This practice is in line with the well-established trend of hackers aiming at commonly used third-party components to get the best return on investment.
“Because compromised hosts can be used as botnet slaves to attack other servers, exploits against PHP applications can affect the general security and health of the entire web,” said Amichai Shulman, CTO at Imperva.
“The effects of these attacks can be great as the PHP platform is by far the most popular web application development platform, powering more than 80% of all websites, including Facebook and Wikipedia. Clearly, it is time for the security community to devote more attention to this issue.”
Return on investment
According to the report, hackers are increasingly capable of packaging higher levels of sophistication into simpler scripts. PHP SuperGlobals are a prime target that yields a high return on investment.
PHP SuperGlobals are several predefined variables in PHP available in all scopes throughout a script.
The PHP SuperGlobal parameters are gaining popularity in the hacking community because they incorporate multiple security problems into an advanced web threat. This can be used to break application logic, compromise servers and result in fraudulent transactions and data theft, researchers said.
They note that PHP applications do not protect against the modification of variables from external sources, such as query parameters or cookies.
In one month, Imperva’s research team noted an average of 144 attacks per sample application that contained attack vectors related to SuperGlobal parameters.
These attacks appeared in the form of request burst floods, with peaks of between 20 and 90 hits per minute on an application, with some attacks lasting more than five months.
Researchers said SuperGlobal variable manipulation is becoming popular and that some of the biggest vulnerability scanners are specifically looking for this attack vector.
Researchers found a vulnerability in the popular PhpMyAdmin (PMA) utility used to manage MySQL databases in PHP environments.
Security researchers' recommendations
They said that, because it is often bundled with other applications that use the popular MySQL database, the presence of this vulnerable utility on a server – even if the administrator is not using it – exposes the server to code execution attacks and, as a consequence, to full server takeover.
The report therefore recommends an “opt out” security model.
The report concludes that only a positive security mechanism, one that specifies the allowed parameter names for each resource, can prevent an attacker from exploiting the external variable manipulation weakness, which lets anyone send external parameters with the same names as internal variables and thus override their values.
Researchers recommend that SuperGlobal parameters in requests should be blocked as there is no reason for them to be present.
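As an added illustration of those two recommendations (not code from the Imperva report or from any PHP project): a WAF-style request check in Python that rejects any parameter named like a PHP SuperGlobal and enforces a per-resource allowlist of parameter names. The resource paths and allowed names are constructed; the name normalisation mirrors PHP's documented handling of incoming variable names (leading spaces dropped, '.' and ' ' turned into '_', text before the first '[' taken as the variable name).

```python
"""WAF-style parameter check: block SuperGlobal-named parameters and apply
a positive (allowlist) model of parameter names per resource."""
from urllib.parse import parse_qsl

# PHP's predefined SuperGlobal variable names (from the PHP manual).
SUPERGLOBALS = {"GLOBALS", "_SERVER", "_GET", "_POST", "_FILES", "_COOKIE",
                "_SESSION", "_REQUEST", "_ENV"}

# Constructed example allowlist: the parameter names each resource may accept.
# Resources not listed here accept no parameters at all (default deny).
ALLOWED_PARAMS = {
    "/login.php": {"user", "password"},
    "/search.php": {"q", "page"},
}


def php_base_name(raw_name: str) -> str:
    """Reduce a raw query-string name to the PHP variable it would populate.
    PHP strips leading spaces, treats the text before the first '[' as the
    variable name (the rest is an array index) and converts '.' and ' ' in
    that name to '_', so a check must normalise the same way."""
    name = raw_name.lstrip(" ")
    name = name.split("[", 1)[0]
    return name.replace(".", "_").replace(" ", "_")


def check_request(path: str, query: str) -> list[str]:
    """Return the policy violations for one request (empty list = allowed).
    parse_qsl also percent-decodes names, so encoded underscores are seen."""
    violations = []
    for raw_name, _value in parse_qsl(query, keep_blank_values=True):
        name = php_base_name(raw_name)
        if name in SUPERGLOBALS:
            violations.append(f"superglobal parameter {raw_name!r}")
        elif name not in ALLOWED_PARAMS.get(path, set()):
            violations.append(f"parameter {raw_name!r} not allowed on {path}")
    return violations


if __name__ == "__main__":
    # Constructed sample requests: one clean, one carrying a SuperGlobal name.
    for p, q in [("/login.php", "user=alice&password=x"),
                 ("/login.php", "user=alice&_SESSION[user]=x")]:
        print(p, q, "->", check_request(p, q) or "allowed")
```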
Finally, the report notes that, although the SuperGlobal method is a powerful way of carrying out attacks on targets, it has pitfalls.
According to the researchers, an application security system that can detect and mitigate a single stage of the attack can render the entire attack useless.