Secure input and output handling - Meet Magento Romania 2016
Talk about secure input and output handling and Meet Magento Romania 2016
  1. Meet Magento Romania 2016 | @rescueAnn
     Secure input and output handling
     How not to suck at data validation and output
     Anna Völkl
  2. Hi, I’m Anna! I do Magento things. 6 years of Magento, PHP since 2004. I love IT & Information Security. Magento Security Best Practises, anyone?! I work at E-CONOMIX (Magento & Typo3) ❤ Linz, Austria
  3. What this talk is all about: ★ XSS ★ Frontend input validation ★ Backend input validation ★ Output escaping
  4. Once upon a time...
  5. Academic titles - what we expected: BA, PhD, BSc, MA, DI, MSc, Mag., MBA, Dr., LL.M.
  6. Academic titles - what we got (image)
  7. XSS is real.
  8. index.php?name=Anna<script>alert('XSS');</script>
  9. “Cross-Site Scripting (XSS) attacks occur when: 1. Data enters a Web application through an untrusted source, most frequently a web request. 2. The data is included in dynamic content that is sent to a web user without being validated for malicious content.” Source: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
  10. XSS in latest SUPEEs
      SUPEE-8788 ● 17 vulnerabilities ● 4 XSS (1 high, 4 medium)
      SUPEE-7405 ● 20 vulnerabilities ● 7 XSS (2 critical, 1 high, 2 medium, 2 low)
  11. Every feature adds a risk. ⬇ Every input/output adds a risk.
  12. Input ⬇ Process ⬇ Output
  13. (image) Source: http://transferready.co.uk/index.php/blog/function-machines/
  14. (image) Source: http://transferready.co.uk/index.php/blog/function-machines/
  15. (function machine) Input: e-mail address, password. Output: Logged in customer
  16. (image) Security-Technology, Department of Defense Computer Security Initiative, 1980
  17. Stop “Last Minute Security”: do the coding, spend the last X hours on „making it secure“. Secure coding doesn't really take longer. Data quality ⇔ software quality ⇔ security. Always keep security in mind.
  18. (image) Source: http://blogs.technet.com/b/rhalbheer/archive/2011/01/14/real-physical-security.aspx
  19. Input
  20. Frontend input validation ● User experience ● Stop unwanted input when it occurs ● Do not bother your server with crazy input requests. Don't fill up your database with garbage.
  21. Magento Frontend Validation. Magento 1 (51 validation rules): js/prototype/validation.js. Magento 2 (74 validation rules): app/code/Magento/Ui/view/base/web/js/lib/validation/rules.js
  22. [M2] app/code/Magento/Ui/view/base/web/js/lib/validation/rules.js
  23. [M2] Rules in app/code/Magento/Ui/view/base/web/js/lib/validation/rules.js: min_text_length, max_text_length, max-words, min-words, range-words, letters-with-basic-punc, alphanumeric, letters-only, no-whitespace, zip-range, integer, vinUS, dateITA, dateNL, time, time12h, phoneUS, phoneUK, mobileUK, stripped-min-length, email2, url2, credit-card-types, ipv4, ipv6, pattern, validate-no-html-tags, validate-select, validate-no-empty, validate-alphanum-with-spaces, validate-data, validate-street, validate-phoneStrict, validate-phoneLax, validate-fax, validate-email, validate-emailSender, validate-password, validate-admin-password, validate-url, validate-clean-url, validate-xml-identifier, validate-ssn, validate-zip-us, validate-date-au, validate-currency-dollar, validate-not-negative-number, validate-zero-or-greater, validate-greater-than-zero, validate-css-length, validate-number, validate-number-range, validate-digits, validate-digits-range, validate-range, validate-alpha, validate-code, validate-alphanum, validate-date, validate-identifier, validate-zip-international, validate-state, less-than-equals-to, greater-than-equals-to, validate-emails, validate-cc-number, validate-cc-ukss, required-entry, checked, not-negative-amount, validate-per-page-value-list, validate-new-password, validate-item-quantity, equalTo
  24. [M2] Add your own validator
      define([
          'jquery',
          'jquery/ui',
          'jquery/validate',
          'mage/translate'
      ], function ($) {
          // Rule name is what data-validate refers to; the callback returns true when the value is valid.
          $.validator.addMethod('validate-custom-name', function (value) {
              return (value !== 'anna');
          }, $.mage.__('Enter valid name'));
      });
  25. [M2] Adding frontend-validation
      <form>
          <div class="field required">
              <input type="email" id="email_address"
                     data-validate="{required:true, 'validate-email':true}"
                     aria-required="true">
          </div>
      </form>
  26. Bonus
  27. [M2] Adding frontend-validation (the markup of slide 25 repeated)
  28. Why frontend validation is not enough... (image) Source: https://quadhead.de/cola-hack-sicherheitsluecke-auf-meinecoke-de/
  29. Don’t trust the user. Don’t trust the input!
  30. (image)
  31. EAV Backend validation input rules. Magento 1: Mage_Eav_Attribute_Data_Abstract. Magento 2: Magento\Eav\Model\Attribute\Data\AbstractData
  32. [M2] Magento\Eav\Model\Attribute\Data\AbstractData Input Validation Rules: ● alphanumeric ● numeric ● alpha ● email ● url ● date
  33. Zend\Validator Standard Validation Classes: Alnum, Alpha, Barcode, Between, Callback, CreditCard, Date, DbRecordExists and DbNoRecordExists, Digits, EmailAddress, File validation classes, GreaterThan, Hex, Hostname, Iban, Identical, InArray, Ip, Isbn, IsFloat, IsInt, LessThan, NotEmpty, PostCode, Regex, Sitemap validators, Step, StringLength, Timezone, Uri
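The server-side input rules of slides 32 and 33 applied to the academic-title attribute from the story, as an added example that is not Magento's or the speaker's code: a simplified rule checker in the spirit of Magento\Eav\Model\Attribute\Data\AbstractData. The rule implementations (ctype_*, filter_var, DateTime), the whitelist and the function names are my own choices, not how the Magento class is written.

```php
<?php
// Added example, not Magento's code: simplified server-side input rules
// named after slide 32, implemented with plain PHP built-ins.
declare(strict_types=1);

function passesInputRule(string $rule, string $value): bool
{
    switch ($rule) {
        case 'alphanumeric':
            return ctype_alnum($value);
        case 'numeric':
            return is_numeric($value);
        case 'alpha':
            return ctype_alpha($value);
        case 'email':
            return filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
        case 'url':
            return filter_var($value, FILTER_VALIDATE_URL) !== false;
        case 'date':
            $d = DateTime::createFromFormat('Y-m-d', $value);
            return $d !== false && $d->format('Y-m-d') === $value;
        default:
            // Unknown rule name: fail closed instead of silently accepting.
            return false;
    }
}

/**
 * Validate the "academic title" attribute. A whitelist (slide 52: a dropdown
 * would have done the same job) is the strongest option; note that the plain
 * 'alpha' rule alone would even reject legitimate titles such as "Dr.".
 */
function validateAcademicTitle(string $value, array $allowed): array
{
    $value = trim($value);
    if ($value === '') {
        return ['valid' => true, 'reason' => 'empty is allowed'];
    }
    if (in_array($value, $allowed, true)) {
        return ['valid' => true, 'reason' => 'whitelisted'];
    }
    if (passesInputRule('alpha', $value)) {
        return ['valid' => false, 'reason' => 'letters only, but not a known title'];
    }
    return ['valid' => false, 'reason' => 'rejected by alpha rule'];
}

// Constructed sample input: the titles slide 5 expected, plus the payload of
// slide 8, which reaches the server whether or not frontend validation ran.
$expected = ['BA', 'PhD', 'BSc', 'MA', 'DI', 'MSc', 'Mag.', 'MBA', 'Dr.', 'LL.M.'];
foreach (['Dr.', 'PhD', "Anna<script>alert('XSS');</script>", 'Prof'] as $input) {
    $r = validateAcademicTitle($input, $expected);
    printf("%-40s valid=%s (%s)\n", $input, $r['valid'] ? 'yes' : 'no', $r['reason']);
}
```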
  34. Output
  35. Is input validation not enough?!
  36. Magento 2 Templates XSS security
  37. [M2] Magento 2 Templates XSS security: getXXXHtml()
      <?php echo $block->getTitleHtml() ?>
      <?php echo $block->getHtmlTitle() ?>
      <?php echo $block->escapeHtml($block->getTitle()) ?>
  38. [M2] Magento 2 Templates XSS security: Type casting and PHP function count()
      <h1><?php echo (int)$block->getId() ?></h1>
      <?php echo count($var); ?>
  39. [M2] Magento 2 Templates XSS security: Output in single or double quotes
      <?php echo 'some text' ?>
      <?php echo "some text" ?>
  40. [M2] Magento 2 Templates XSS security: Use specific escape functions
      <a href="<?php echo $block->escapeXssInUrl($block->getUrl()) ?>">
          <?php echo $block->getAnchorTextHtml() ?>
      </a>
  41. [M2] Use these. Also Magento does it! $block->escapeHtml(), $block->escapeQuote(), $block->escapeUrl(), $block->escapeXssInUrl()
  42. [M2] $block->escapeHtml(): whitelist of allowed tags, htmlspecialchars
  43. [M2] Magento\Framework\Escaper
  44. [M2] $block->escapeHtml(): whitelist of allowed tags, htmlspecialchars. $block->escapeQuote(): escape quotes inside HTML attributes; $addSlashes (default false) for escaping JS inside an HTML attribute (onClick, onSubmit etc.)
  45. [M2] $block->escapeUrl(): escape HTML entities in a URL (htmlspecialchars). $block->escapeXssInUrl(): eliminate 'javascript' + htmlspecialchars
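A simplified reimplementation of the four escape methods of slides 41 to 45, added here as an example and not taken from Magento\Framework\Escaper; the class name MiniEscaper and the input values are constructed so that the differences between the methods show on one value.

```php
<?php
// Added example, not Magento's Escaper: simplified versions of the four
// escape methods so their differences can be observed side by side.
declare(strict_types=1);

final class MiniEscaper
{
    /** escapeHtml: htmlspecialchars, optionally keeping a whitelist of tags. */
    public function escapeHtml(string $data, array $allowedTags = []): string
    {
        if ($allowedTags === []) {
            return htmlspecialchars($data, ENT_COMPAT, 'UTF-8', false);
        }
        $allowed = implode('|', array_map('preg_quote', $allowedTags));
        // Hide bare whitelisted tags (no attributes) behind placeholders,
        // escape everything else, then restore the placeholders as tags.
        $tmp = preg_replace('~<(/?)(' . $allowed . ')>~i', '##$1$2##', $data);
        $tmp = htmlspecialchars($tmp, ENT_COMPAT, 'UTF-8', false);
        return preg_replace('~##(/?)(' . $allowed . ')##~i', '<$1$2>', $tmp);
    }

    /** escapeQuote: for values inside HTML attributes; ENT_QUOTES also covers '. */
    public function escapeQuote(string $data, bool $addSlashes = false): string
    {
        if ($addSlashes) {
            $data = addslashes($data); // for JS inside an attribute (onclick etc.)
        }
        return htmlspecialchars($data, ENT_QUOTES, 'UTF-8', false);
    }

    /** escapeUrl: HTML entities only; a javascript: scheme is left in place. */
    public function escapeUrl(string $data): string
    {
        return htmlspecialchars($data, ENT_COMPAT, 'UTF-8', false);
    }

    /** escapeXssInUrl: drop the javascript: identifier, then escape entities. */
    public function escapeXssInUrl(string $data): string
    {
        $stripped = preg_replace('~javascript\s*:~i', '', $data);
        return htmlspecialchars($stripped, ENT_COMPAT, 'UTF-8', false);
    }
}

$e = new MiniEscaper();
$title = "Dr. <b>Anna</b> <script>alert('XSS')</script>"; // constructed value
echo $e->escapeHtml($title), "\n";            // no whitelist: every tag is escaped
echo $e->escapeHtml($title, ['b']), "\n";     // <b> survives, <script> does not
echo $e->escapeHtml("it's"), "\n";            // ENT_COMPAT leaves the single quote
echo $e->escapeQuote("it's \"quoted\""), "\n"; // both quote kinds become entities
echo $e->escapeQuote("it's", true), "\n";     // addslashes first, then entities
echo $e->escapeUrl('javascript:alert(1)'), "\n";      // scheme is kept
echo $e->escapeXssInUrl('javascript:alert(1)'), "\n"; // scheme is removed
```

The single regex in escapeXssInUrl is a stand-in; the real Escaper's script-identifier filtering is broader, which is one more reason to call $block->escapeXssInUrl() in templates rather than a hand-rolled version.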
  46. (image)
  47. Testing
  48. Static XSS Test: XssPhtmlTemplateTest.php in dev/tests/static/testsuite/Magento/Test/Php. See http://devdocs.magento.com/guides/v2.0/frontend-dev-guide/templates/template-security.html
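A small linter, added as an example and not the XssPhtmlTemplateTest itself, that applies the template rules of slides 37 to 40 to echo statements in a .phtml fragment; the function names and the sample template are constructed, and the sample mixes the slides' own lines with two deliberately unescaped ones.

```php
<?php
// Added example, not Magento's static test: an echo in a template is accepted
// when its expression is a quoted literal, a scalar cast, count(), a
// get…Html()/getHtml…() call, or a $block->escape*() call (slides 37-40).
declare(strict_types=1);

function isEchoSafe(string $expr): bool
{
    $expr = trim($expr);
    $safePatterns = [
        '~^([\'"]).*\1$~s',                          // 'literal' or "literal"
        '~^\((int|float|bool|string)\)~i',           // type cast
        '~^count\(~',                                // count($var)
        '~^\$(block|this)->get\w*Html\w*\(~',        // getTitleHtml(), getHtmlTitle()
        '~^\$(block|this)->escape\w+\(~',            // escapeHtml(), escapeXssInUrl()...
    ];
    foreach ($safePatterns as $re) {
        if (preg_match($re, $expr) === 1) {
            return true;
        }
    }
    return false;
}

/** Return the echo expressions in a template string that none of the rules accept. */
function findUnescapedEchos(string $phtml): array
{
    $findings = [];
    // Matches `<?php echo EXPR ?>` and `<?= EXPR ?>`; EXPR runs up to the closing tag.
    preg_match_all('~<\?(?:php\s+echo|=)\s*(.*?)\s*;?\s*\?>~s', $phtml, $m);
    foreach ($m[1] as $expr) {
        if (!isEchoSafe($expr)) {
            $findings[] = $expr;
        }
    }
    return $findings;
}

// Constructed template fragment: the slides' examples plus two unescaped lines.
$template = <<<'PHTML'
<h1><?php echo (int)$block->getId() ?></h1>
<p><?php echo $block->getTitleHtml() ?></p>
<p><?php echo $block->escapeHtml($block->getTitle()) ?></p>
<p><?php echo $block->getTitle() ?></p>
<a href="<?php echo $block->escapeXssInUrl($block->getUrl()) ?>">x</a>
<a href="<?= $block->getUrl() ?>">y</a>
<?php echo 'some text' ?>
PHTML;

foreach (findUnescapedEchos($template) as $expr) {
    echo "unescaped output: $expr\n";
}
```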
  49. $ magento dev:tests:run static
  50. $ magento dev:tests:run static (repeated)
  51. What happened to the little attribute?!
  52. Weird customers and customer data were removed. Frontend validation added (a dropdown, i.e. a whitelist, would have been an option too). Server side validation added. Output escaped.
  53. Summary. Think, act and design your software responsibly: 1. Client side validation 2. Server side validation 3. UTF-8 all the way 4. Escape at point of use 5. Use & run tests
  54. Questions? Right here, right now or later @rescueAnn