SlideShare a Scribd company logo
1 of 42
Download to read offline
Secure input and
output handling
How not to suck at data validation
and output encoding
Anna Völkl / @rescueAnn
 Hi, I'm Anna. http://anna.voelkl.at
 I'm a Magento Certified Developer.
5 years Magento, Java/PHP since 2004
 I love IT & Telecommunication and IT- & Information-
Security. 
 I work at LimeSoda. E-Commerce Agency in Vienna/AT
Once upon a time...
academic titles?!
Teamwork also involves being a good teammate, which is why we are very proud
シャネル デコ
FC Barcelona and was presenting partner of the Fan Zone event prior to the gamehqn
Лечебные грязи Сакского озера
Trying to find for a approach to raise male power and endurance.
New year2013 best now41
Импотенция вы поглядите !
how to write an essay explaining why you deserve a scholarship
Sophisticated
Men
High-heeled shoes
A Wise Choice
http://onemilliondollarhomepage.ru/
how to write up divorce paper
write your name really cool
shady lady free download
driver samsung hd160jj p
Our daily business
Input

Process

Output
Security-Technology, Department of Defense Computer
Security Initiative, 1980
XSS is real.
SUPEE-7405:
7 XSS (6 stored, 1 reflected)
Stop „Last Minute Security“
●
Do the coding, spend last X hours on „making it
secure“
●
Secure coding doesn't really take longer
●
Data quality  software quality  security
●
Always keep security in mind
Every feature adds a risk.

