In the newly published Imperva 'Hacker Intelligence Initiative Report' the in-the-wild modification and exploitation of PHP SuperGlobal variables has been investigated. This particular external variable modification weakness has been described as being where a PHP application does "not properly protect against the modification of variables from external sources, such as query parameters or cookies". Imperva has seen evidence of SuperGlobal variables being used as a launchpad for remote code execution, remote file inclusion and security filter evasions attacks.

The report itself should be something of a must-read for anyone developing PHP applications who wants to get a grip on how these can be manipulated by those exploiting the SuperGlobal parameters. Not least as it would appear that PHP SuperGlobal parameters are gaining an increased popularity within the hacking community courtesy of being able to incorporate multiple security problems into an advanced threat used to break application logic, compromise servers and ultimately result in data theft. The Imperva research team note that in just one month it saw an average of 144 attacks per application with attack vectors related to these SuperGlobal parameters. They also witnessed attack campaigns which lasted five months or more, with 'request burst floods' as high as 90 hits per minute on a single given application.

Highlights from the report, which can be downloaded for free here, include:

  • Key exposures in third-party infrastructure demonstrate need for an “opt out” security model. The report found a vulnerability in the very popular PhpMyAdmin (PMA) utility, used to manage MySQL databases in PHP environments. Because it is often bundled with other applications using the popular MySQL Database, having this vulnerable utility present on the server, even if it is not being used by the administrator, exposes the server to code execution attacks, and as a consequence, to full server takeover. Therefore, an “opt out” security model is recommended.
  • Positive security models are best. Only a positive security mechanism that specifies the allowed parameter names for each resource can prevent an attacker from taking advantage of the external variable manipulation weakness, which gives anyone the ability to send out external parameters with the same name of internal variables, and thus override the value of the latter.
  • Hackers are sophisticated. Imperva researchers observed that attackers are capable of mounting complex attacks and packaging them into simple-to-use tools. However, while an impressive demonstration of attack strength, the PHP method has pitfalls. An application security solution that can detect and mitigate a single stage of the attack can render the entire attack useless.
  • SuperGlobal parameters in requests should be blocked. There is no reason for these parameters to be present in requests; therefore, they should be banned.

"The effects of these attacks can be great as the PHP platform is by far the most popular web application development platform, powering more than 80 percent of all websites, including Facebook and Wikipedia" Amichai Shulman, CTO at Imperva says, continuing "clearly, it is time for the security community to devote more attention to this issue."

Edited by happygeek: unstuck

As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.

3 Years
Discussion Span
Last Post by Gaetane

Unfortunately this is not new. The problem is that a lot of people are using these without thinking ahead, thus causing security risks. Here's an article from 2003 on the subject.


Truth be told, many security problems are not new - the appearance of the results of bad practise in the wild is cyclical and it seems that the SuperGlobals are in the spotlight again right now.

Edited by happygeek

Votes + Comments

surely if you use things like mysql_real_escape_string and addslashes to your mysql queries this would limit the effect of hackers editing superglobals to access data?


I think its not easy to hack PHP web site.Depend on programmer how to done php code in this website php scripting level is very then chance to hackers hack this site.

But some time if you use post method hack cant be identify page name and which type of post variables used.In get method hackers easily identify the user sending data by using get method.So in this time hackers can easily hack php web site.

But no problem always keep backup of your database and importants files.


Try to use best PHP platform of web developement for php website.Some other opensource are hack.

Edited by sktthemes


surely if you use things like mysql_real_escape_string and addslashes to your mysql queries this would limit the effect of hackers editing superglobals to access data?

How sure are you sure that your method will work?

HG is a consultant, he only does research and write articles.

Base on his research and his past articles I read and his experience on hackers. He feels and knows how a hackers can do those things.

There's no safety zones on php, it's a given.

Edited by LastMitch


I have gone through your article and it is very impressive but if you will use the best php services then there is no such danger and the method given by you is not that promising


There's no safety zones on php, it's a given.

Boy I hate it when people blame the tools instead of the developers. Sites built on ANY language can contain massive security holes if web security best practices are not followed. Blaming PHP is analagous to a bad carpenter blaming his hammer for the house collapsing.


First rule of PHP (Web Development): "Never trust no-one, no how, not ever. Never. Ever, ever, ever. Ever." I sanitize everything to the highest level required coming in and going out. Plus I use PDO for database access. And I'm a ruthless tag stripper. If anyone needs <script> they can go to jsfiddle.com... ^_^

Votes + Comments
I agree
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.