Secure input and output handling in Magento

Meet Magento Romania 2016 | @rescueAnn
Secure input and output
handling
How not to suck at data
validation and output
Anna Völkl

Hi, I’m Anna!
I do Magento things
6 years of Magento, PHP since 2004
I love IT & Information Security
Magento Security Best Practises, anyone?!
I work at E-CONOMIX
Magento & Typo3 ❤ Linz, Austria

What this talk is all about:
★ XSS
★ Frontend input validation
★ Backend input validation
★ Output escaping

Once upon a time...

Academic titles - what we expected
BA PhD
BSc MA
DI MSc
Mag. MBA
Dr. LL.M.

Academic titles - what we got

XSS is real.

index.php?name=Anna<script>alert('XSS');</script>

“Cross-Site Scripting (XSS) attacks occur when:
1. Data enters a Web application through an untrusted
source, most frequently a web request.
2. The data is included in dynamic content that is sent
to a web user without being validated for malicious
content.”
Source: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

XSS in latest SUPEEs
SUPEE-8788
● 17 vulnerabilities
● 4 XSS (1 high, 4 medium)
SUPEE-7405
● 20 vulnerabilities
● 7 XSS (2 critical, 1 high, 2 medium, 2 low)

Every feature adds a risk.
⬇
Every input/output adds a risk.

Input
⬇
Process
⬇
Output

Meet Magento Romania 2016 | @rescueAnnSource: http://transferready.co.uk/index.php/blog/function-machines/

e-mail address
password
Logged in
customer

Security-Technology, Department of Defense Computer
Security Initiative, 1980

Stop “Last Minute Security”
Do the coding, spend last X hours on „making it secure“
Secure coding doesn't really take longer
Data quality ⇔ software quality ⇔ security
Always keep security in mind.

Source: http://blogs.technet.com/b/rhalbheer/archive/2011/01/14/real-physical-security.aspx

Input

Frontend input validation
● User experience
● Stop unwanted input when it occurs
● Do not bother your server with crazy input
requests
Don't fill up your database with garbage.

Magento Frontend Validation
Magento 1 (51 validation rules)
js/prototype/validation.js
Magento 2 (74 validation rules)
app/code/Magento/Ui/view/base/web/js
/lib/validation/rules.js

app/code/Magento/Ui/
view/base/web/js/lib/
validation/rules.js
M
2

app/code/Magento/Ui/view/base/web/js/lib/
validation/rules.js
min_text_length
max_text_length
max-words
min-words
range-words
letters-with-basic-punc
alphanumeric
letters-only
no-whitespace
zip-range
integer
vinUS
dateITA
dateNL
time
time12h
phoneUS
phoneUK
mobileUK
stripped-min-length
email2
url2
credit-card-types
ipv4
ipv6
pattern
validate-no-html-tags
validate-select
validate-no-empty
validate-alphanum-with-spaces
validate-data
validate-street
validate-phoneStrict
validate-phoneLax
validate-fax
validate-email
validate-emailSender
validate-password
validate-admin-password
validate-url
validate-clean-url
validate-xml-identifier
validate-ssn
validate-zip-us
validate-date-au
validate-currency-dollar
validate-not-negative-number
validate-zero-or-greater
validate-greater-than-zero
validate-css-length
validate-number
validate-number-range
validate-digits
validate-digits-range
validate-range
validate-alpha
validate-code
validate-alphanum
validate-date
validate-identifier
validate-zip-international
validate-state
less-than-equals-to
greater-than-equals-to
validate-emails
validate-cc-number
validate-cc-ukss
required-entry
checked
not-negative-amount
validate-per-page-value-list
validate-new-password
validate-item-quantity
equalTo
M
2

Add your own validator
define([
'jquery',
'jquery/ui',
'jquery/validate',
'mage/translate'
], function ($) {
$.validator.addMethod('validate-custom-name',
function (value) {
return (value !== 'anna');
}, $.mage.__('Enter valid name'));
});
M
2

<form>
<div class="field required">
<input type="email" id="email_address"
data-validate="{required:true,
'validate-email':true}"
aria-required="true">
</div>
</form>
Adding frontend-validation
M
2

Bonus

Meet Magento Romania 2016 | @rescueAnnSource: https://quadhead.de/cola-hack-sicherheitsluecke-auf-meinecoke-de/
Why frontend validation is not enough...

Don’t trust the user.
Don’t trust the input!

EAV Backend validation input rules
Magento 1
Mage_Eav_Attribute_Data_Abstract
Magento 2
MagentoEavModelAttributeDataAbstractData

MagentoEavModelAttributeDataAbstractData
Input Validation Rules:
● alphanumeric
● numeric
● alpha
● email
● url
● date
M
2

ZendValidator
Standard Validation Classes
Alnum Validator
Alpha Validator
Barcode Validator
Between Validator
Callback Validator
CreditCard Validator
Date Validator
DbRecordExists and
DbNoRecordExists
Validators
Digits Validator
EmailAddress Validator
File Validation Classes
GreaterThan Validator
Hex Validator
Hostname Validator
Iban Validator
Identical Validator
InArray Validator
Ip Validator
Isbn Validator
IsFloat
IsInt
LessThan Validator
NotEmpty Validator
PostCode Validator
Regex Validator
Sitemap Validators
Step Validator
StringLength Validator
Timezone Validator
Uri Validator

Output

Is input validation not enough?!

Magento 2 Templates
XSS security

getXXXHtml()
<?php echo $block->getTitleHtml() ?>
<?php echo $block->getHtmlTitle() ?>
<?php echo
$block->escapeHtml($block->getTitle()) ?>
M
2
Magento 2 Templates XSS security

Type casting and PHP function count()
<h1><?php echo (int)$block->getId() ?></h1>
<?php echo count($var); ?>
M
2

Output in single or double quotes
<?php echo 'some text' ?>
<?php echo "some text" ?>
M
2

Use specific escape functions
<a href="<?php echo $block->escapeXssInUrl(
$block->getUrl()) ?>">
<?php echo $block->getAnchorTextHtml() ?>
</a>
M
2

Use these. Also Magento does it!
$block->escapeHtml()
$block->escapeQuote()
$block->escapeUrl()
$block->escapeXssInUrl()
M
2

Whitelist: allowed Tags, htmlspecialchars
M
2

MagentoFrameworkEscaper
M
2

Whitelist: allowed Tags, htmlspecialchars
$block->escapeQuote()
Escape quotes inside html attributes
$addSlashes = false for escaping js inside html
attribute (onClick, onSubmit etc)
M
2

$block->escapeUrl()
Escape HTML entities in URL
(htmlspecialchars)
$block->escapeXssInUrl()
eliminating 'javascript' + htmlspecialchars
M
2

Testing

Static XSS Test
XssPhtmlTemplateTest.php in
devtestsstatictestsuiteMagentoT
estPhp
See
http://devdocs.magento.com/guides/v2.0/frontend-dev
-guide/templates/template-security.html

$ magento dev:tests:run static

What happened to the
little attribute?!

Weird customers and customer data was removed
Frontend validation added - Dropdown (whitelist)
would have been an option too
Server side validation added
Output escaped

Summary
Think, act and design your software responsibly:
1. Client side validation
2. Server side validation
3. UTF-8 all the way
4. Escape at point of use
5. Use & run tests

Questions?
Right here, right now
or later @resueAnn

Secure input and output handling in Magento

Recommended

Recommended

More Related Content

Similar to Secure input and output handling in Magento

Similar to Secure input and output handling in Magento (20)

Recently uploaded

Recently uploaded (20)

Secure input and output handling in Magento