Every input/output adds a risk.
http://blogs.technet.com/b/rhalbheer/archive/2011/01/14/real-physical-security.aspx
Input
Frontend input validation
●
User experience
●
Stop unwanted input when it occurs
●
Do not bother your server with crazy input
●
Only store, what you expect
Don't fill up your database with garbage.
Magento Frontend Validation
Magento 1 (51 validation rules)
js/prototype/validation.js
Magento 2 (74 validation rules)
app/code/Magento/Ui/view/base/web/js/lib/validati
on/rules.js
app/code/Magento/Ui/view/base/web/js/lib/validation/rules.js
min_text_length
max_text_length
max-words
min-words
range-words
letters-with-basic-punc
alphanumeric
letters-only
no-whitespace
zip-range
integer
vinUS
dateITA
dateNL
time
time12h
phoneUS
phoneUK
mobileUK
stripped-min-length
email2
url2
credit-card-types
ipv4
ipv6
pattern
validate-no-html-tags
validate-select
validate-no-empty
validate-alphanum-with-spaces
validate-data
validate-street
validate-phoneStrict
validate-phoneLax
validate-fax
validate-email
validate-emailSender
validate-password
validate-admin-password
validate-url
validate-clean-url
validate-xml-identifier
validate-ssn
validate-zip-us
validate-date-au
validate-currency-dollar
validate-not-negative-number
validate-zero-or-greater
validate-greater-than-zero
validate-css-length
validate-number
validate-number-range
validate-digits
validate-digits-range
validate-range
validate-alpha
validate-code
validate-alphanum
validate-date
validate-identifier
validate-zip-international
validate-state
less-than-equals-to
greater-than-equals-to
validate-emails
validate-cc-number
validate-cc-ukss
required-entry
checked
not-negative-amount
validate-per-page-value-list
validate-new-password
validate-item-quantity
equalTo
Add your own validator
define([
'jquery',
'jquery/ui',
'jquery/validate',
'mage/translate'
], function ($) {
$.validator.addMethod('validate-custom-name',
function (value) {
return (value !== 'anna');
}, $.mage.__('Enter valid name'));
});
M
2
M
2
<form>
<div class="field required">
<input type="email" id="email_address"
data-validate="{required:true, 'validate-
email':true}"
aria-required="true">
</div>
</form>
M
2
<form>
<div class="field required">
<input type="email" id="email_address"
data-validate="{required:true, 'validate-
email':true}"
aria-required="true">
</div>
</form>
M
2
<form>
<fieldset data-hasrequired="* Required Fields">
<input type="password"
data-validate="{required:true, 'validate-
password':true}" id="password" aria-
required="true">
<input type="password"
data-validate="{required:true,
equalTo:'#password'}" id="password-
confirmation" aria-required="true">
</fieldset>
</form>
M
2
<form>
<fieldset data-hasrequired="* Required Fields">
<input type="password"
data-validate="{required:true, 'validate-
password':true}" id="password" aria-
required="true">
<input type="password"
data-validate="{required:true,
equalTo:'#password'}" id="password-
confirmation" aria-required="true">
</fieldset>
</form>
M
2
Why frontend validation is not enough...
https://quadhead.de/cola-hack-sicherheitsluecke-auf-meinecoke-de/
Don't trust the user.
Don't trust the input!
Why validate input?
User form input
Database query results
Web Services
Server variables
Cookies
Validate input rules
Magento 1
Mage_Eav_Attribute_Data_Abstract
Magento 2
MagentoEavModelAttributeDataAbstractData
MagentoEavModelAttributeDataAbstractData
Input Validation Rules
– alphanumeric
– numeric
– alpha
– email
– url
– date
M
2
ZendValidator
Standard Validation Classes
Alnum Validator
Alpha Validator
Barcode Validator
Between Validator
Callback Validator
CreditCard Validator
Date Validator
DbRecordExists and
DbNoRecordExists
Validators
Digits Validator
EmailAddress
Validator
File Validation Classes
GreaterThan Validator
Hex Validator
Hostname Validator
Iban Validator
Identical Validator
InArray Validator
Ip Validator
Isbn Validator
IsFloat
IsInt
LessThan Validator
NotEmpty Validator
PostCode Validator
Regex Validator
Sitemap Validators
Step Validator
StringLength Validator
Timezone Validator
Uri Validator
Output
Is input validation not enough?
●
XSS
– Protect your users
– Protect yourself!
●
Store escaped data?
– Prepare the data where it's needed!
Use
$block->escapeHtml()
$block->escapeQuote()
$block->escapeUrl()
$block->escapeXssInUrl()
...also Magento does it!
$block->escapeHtml()
Whitelist: allowed Tags, htmlspecialchars
M
2
MagentoFrameworkEscaper
M
2
$block->escapeHtml()
Whitelist: allowed Tags, htmlspecialchars
$block->escapeQuote()
Escape quotes inside html attributes
$addSlashes = false for escaping js that inside
html attribute (onClick, onSubmit etc)
M
2
$block->escapeUrl()
Escape HTML entities in URL
(htmlspecialchars)
$block->escapeXssInUrl()
eliminating 'javascript' +
htmlspecialchars
M
2
Magento 2 Templates XSS security
<?php echo $block->getTitleHtml() ?>
<?php echo $block->getHtmlTitle() ?>
<?php echo $block->escapeHtml($block->getTitle()) ?>
<h1><?php echo (int)$block->getId() ?></h1>
<?php echo count($var); ?>
<?php echo 'some text' ?>
<?php echo "some text" ?>
<a href="<?php echo $block->escapeXssInUrl(
$block->getUrl()) ?>">
<?php echo $block->getAnchorTextHtml() ?>
</a>
Taken from http://devdocs.magento.com/guides/v2.0/frontend-dev-guide/templates/template-security.html
Magento 2 Templates XSS security
●
Static Test: XssPhtmlTemplateTest.php in
devtestsstatictestsuiteMagentoTestPhp
●
See
http://devdocs.magento.com/guides/v2.0/frontend-
dev-guide/templates/template-security.html
magento dev:tests:run static
What happend to the little
attribute?
●
Weird customers and customer data was removed
●
Frontend validation added
•
Dropdown (whitelist) would have been an option too
●
Server side validation added
●
Output escaped
Summary
Think, act and design your software responsibly:
1) UTF-8 all the way
2) Client side validation, filter input
3) Server side validation
4) Data storage (database column size,...)
5) Escape output
6) Run tests
</happy>
Thank you!
Questions?
@rescueAnn
anna@voelkl.at

More Related Content

More from Anna Völkl

Schnell, schön, sicher: Technische Konzeption und Betrieb sicherer E-Commerce...
Schnell, schön, sicher: Technische Konzeption und Betrieb sicherer E-Commerce...Schnell, schön, sicher: Technische Konzeption und Betrieb sicherer E-Commerce...
Schnell, schön, sicher: Technische Konzeption und Betrieb sicherer E-Commerce...Anna Völkl
 
