Secure input and output handling - ViennaPHP
Updated version of my "Secure input and output handling" talk for the ViennaPHP Meetup on March 23rd, 2016
Secure input and output handling
How not to suck at data validation and output

Anna Völkl / @rescueAnn
● Hi, I'm Anna. http://anna.voelkl.at
● I'm a Magento Certified Developer. 5 years Magento, Java/PHP since 2004
● I love IT & Telecommunication and IT & Information Security.
● I work at a web agency in Vienna/AT.

What is Magento?
● eCommerce platform
● Initial release 2008
● Varien → eBay → Permira private equity fund
● Editions
  – Community Edition (CE, open source)
  – Enterprise Edition (EE)
● Matthias' talk: https://github.com/viennaphp/talks/blob/master/201505/01-outlook-on-magento-2.pdf

What is Magento?
http://blog.aheadworks.com/2016/03/magento-2-contributes-to-the-global-ecommerce-platforms-market/

Why is Magento cool?
● Feature rich
● Highly customizable
● Multiple stores/languages/currencies
● Medium to large enterprises, small-business teams
● Very active developer community (magento.stackexchange.com, Twitter, Slack, IRC, official forum, Reddit, ...)
● Magento 2 ;-)

Magento 2

Magento 2 technology stack
● Apache 2.x/Nginx 1.7+
● PHP 5.5, 5.6.x, 7.0
● MySQL 5.6.x/MySQL Percona 5.6.x
● Optional
  – Varnish 3.x/4.x
  – Redis 2.x/3.x, Memcache 1.4.x (cache storage)
  – Solr 4.x (ElasticSearch planned)

Magento 2 technology stack
● HTML 5, CSS 3 (LESS)
● jQuery, RequireJS
● Zend Framework 1, Zend Framework 2, Symfony
● Coding standards PSR-0 (autoloading standard), PSR-1 (basic coding standards), PSR-2 (coding style guide), PSR-3, PSR-4
● Composer (dependency management)

Magento 2 testing
● Automated testing suite
  – Integration
  – Functional areas
  – Performance
● PHPUnit (unit tests)
● Selenium (functional tests)

Once upon a time...

academic titles?!
What ended up in the free-text field meant for academic titles (spam, shown as submitted):
Teamwork also involves being a good teammate, which is why we are very proud シャネル デコ FC Barcelona and was presenting partner of the Fan Zone event prior to the gamehqn Лечебные грязи Сакского озера Trying to find for a approach to raise male power and endurance. New year2013 best now41 Импотенция вы поглядите ! how to write an essay explaining why you deserve a scholarship Sophisticated Men High-heeled shoes A Wise Choice http://onemilliondollarhomepage.ru/ how to write up divorce paper write your name really cool shady lady free download driver samsung hd160jj p

Our daily business
Input → Process → Output
(Source: Security-Technology, Department of Defense Computer Security Initiative, 1980)

OWASP Top 10
1) Injection
2) Broken Authentication and Session Management
3) Cross-Site Scripting (XSS)
4) Insecure Direct Object References
5) Security Misconfiguration
6) Sensitive Data Exposure
7) Missing Function Level Access Control
8) Cross-Site Request Forgery (CSRF)
9) Using Components with Known Vulnerabilities
10) Unvalidated Redirects and Forwards

Stop "last minute security"
● Do the coding, then spend the last X hours on "making it secure"? No.
● Secure coding doesn't really take longer.
● Data quality → software quality → security
● Always keep security in mind.

Every feature adds a risk.
Every input/output adds a risk.
http://blogs.technet.com/b/rhalbheer/archive/2011/01/14/real-physical-security.aspx

Input

Frontend input validation
● User experience
● Stop unwanted input when it occurs
● Do not bother your server with crazy input
● Only store what you expect. Don't fill up your database with garbage.

Magento frontend validation
Magento 1 (51 validation rules): js/prototype/validation.js
Magento 2 (74 validation rules): app/code/Magento/Ui/view/base/web/js/lib/validation/rules.js

Rules in app/code/Magento/Ui/view/base/web/js/lib/validation/rules.js:
min_text_length, max_text_length, max-words, min-words, range-words, letters-with-basic-punc, alphanumeric, letters-only, no-whitespace, zip-range, integer, vinUS, dateITA, dateNL, time, time12h, phoneUS, phoneUK, mobileUK, stripped-min-length, email2, url2, credit-card-types, ipv4, ipv6, pattern, validate-no-html-tags, validate-select, validate-no-empty, validate-alphanum-with-spaces, validate-data, validate-street, validate-phoneStrict, validate-phoneLax, validate-fax, validate-email, validate-emailSender, validate-password, validate-admin-password, validate-url, validate-clean-url, validate-xml-identifier, validate-ssn, validate-zip-us, validate-date-au, validate-currency-dollar, validate-not-negative-number, validate-zero-or-greater, validate-greater-than-zero, validate-css-length, validate-number, validate-number-range, validate-digits, validate-digits-range, validate-range, validate-alpha, validate-code, validate-alphanum, validate-date, validate-identifier, validate-zip-international, validate-state, less-than-equals-to, greater-than-equals-to, validate-emails, validate-cc-number, validate-cc-ukss, required-entry, checked, not-negative-amount, validate-per-page-value-list, validate-new-password, validate-item-quantity, equalTo

Add your own validator (Magento 2)
define([
    'jquery',
    'jquery/ui',
    'jquery/validate',
    'mage/translate'
], function ($) {
    // Registers a new jQuery Validate rule that can be referenced from data-validate.
    $.validator.addMethod('validate-custom-name', function (value) {
        return (value !== 'anna');
    }, $.mage.__('Enter valid name'));
});

Using the rules in a form (Magento 2)
<form>
    <div class="field required">
        <input type="email" id="email_address"
               data-validate="{required:true, 'validate-email':true}" aria-required="true">
    </div>
</form>

<form>
    <fieldset data-hasrequired="* Required Fields">
        <input type="password"
               data-validate="{required:true, 'validate-password':true}" id="password" aria-required="true">
        <input type="password"
               data-validate="{required:true, equalTo:'#password'}" id="password-confirmation" aria-required="true">
    </fieldset>
</form>

Why frontend validation is not enough...
https://quadhead.de/cola-hack-sicherheitsluecke-auf-meinecoke-de/

Don't trust the user. Don't trust the input!

Why validate input? Because it comes from everywhere:
● User form input
● Database query results
● Web services
● Server variables
● Cookies

Validate input: rules
Magento 1: Mage_Eav_Attribute_Data_Abstract
Magento 2: Magento\Eav\Model\Attribute\Data\AbstractData

Magento\Eav\Model\Attribute\Data\AbstractData input validation rules (Magento 2):
– alphanumeric
– numeric
– alpha
– email
– url
– date

Zend\Validator standard validation classes (Magento 2):
Alnum, Alpha, Barcode, Between, Callback, CreditCard, Date, DbRecordExists and DbNoRecordExists, Digits, EmailAddress, File validation classes, GreaterThan, Hex, Hostname, Iban, Identical, InArray, Ip, Isbn, IsFloat, IsInt, LessThan, NotEmpty, PostCode, Regex, Sitemap validators, Step, StringLength, Timezone, Uri
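The slides list the rule names but not what a server-side check looks like in practice. The following is an added example in plain PHP 7, not code from the talk, from Magento or from Zend: it validates the academic title attribute from the story with a whitelist (the dropdown alternative mentioned at the end, enforced on the server where a tampered request cannot skip it), checks encoding and length against an assumed column size, and validates an e-mail address. The field name "prefix", the allowed values, the 40-character limit and the sample requests are all constructed for illustration.

```php
<?php
// Added example (not Magento's or Zend's code): server-side validation of two
// customer fields, applied to the raw request values regardless of what any
// browser-side rule already "checked". Requires ext-mbstring (Magento does too).

/** Allowed values for the academic title ("prefix") attribute (assumed list). */
const ALLOWED_PREFIXES = ['', 'Dr.', 'Prof.', 'Mag.', 'DI', 'Ing.'];

/**
 * Validate one submitted prefix. Returns a list of error messages (empty = valid).
 */
function validatePrefix($value): array
{
    // A tampered request can send arrays or nothing at all: reject before any string work.
    if (!is_string($value)) {
        return ['Prefix must be a string.'];
    }
    // Enforce valid UTF-8 first; length checks, /u regexes and the database all assume it.
    if (!mb_check_encoding($value, 'UTF-8')) {
        return ['Prefix is not valid UTF-8.'];
    }
    $value  = trim($value);
    $errors = [];
    // Length limit mirrors the (assumed) varchar(40) column so nothing is silently truncated.
    if (mb_strlen($value, 'UTF-8') > 40) {
        $errors[] = 'Prefix is too long (max 40 characters).';
    }
    // Whitelist: the only values that can ever be stored. Strict comparison avoids "0" == "" surprises.
    if (!in_array($value, ALLOWED_PREFIXES, true)) {
        $errors[] = 'Prefix is not one of the allowed values.';
    }
    return $errors;
}

/**
 * Fields that cannot be a whitelist still get type, encoding, length and format checks.
 */
function validateEmail($value): array
{
    if (!is_string($value) || !mb_check_encoding($value, 'UTF-8')) {
        return ['Email must be a valid UTF-8 string.'];
    }
    $value = trim($value);
    if (mb_strlen($value, 'UTF-8') > 255) {
        return ['Email is too long.'];
    }
    // FILTER_VALIDATE_EMAIL rejects CR/LF, so header injection into mail() is stopped here too.
    if (filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
        return ['Email address is invalid.'];
    }
    return [];
}

// Constructed sample requests, as a client that bypassed the JavaScript rules could send them.
$samples = [
    ['prefix' => 'Dr.',                      'email' => 'anna@example.com'],
    ['prefix' => '<a href="http://spam">x',  'email' => 'anna@example.com'],
    ['prefix' => ['Dr.'],                    'email' => 'not-an-email'],
    ['prefix' => str_repeat('A', 41),        'email' => "anna@example.com\r\nBcc: victim@example.com"],
];

foreach ($samples as $i => $post) {
    $errors = array_merge(
        validatePrefix($post['prefix'] ?? null),
        validateEmail($post['email'] ?? null)
    );
    printf("sample %d: %s\n", $i, $errors ? implode(' ', $errors) : 'OK');
}
```

Only the first sample passes; the spam link, the array, the over-long title and the CRLF in the e-mail are each rejected with a message that can be shown to the user, and nothing reaches the database that the column was not designed for.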
Output

Is input validation not enough?
● XSS
  – Protect your users
  – Protect yourself!
● Store escaped data?
  – No: prepare (escape) the data where it's needed, at output time.

Use
$block->escapeHtml()
$block->escapeQuote()
$block->escapeUrl()
$block->escapeXssInUrl()
...Magento itself does it, too!

$block->escapeHtml()
Whitelist of allowed tags, htmlspecialchars (Magento 2)

Magento\Framework\Escaper (Magento 2)

$block->escapeQuote()
Escapes quotes inside HTML attributes; with $addSlashes = false by default, set it to true for JavaScript inside an HTML attribute (onClick, onSubmit etc.) (Magento 2)

$block->escapeUrl()
Escapes HTML entities in a URL (htmlspecialchars) (Magento 2)
$block->escapeXssInUrl()
Eliminates 'javascript' + htmlspecialchars (Magento 2)
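As an added illustration, not Magento\Framework\Escaper (the talk names the methods but does not show their bodies), the plain PHP class below implements the four helpers with the behaviour described above and shows what each does to constructed attacker input. One deliberate difference is labelled in the code: this escapeXssInUrl allows only http(s) and relative URLs instead of removing the string 'javascript', because 'JaVaScRiPt:', 'java&#9;script:' or 'data:' URLs would survive a plain substring check.

```php
<?php
// Added example: an illustrative re-implementation of the four escaping helpers.
// This is not Magento\Framework\Escaper; the method bodies are this example's own.

class DemoEscaper
{
    /** Text-node context: neutralise < > & " '. ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''. */
    public function escapeHtml(string $data): string
    {
        // The "allowed tags" variant of Magento's escapeHtml is intentionally not reproduced here.
        return htmlspecialchars($data, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }

    /** Quoted HTML attribute context (value="..."); with $addSlashes also usable inside an inline JS string. */
    public function escapeQuote(string $data, bool $addSlashes = false): string
    {
        if ($addSlashes) {
            $data = addslashes($data);
        }
        return htmlspecialchars($data, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }

    /** URL placed in an attribute: HTML-escape it so it cannot break out of href="...". */
    public function escapeUrl(string $data): string
    {
        return htmlspecialchars($data, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }

    /**
     * Possibly attacker-controlled URL. Difference to the original: an allowlist of
     * schemes (http, https) instead of deleting the substring 'javascript', so that
     * 'JaVaScRiPt:', 'java&#9;script:', 'vbscript:' and 'data:' are all rejected too.
     */
    public function escapeXssInUrl(string $data): string
    {
        // Undo HTML entity encoding first (javascript&colon; ...), then drop the control
        // characters and spaces that browsers ignore inside a scheme (java\tscript:).
        $normalized = html_entity_decode($data, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $normalized = preg_replace('/[\x00-\x20]+/', '', $normalized);
        if (preg_match('/^([a-z][a-z0-9+.-]*):/i', $normalized, $m)
            && !in_array(strtolower($m[1]), ['http', 'https'], true)) {
            return ''; // unsafe scheme: emit nothing rather than a partially "cleaned" URL
        }
        return $this->escapeUrl($data); // relative or http(s) URL: still escape for the attribute
    }
}

$e = new DemoEscaper();
$title = '"><script>alert(1)</script>';            // constructed attacker input
$url   = "\tJaVaScRiPt:alert(document.cookie)";     // constructed attacker input

echo '<h1>' . $e->escapeHtml($title) . "</h1>\n";
echo '<input value="' . $e->escapeQuote($title) . "\">\n";
echo '<a onclick="go(\'' . $e->escapeQuote($title, true) . "')\">x</a>\n";
echo '<a href="' . $e->escapeXssInUrl($url) . "\">link</a>\n";
echo '<a href="' . $e->escapeXssInUrl('/customer/account/?ref=' . urlencode($title)) . "\">safe</a>\n";
```

The <script> payload comes out as inert &lt;script&gt; text in every HTML context, the javascript: URL is dropped entirely, and the relative URL passes through unchanged. Protocol-relative URLs (//host/...) have no scheme and are accepted by this allowlist; add a check for a leading // if that is not wanted.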
Magento 2 templates: XSS security
Acceptable in templates (output is already safe):
<?php echo $block->getTitleHtml() ?>
<?php echo $block->getHtmlTitle() ?>
<?php echo $block->escapeHtml($block->getTitle()) ?>
<h1><?php echo (int)$block->getId() ?></h1>
<?php echo count($var); ?>
<?php echo 'some text' ?>
<?php echo "some text" ?>
<a href="<?php echo $block->escapeXssInUrl($block->getUrl()) ?>">
    <?php echo $block->getAnchorTextHtml() ?>
</a>
Taken from http://devdocs.magento.com/guides/v2.0/frontend-dev-guide/templates/template-security.html

Magento 2 templates: XSS security
● Static test: XssPhtmlTemplateTest.php in dev/tests/static/testsuite/Magento/Test/Php
● See http://devdocs.magento.com/guides/v2.0/frontend-dev-guide/templates/template-security.html

Run the static tests: magento dev:tests:run static
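The static test enforces rules like the ones in the list above. The function below is an added example, not XssPhtmlTemplateTest (which is considerably more thorough): it applies those rules with regular expressions to a constructed .phtml snippet and reports every echo whose expression is not a string literal, a numeric/bool cast, count(), an escape call on $block/$this, or a method whose name ends in Html. The safe-pattern list and the sample template are this example's own.

```php
<?php
// Added example (not Magento's XssPhtmlTemplateTest): a minimal static check for
// unescaped output in .phtml templates, built from the rules on the devdocs page.

/**
 * Return the echo statements in $phtml whose expression is not obviously safe.
 * Each finding is [line number, expression].
 */
function findUnescapedEchoes(string $phtml): array
{
    // Expressions considered safe, anchored at the start of the echoed expression.
    $safe = [
        '/^[\'"]/',                                  // string literal
        '/^\((int|integer|float|double|bool)\)/i',   // numeric or bool cast
        '/^count\(/',                                // count() result
        '/^\$(block|this)->escape\w*\(/',            // $block->escapeHtml(...) and friends
        '/^\$\w+->\w+Html\(/',                       // method named ...Html returns ready-made markup
    ];

    $findings = [];
    // Matches both "<?php echo expr ?>" and the short "<?= expr ?>" form, with an optional ';'.
    if (!preg_match_all('/<\?(?:php\s+echo|=)\s*(.*?)\s*;?\s*\?>/s', $phtml, $m, PREG_OFFSET_CAPTURE)) {
        return $findings;
    }
    foreach ($m[1] as $match) {
        list($expr, $offset) = $match;
        $expr = trim($expr);
        $ok = false;
        foreach ($safe as $pattern) {
            if (preg_match($pattern, $expr)) {
                $ok = true;
                break;
            }
        }
        if (!$ok) {
            $line = substr_count(substr($phtml, 0, $offset), "\n") + 1;
            $findings[] = [$line, $expr];
        }
    }
    return $findings;
}

// Constructed sample template: the safe lines from the slide plus two unsafe ones.
$template = <<<'PHTML'
<h1><?php echo $block->escapeHtml($block->getTitle()) ?></h1>
<p><?php echo $block->getTitleHtml() ?></p>
<span><?php echo (int)$block->getId() ?></span>
<span><?php echo count($var); ?></span>
<span><?php echo 'some text' ?></span>
<a href="<?php echo $block->escapeXssInUrl($block->getUrl()) ?>"><?php echo $block->getAnchorTextHtml() ?></a>
<p><?php echo $block->getDescription() ?></p>
<p><?= $block->getCustomer()->getPrefix() ?></p>
PHTML;

foreach (findUnescapedEchoes($template) as list($line, $expr)) {
    echo "line $line: unescaped output: $expr\n";
}
```

Against the sample it reports only the last two lines, getDescription() and the customer prefix from the story; the six lines taken from the slide pass. It is a heuristic: a method named getFooHtml() that actually returns raw user input would be waved through, which is why the naming convention itself has to be kept honest.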
What happened to the little attribute?
● Weird customers and their customer data were removed
● Frontend validation added
  – A dropdown (whitelist) would have been an option too
● Server-side validation added
● Output escaped

Summary
Think, act and design your software responsibly:
1) UTF-8 all the way
2) Client-side validation, filter input
3) Server-side validation
4) Data storage (database column size, ...)
5) Escape output
6) Run tests

</happy>

Thank you! Questions?
@rescueAnn
anna@voelkl.at