© 2013 Imperva, Inc. All rights reserved.
PHP SuperGlobals: Supersized Trouble
Tal Be’ery, Web Security Research Team Leader
Agenda
§  Introduction
•  Relevant PHP background
§  An anatomy of a modern web exploit
•  Abusing SuperGlobals
§  Additional PHP SuperGlobal attacks
•  In the wild
§  Summary & conclusions
§  Q&A
HII Reports
§  The Hacker Intelligence Initiative focuses on understanding
how attackers operate in practice
•  A different approach from vulnerability research
§  Data set composition
•  ~60 real world applications
•  Anonymous Proxies
§  More than 24 months of data
§  Powerful analysis system
•  Combines analytic tools with drill down capabilities
Tal Be’ery, Web Research Team Leader
§  Web Security Research Team Leader at Imperva
§  Holds MSc & BSc degree in CS/EE from TAU
§  10+ years of experience in IS domain
§  Facebook “white hat”
§  Speaker at RSA, BlackHat, AusCERT
§  Columnist for securityweek.com
§  CISSP
Introduction
Relevant PHP Background
Breadth and Depth of PHP - I
§  The most popular server-side programming language in
the world
§  And goes from strength to strength
Breadth and Depth of PHP – II
§  The most popular web applications are powered by PHP
Source: http://www.alexa.com/topsites
PHP SuperGlobals
§  Most programming languages support different scopes for
variables, primarily the “local” and the “global” scope.
§  Global variables
•  Provide a simple channel for cross-function communication
•  More risky, as *ANY* function may change them
§  PHP has several predefined variables that are called
SuperGlobals.
§  SuperGlobals provide access to the server’s core
functionality – cookies, sessions, environment, etc.
§  SuperGlobal variables are available to the PHP script
in all scopes, with no need for explicit declaration.
PHP SuperGlobal List
 #   Variable   Definition
 1   GLOBALS    References all variables available in global scope
 2   _SERVER    Server and execution environment information
 3   _GET       HTTP GET variables
 4   _POST      HTTP POST variables
 5   _FILES     HTTP file upload variables
 6   _COOKIE    HTTP cookies
 7   _SESSION   Session variables
 8   _REQUEST   HTTP request variables
 9   _ENV       Environment variables
External Variable Modification: A PHP-Specific Weakness
§  MITRE has assigned a specific CWE (Common Weakness
Enumeration) entry to the External Variable Modification
weakness: CWE-473
§  “A PHP application does not properly protect against the
modification of variables from external sources, such as
query parameters or cookies”.
§  SuperGlobals are a natural target:
•  Exist in every PHP application
•  Provide access to the server’s core functionality
Anatomy of a Modern Web Exploit
Exploiting SuperGlobals
PHPMyAdmin (PMA)
§  The most popular MySQL administration tool for PHP
§  Often bundled by default in LAMP (Linux, Apache,
MySQL, PHP) installations
CVE-2011-2505: PhpMyAdmin Vulnerability
§  PhpMyAdmin’s “unset session” functionality
§  parse_str(): parses the given query string and, when called
without its second (result array) argument, registers the parsed
variables in the current scope. As a result, *ALL* request
variables are imported into the function’s local scope.
§  session_write_close(): makes session data persistent
throughout the entire user session. Session data is
implicitly written to a local file on the server.
CVE-2011-2505: Exploit
§  An attacker can now
•  Craft a malicious query string with the _SESSION SuperGlobal
•  Injected _SESSION value overrides the session’s original values
•  New values are saved to local file
Serialization Explained
§  The process of saving data stored in memory to file is
called “serialization”
§  The process of loading data stored in file to memory is
called “deserialization”
Source: http://www.studytonight.com/java/images/Serialization-deserialization.JPG
CVE-2010-3065 PHP Vulnerability & Exploit
§  Discovered by Stefan Esser - late 2010
§  Attacker can write data to the session in
*ANY* format, if the session variable name
starts with ‘!’
PMA Session Deserialization: Vulnerability
§  On session deserialization, the load() function is called
§  Eval is evil!
•  Can be used to execute unexpected code
§  But in order to exploit, attackers need to first specify a
valid source (= session filename )
Guessing Session Filename: Theory
§  Luckily for the attacker, the location of the session file is
predictable
§  Session file name consists of
•  The “sess_” prefix
•  The session identifier – known to the user/attacker
§  File’s path is predictable
•  default values
Guessing Session Filename: In the Wild
§  Multiple guesses for the path of the same session file
(“sess_19qq…”)
The Final Exploit
§  Now the attackers can, *FINALLY*, get their code
evaluated
§  /phpMyAdmin/index.php?session_to_unset=123&
token=86498ff0a666f808df76ffaabee9b7a3&
_SESSION[!bla]=|xxx|a:1:{i:0;O:10:"PMA_Config":1:
{s:6:"source";s:59:"/var/lib/php5/
sess_6a3e0376fbfe9797081a
3ee202ef1ca85c451a62";}}&
_SESSION[payload]=<?php phpinfo(); ?>
Exploit Result
§  Arbitrary PHP code is executed
PMA SuperGlobal Attacks In the Wild
§  The attack source is a hacked server
§  It attacks (at least) two other servers
§  The attacks persist over half a year
A Modern Exploit Summary: Research
§  Sophisticated research
§  Combines multiple vulnerabilities and issues in multiple
domains
•  PHPMyAdmin (PMA)
•  PHP internals
A Modern Exploit Summary: Development
§  Exploit packed in a single, “click once” PHP script
§  Automates the different attack stages
§  Can be launched from infected servers to infect others
Additional PHP SuperGlobal Attacks
In the Wild
SuperGlobal Attacks Targets – I
§  Exploitation of specific vulnerabilities – such as the previously
discussed PMA attack
§  RFI (Remote File Inclusion): trying to overwrite
“Server[document_root]” to point to an external resource
SuperGlobal Attacks Targets – II
§  Part of general scanning against the site – Nikto,
Acunetix, Nessus
§  IDS filter evasion: SuperGlobals provide an alternative
way to represent HTTP query parameters
•  The “_REQUEST[Itemid]=1” request parameter is equivalent to
“Itemid=1” in every way
•  However, it evades a naïve IDS signature that blacklists
“Itemid=1”
•  We have seen this evasion technique applied on several CVEs
SuperGlobals In the Wild
§  During May 2013:
§  3.5K requests that manipulated PHP SuperGlobal
variables.
§  27 different attack sources
§  24 web applications as targets
Targeted SuperGlobal
§  Some SuperGlobals are more targeted than others
§  The more targeted SuperGlobals provide access to more
sensitive resources
Distribution of targeted SuperGlobals:
  GLOBALS   55%
  ENV       14%
  SERVER    14%
  SESSION   13%
  REQUEST    4%
Summary & Conclusions
The Importance of a Positive Security Model
§  The essence of the external variable manipulation
weakness: the attacker can send external parameters
with the same names as internal variables, and thus
override the values of the latter.
§  External parameters are not part of the standard interface
of the targeted application
§  Blocking all of the internal variables’ names might be
difficult with a negative security approach
§  But trivial with a positive security mechanism that
specifies the allowed parameter names for each resource
Layered Application Layer Mechanisms
§  Bad news: attackers can create a complex exploit by
combining several vulnerabilities together
§  Good news: it’s enough to break one of the links in the kill
chain to break the chain altogether.
§  An application layer solution that combines multiple
detection mechanisms is crucial for effective mitigation of
such complex attacks:
•  Positive security model
•  Negative security model for generic issues (generic directory
traversal protection in this case)
•  Specific CVE detection
Third-Party Code Perils
§  Attackers target popular applications such as the
PhpMyAdmin (PMA) utility installation.
§  PMA is often bundled with other applications.
§  Having this vulnerable utility present on the server, even
if it is not being used, exposes the server to code
execution attacks.
§  Since administrators are not necessarily aware of all the
bundled software, an “opt out” security model is needed.
§  A way to achieve such an “opt out” security model is by
deploying a Web Application Firewall (WAF) with
constant updates of security content.
SuperGlobal Parameters In Requests Should Be Blocked
§  There is no reason for these parameters to be present in
valid requests; they should be banned.
§  Imperva’s WAF customers received a content update to
their Web Application Firewall on January 15th 2013.
Summing Up
§  Establish a positive security model
§  Use layered application layer security mechanisms
§  Beware of third-party code perils
§  Block SuperGlobal parameters in requests
Webinar Materials
•  Post-webinar discussions
•  Answers to attendee questions
•  Webinar recording link
www.imperva.com

Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Bhuvaneswari Subramani
 
Navigating Identity and Access Management in the Modern Enterprise
Navigating Identity and Access Management in the Modern EnterpriseNavigating Identity and Access Management in the Modern Enterprise
Navigating Identity and Access Management in the Modern EnterpriseWSO2
 
API Governance and Monetization - The evolution of API governance
API Governance and Monetization -  The evolution of API governanceAPI Governance and Monetization -  The evolution of API governance
API Governance and Monetization - The evolution of API governanceWSO2
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
ChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps ProductivityChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps ProductivityVictorSzoltysek
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
How to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cfHow to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cfdanishmna97
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightSafe Software
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxRemote DBA Services
 
Choreo: Empowering the Future of Enterprise Software Engineering
Choreo: Empowering the Future of Enterprise Software EngineeringChoreo: Empowering the Future of Enterprise Software Engineering
Choreo: Empowering the Future of Enterprise Software EngineeringWSO2
 
Stronger Together: Developing an Organizational Strategy for Accessible Desig...
Stronger Together: Developing an Organizational Strategy for Accessible Desig...Stronger Together: Developing an Organizational Strategy for Accessible Desig...
Stronger Together: Developing an Organizational Strategy for Accessible Desig...caitlingebhard1
 

Recently uploaded (20)

Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
Navigating Identity and Access Management in the Modern Enterprise
Navigating Identity and Access Management in the Modern EnterpriseNavigating Identity and Access Management in the Modern Enterprise
Navigating Identity and Access Management in the Modern Enterprise
 
API Governance and Monetization - The evolution of API governance
API Governance and Monetization -  The evolution of API governanceAPI Governance and Monetization -  The evolution of API governance
API Governance and Monetization - The evolution of API governance
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
ChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps ProductivityChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps Productivity
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
How to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cfHow to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cf
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and Insight
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Choreo: Empowering the Future of Enterprise Software Engineering
Choreo: Empowering the Future of Enterprise Software EngineeringChoreo: Empowering the Future of Enterprise Software Engineering
Choreo: Empowering the Future of Enterprise Software Engineering
 
Stronger Together: Developing an Organizational Strategy for Accessible Desig...
Stronger Together: Developing an Organizational Strategy for Accessible Desig...Stronger Together: Developing an Organizational Strategy for Accessible Desig...
Stronger Together: Developing an Organizational Strategy for Accessible Desig...
 

PHP SuperGlobals: Supersized Trouble

1. PHP SuperGlobals: Supersized Trouble
© 2013 Imperva, Inc. All rights reserved. Confidential
Tal Be’ery, Web Security Research Team Leader

2. Agenda
§  Introduction
•  Relevant PHP background
§  An anatomy of a modern web exploit
•  Abusing SuperGlobals
§  Additional PHP SuperGlobal attacks
•  In the wild
§  Summary & conclusions
§  Q&A

3. HII Reports
§  The Hacker Intelligence Initiative is focused on understanding how attackers operate in practice
•  A different approach from vulnerability research
§  Data set composition
•  ~60 real-world applications
•  Anonymous proxies
§  More than 24 months of data
§  Powerful analysis system
•  Combines analytic tools with drill-down capabilities

4. Tal Be’ery, Web Research Team Leader
§  Web Security Research Team Leader at Imperva
§  Holds MSc & BSc degrees in CS/EE from TAU
§  10+ years of experience in the IS domain
§  Facebook “white hat”
§  Speaker at RSA, BlackHat, AusCERT
§  Columnist for securityweek.com
§  CISSP

5. Introduction: Relevant PHP Background

6. Breadth and Depth of PHP – I
§  The most popular server-side programming language in the world
§  And it goes from strength to strength

7. Breadth and Depth of PHP – II
§  The most popular web applications are powered by PHP
Source: http://www.alexa.com/topsites

8. PHP SuperGlobals
§  Most programming languages support different scopes for variables, primarily the “local” and the “global” scope.
§  Global variables
•  Provide a simple channel for cross-function communication
•  More risky, as *ANY* function may change them
§  PHP has several predefined variables that are called SuperGlobals.
§  SuperGlobals provide access to the server’s core functionality – cookies, sessions, environment, etc.
§  SuperGlobal variables are available to the PHP script in all scopes, with no need for explicit declaration.
9. PHP SuperGlobal List
     Variable    Definition
  1  GLOBALS     References all variables available in global scope
  2  _SERVER     Server and execution environment information
  3  _GET        HTTP GET variables
  4  _POST       HTTP POST variables
  5  _FILES      HTTP file upload variables
  6  _COOKIE     HTTP cookies
  7  _SESSION    Session variables
  8  _REQUEST    HTTP request variables
  9  _ENV        Environment variables
10. External Variable Modification: A PHP-Specific Weakness
§  MITRE has assigned a specific CWE (Common Weakness Enumeration) code to the External Variable Modification weakness: CWE-473
§  “A PHP application does not properly protect against the modification of variables from external sources, such as query parameters or cookies.”
§  SuperGlobals are a natural target:
•  They exist in every PHP application
•  They provide access to the server’s core functionality

11. Anatomy of a Modern Web Exploit: Exploiting SuperGlobals

12. phpMyAdmin (PMA)
§  The most popular MySQL administration tool for PHP
§  Often bundled by default in LAMP (Linux, Apache, MySQL, PHP) installations
13. CVE-2011-2505: phpMyAdmin Vulnerability
§  phpMyAdmin’s “unset session” functionality
§  parse_str(): parses the given query string and stores the variables in the current scope. As a result, *ALL* request variables are imported into the function’s local scope.
§  session_write_close(): makes session data persistent throughout the user’s entire session. Session data is implicitly written to a local file on the server.

14. CVE-2011-2505: Exploit
§  An attacker can now:
•  Craft a malicious query string containing the _SESSION SuperGlobal
•  The injected _SESSION value overrides the session’s original values
•  The new values are saved to the local file
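The CWE-473 pattern behind slides 13 and 14 next to a hardened form, as an added example that is not phpMyAdmin’s or Imperva’s code: the parameter names session_to_unset and token come from the slide’s exploit URL, while the function name unset_session_hardened and the identifier rule for session keys are assumptions.

```php
<?php
// Added example, not phpMyAdmin's code. Shows the parse_str()/session_write_close()
// pattern the slides describe for CVE-2011-2505 beside a hardened replacement.

// VULNERABLE shape (file scope, PHP < 8; the one-argument parse_str() was
// removed in PHP 8). Every query variable becomes a global, so a request
// carrying _SESSION[x]=... replaces $_SESSION before it is persisted:
//
//     parse_str($_SERVER['QUERY_STRING']);   // imports $session_to_unset AND $_SESSION, $_SERVER, ...
//     session_write_close();                 // serialises the attacker-supplied $_SESSION to the session file

// HARDENED: parse into a private array, apply a positive model to the
// parameter names, validate the key, and only then touch $_SESSION.
function unset_session_hardened(string $queryString): bool
{
    parse_str($queryString, $params);   // $params is an ordinary array; SuperGlobals are untouched

    // Positive security model: only the documented parameters may appear.
    // (Verifying the anti-CSRF token value itself is out of scope here.)
    foreach (array_keys($params) as $name) {
        if (!in_array((string) $name, ['session_to_unset', 'token'], true)) {
            error_log("unset_session: rejected unexpected parameter '$name'");
            return false;
        }
    }

    // The key must be a plain identifier. Names starting with '!' are the
    // trigger for the PHP session serialization bug (CVE-2010-3065) that the
    // slides chain onto this one, so they are excluded along with '|' and
    // every other separator character.
    $key = $params['session_to_unset'] ?? null;
    if (!is_string($key) || !preg_match('/^[A-Za-z0-9_]{1,64}$/', $key)) {
        error_log('unset_session: rejected malformed session key');
        return false;
    }

    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    unset($_SESSION[$key]);   // $_SESSION was never replaced, only this one key is removed
    session_write_close();
    return true;
}

// Constructed inputs: a legitimate request, then the parameter shape from the
// slide's exploit URL (payload omitted). The second is rejected before any
// session write happens.
var_dump(unset_session_hardened('session_to_unset=123&token=abc'));
var_dump(unset_session_hardened('session_to_unset=123&token=abc&_SESSION[payload]=x'));
```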
15. Serialization Explained
§  The process of saving data stored in memory to a file is called “serialization”
§  The process of loading data stored in a file into memory is called “deserialization”
Source: http://www.studytonight.com/java/images/Serialization-deserialization.JPG

16. CVE-2010-3065: PHP Vulnerability & Exploit
§  Discovered by Stefan Esser – late 2010
§  An attacker can write data to the session in *ANY* format if the session variable name starts with ‘!’

17. PMA Session Deserialization: Vulnerability
§  On session deserialization, the load() function is called
§  Eval is evil!
•  Can be used to execute unexpected code
§  But in order to exploit it, attackers first need to specify a valid source (= session filename)

18. Guessing the Session Filename: Theory
§  Luckily for the attacker, the location of the session file is predictable
§  The session file name consists of
•  The “sess_” prefix
•  The session identifier – known to the user/attacker
§  The file’s path is predictable (default values)

19. Guessing the Session Filename: In the Wild
§  Multiple guesses for the path of the same session file (“sess_19qq…”)

20. The Final Exploit
§  Now the attackers can, *FINALLY*, get their code evaluated
§  /phpMyAdmin/index.php?session_to_unset=123&token=86498ff0a666f808df76ffaabee9b7a3&_SESSION[!bla]=|xxx|a:1:{i:0;O:10:"PMA_Config":1:{s:6:"source";s:59:"/var/lib/php5/sess_6a3e0376fbfe9797081a3ee202ef1ca85c451a62";}}&_SESSION[payload]=<?php phpinfo(); ?>

21. Exploit Result
§  Arbitrary PHP code is executed

22. PMA SuperGlobal Attacks In the Wild
§  The attack source is a hacked server
§  It attacks (at least) two other servers
§  The attacks persist over half a year

23. A Modern Exploit Summary: Research
§  Sophisticated research
§  Combines multiple vulnerabilities and issues in multiple domains
•  phpMyAdmin (PMA)
•  PHP internals

24. A Modern Exploit Summary: Development
§  Exploit packed in a single, “click once” PHP script
§  Automates the different attack stages
§  Can be launched from infected servers to infect others

25. Additional PHP SuperGlobal Attacks: In the Wild

26. SuperGlobal Attack Targets – I
§  Exploits of specific vulnerabilities – such as the previously discussed PMA attack
§  RFI (Remote File Inclusion): trying to overwrite “_SERVER[DOCUMENT_ROOT]” to point to an external resource

27. SuperGlobal Attack Targets – II
§  Part of general scanning against the site – Nikto, Acunetix, Nessus
§  IDS filter evasion: SuperGlobals provide an alternative way to represent HTTP query parameters
•  The “_REQUEST[Itemid]=1” request parameter is equivalent to “Itemid=1” in every way
•  However, it evades a naïve IDS signature that blacklists “Itemid=1”
•  We have seen this evasion technique applied to several CVEs

28. SuperGlobals In the Wild
§  During May 2013:
§  3.5K requests that manipulated PHP SuperGlobal variables
§  27 different attack sources
§  24 web applications as targets

29. Targeted SuperGlobals
§  Some SuperGlobals are more targeted than others
§  The more targeted SuperGlobals provide access to more sensitive resources
§  Share of requests by SuperGlobal: GLOBALS 55%, ENV 14%, SERVER 14%, SESSION 13%, REQUEST 4%

30. Summary & Conclusions
31. The Importance of a Positive Security Model
§  The essence of the external variable manipulation weakness: the attacker can send external parameters with the same names as internal variables, and thus override the values of the latter.
§  These external parameters are not part of the standard interface of the targeted application
§  Blocking all of the internal variables’ names may be difficult with a negative security approach
§  But it is trivial with a positive security mechanism that specifies the allowed parameter names for each resource

32. Layered Application Layer Mechanisms
§  Bad news: attackers can create a complex exploit by combining several vulnerabilities
§  Good news: breaking one link in the kill chain is enough to break the chain altogether
§  An application layer solution that combines multiple detection mechanisms is crucial for effective mitigation of such complex attacks:
•  Positive security model
•  Negative security model for generic issues (generic directory traversal protection, in this case)
•  Specific CVE detection

33. Third-Party Code Perils
§  Attackers target popular applications such as the phpMyAdmin (PMA) utility.
§  PMA is often bundled with other applications.
§  Having this vulnerable utility present on the server, even if it is not being used, exposes the server to code execution attacks.
§  Since administrators are not necessarily aware of all the bundled software, an “opt out” security model is needed.
§  One way to achieve such an “opt out” security model is by deploying a Web Application Firewall (WAF) with constant updates of security content.

34. SuperGlobal Parameters In Requests Should Be Blocked
§  There is no reason for these parameters to be present in valid requests, so they should be banned.
§  Imperva’s WAF customers received a content update to their Web Application Firewall on January 15th 2013.
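A request guard implementing the advice of slides 27, 31 and 34, as an added example that is not Imperva’s or phpMyAdmin’s code: the SuperGlobal list is the one from slide 9, the per-resource allowlist is a constructed illustration, and the function names superglobal_names, offending_parameters and is_request_allowed are assumptions.

```php
<?php
// Added example, not Imperva's or phpMyAdmin's code. Blocks request parameters
// named after SuperGlobals and enforces a per-resource positive security model.

// The nine SuperGlobals from the slide "PHP SuperGlobal List".
function superglobal_names(): array
{
    return ['GLOBALS', '_SERVER', '_GET', '_POST', '_FILES',
            '_COOKIE', '_SESSION', '_REQUEST', '_ENV'];
}

// Returns the top-level parameter names that collide with a SuperGlobal.
// PHP parses "_SESSION[!bla]=..." into $params['_SESSION']['!bla'] and
// "_REQUEST[Itemid]=1" into $params['_REQUEST']['Itemid'], so checking the
// top-level key catches both the PMA exploit shape and the IDS-evasion form.
// PHP variable names are case-sensitive, so only the exact spelling collides.
function offending_parameters(array $params): array
{
    $hits = [];
    foreach (array_keys($params) as $name) {
        if (in_array((string) $name, superglobal_names(), true)) {
            $hits[] = (string) $name;
        }
    }
    return $hits;
}

// Positive security model: each resource declares the parameter names it
// accepts; anything else is rejected, whether or not it looks malicious.
function is_request_allowed(string $resource, array $params, array $allowlist): bool
{
    $allowed = $allowlist[$resource] ?? [];
    foreach (array_keys($params) as $name) {
        if (!in_array((string) $name, $allowed, true)) {
            return false;
        }
    }
    return true;
}

// Constructed allowlist and query strings for the demo. parse_str() with a
// target array writes into $params only, so the live SuperGlobals are never
// touched while inspecting the samples.
$allowlist = ['/phpMyAdmin/index.php' => ['session_to_unset', 'token', 'db', 'table']];

$samples = [
    'db=test&table=users',                                  // legitimate
    'session_to_unset=123&token=abc&_SESSION[payload]=x',   // PMA-style SuperGlobal injection
    '_REQUEST[Itemid]=1',                                   // IDS-evasion form of Itemid=1
];
foreach ($samples as $qs) {
    parse_str($qs, $params);
    $bad = offending_parameters($params);
    $ok  = is_request_allowed('/phpMyAdmin/index.php', $params, $allowlist);
    printf("%-55s superglobal=%-10s allowed=%s\n",
           $qs, $bad ? implode(',', $bad) : '-', $ok ? 'yes' : 'NO');
}
```

The SuperGlobal check alone would already reject the second and third samples; the allowlist additionally rejects any parameter the resource never documented, which is what makes the model positive rather than a blacklist.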
35. Summing Up
§  Establish a positive security model
§  Use layered application layer security mechanisms
§  Beware of third-party code perils
§  Block SuperGlobal parameters in requests

36. Webinar Materials
Post-webinar discussions
Answers to attendee questions
Webinar recording link
Join the Imperva LinkedIn Group, Imperva Data Security Direct, for…

37. www.imperva.com