerabilities and require Web application developers to keep the version of PHP in use current. Other programming languages, such as Microsoft's Active Server Pages (ASP), do not have these types of vulnerabilities and therefore do not require developers or system administrators to always run the most current version of the language to keep the application secure, which lowers the cost of development by lessening the need for upgrades and training. Secure development practices still need to be followed regardless of the programming language.

In August 2000, PHP SuperGlobal variables were introduced to deprecate PHP's register_globals functionality, which had caused significant security issues in PHP and Web applications. PHP SuperGlobals are built-in variables that are available in every scope of a PHP script and hold request and environment data (such as GET and POST parameters, cookies and session state) that can be used throughout the script. The deprecated register_globals functionality was widely abused by attackers because of its insecure design.

Application security vendor Imperva Inc. describes the risks SuperGlobal variables pose in its report. One risk is that an attacker can plant malicious data in a SuperGlobal variable, for example by sending a request parameter named after one of them, and that data is later used somewhere in the script in an insecure way that can be exploited.

The two key takeaways are that, as Imperva notes, there is no valid reason for any PHP application to accept request parameters named after SuperGlobals, and any request that supplies them should be blocked. To that end, check that your Web application firewalls have rules that automatically block such requests and, ideally, alert when one occurs, as it may very well be a sign of a targeted attack.
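As an added illustration (not code from the article or from Imperva's report), the following PHP filter applies the same rule inside the application: it refuses any request whose GET, POST or cookie parameter names collide with a SuperGlobal name and logs the event. The function names, the sample request and the client address are constructed for this example.

```php
<?php
// Added example: block request parameters named like PHP SuperGlobals,
// mirroring the WAF rule recommended above but enforced in the application.
declare(strict_types=1);

// The nine SuperGlobal names. No legitimate request sends a parameter
// with one of these names, so any match is treated as hostile input.
const SUPERGLOBAL_NAMES = [
    'GLOBALS', '_SERVER', '_GET', '_POST', '_FILES',
    '_COOKIE', '_SESSION', '_REQUEST', '_ENV',
];

// Return the keys in $params that collide with a SuperGlobal name.
// Matching the keys PHP has already parsed (rather than the raw query
// string) means PHP's own parameter-name normalisation is applied first.
function findSuperGlobalParameters(array $params): array
{
    $hits = [];
    foreach (array_keys($params) as $name) {
        if (in_array((string) $name, SUPERGLOBAL_NAMES, true)) {
            $hits[] = (string) $name;
        }
    }
    return $hits;
}

// Check GET, POST and cookie parameters. On a hit, log the event (the
// article notes it may indicate a targeted attack) and answer 400 before
// any application code touches the input. Returns true if the request is clean.
function rejectSuperGlobalParameters(array $get, array $post, array $cookie, string $client): bool
{
    $hits = array_merge(
        findSuperGlobalParameters($get),
        findSuperGlobalParameters($post),
        findSuperGlobalParameters($cookie)
    );
    if ($hits === []) {
        return true;
    }
    error_log(sprintf('blocked SuperGlobal parameter(s) %s from %s',
        implode(',', array_unique($hits)), $client));
    if (PHP_SAPI !== 'cli') {
        http_response_code(400);
    }
    return false;
}

// In a real front controller: rejectSuperGlobalParameters($_GET, $_POST, $_COOKIE,
//     $_SERVER['REMOTE_ADDR'] ?? 'unknown') or exit;
// Constructed sample request (not real traffic): a parameter named _SESSION.
$sampleGet = ['page' => 'index', '_SESSION' => 'x'];
var_dump(rejectSuperGlobalParameters($sampleGet, [], [], '198.51.100.7'));  // bool(false)
```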

Ask the Expert!
SearchSecurity expert Nick Lewis is ready to answer your enterprise threat questions -- submit them now! (All questions are anonymous.)

This was last published in May 2014