Magento Security Best Practises - MM17PL
Magento Security Best Practises - MM17PLMagento Security Best Practises - MM17PL
Magento Security Best Practises - MM17PLAnna Völkl
 
Magento Security Best Practises - MM17DE
Magento Security Best Practises - MM17DEMagento Security Best Practises - MM17DE
Magento Security Best Practises - MM17DEAnna Völkl
 
Secure input and output handling - Mage Titans Manchester 2016
Secure input and output handling - Mage Titans Manchester 2016Secure input and output handling - Mage Titans Manchester 2016
Secure input and output handling - Mage Titans Manchester 2016Anna Völkl
 
Secure input and output handling - Meet Magento Romania 2016
Secure input and output handling - Meet Magento Romania 2016Secure input and output handling - Meet Magento Romania 2016
Secure input and output handling - Meet Magento Romania 2016Anna Völkl
 
Secure input and output handling - ViennaPHP
Secure input and output handling - ViennaPHPSecure input and output handling - ViennaPHP
Secure input and output handling - ViennaPHPAnna Völkl
 
Magento Application Security [EN]
Magento Application Security [EN]Magento Application Security [EN]
Magento Application Security [EN]Anna Völkl
 
Magento Application Security [DE]
Magento Application Security [DE]Magento Application Security [DE]
Magento Application Security [DE]Anna Völkl
 

More from Anna Völkl (8)

Schnell, schön, sicher: Technische Konzeption und Betrieb sicherer E-Commerce...
Schnell, schön, sicher: Technische Konzeption und Betrieb sicherer E-Commerce...Schnell, schön, sicher: Technische Konzeption und Betrieb sicherer E-Commerce...
Schnell, schön, sicher: Technische Konzeption und Betrieb sicherer E-Commerce...
 
Magento Security Best Practises - MM17PL
Magento Security Best Practises - MM17PLMagento Security Best Practises - MM17PL
Magento Security Best Practises - MM17PL
 
Magento Security Best Practises - MM17DE
Magento Security Best Practises - MM17DEMagento Security Best Practises - MM17DE
Magento Security Best Practises - MM17DE
 
Secure input and output handling - Mage Titans Manchester 2016
Secure input and output handling - Mage Titans Manchester 2016Secure input and output handling - Mage Titans Manchester 2016
Secure input and output handling - Mage Titans Manchester 2016
 
Secure input and output handling - Meet Magento Romania 2016
Secure input and output handling - Meet Magento Romania 2016Secure input and output handling - Meet Magento Romania 2016
Secure input and output handling - Meet Magento Romania 2016
 
Secure input and output handling - ViennaPHP
Secure input and output handling - ViennaPHPSecure input and output handling - ViennaPHP
Secure input and output handling - ViennaPHP
 
Magento Application Security [EN]
Magento Application Security [EN]Magento Application Security [EN]
Magento Application Security [EN]
 
Magento Application Security [DE]
Magento Application Security [DE]Magento Application Security [DE]
Magento Application Security [DE]
 

Recently uploaded

JS-Experts - Cybersecurity for Generative AI
JS-Experts - Cybersecurity for Generative AIJS-Experts - Cybersecurity for Generative AI
JS-Experts - Cybersecurity for Generative AIIvo Andreev
 
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/MLBig Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/MLAlluxio, Inc.
 
Generative AI for Cybersecurity - EC-Council
Generative AI for Cybersecurity - EC-CouncilGenerative AI for Cybersecurity - EC-Council
Generative AI for Cybersecurity - EC-CouncilVICTOR MAESTRE RAMIREZ
 
Fields in Java and Kotlin and what to expect.pptx
Fields in Java and Kotlin and what to expect.pptxFields in Java and Kotlin and what to expect.pptx
Fields in Java and Kotlin and what to expect.pptxJoão Esperancinha
 
Webinar_050417_LeClair12345666777889.ppt
Webinar_050417_LeClair12345666777889.pptWebinar_050417_LeClair12345666777889.ppt
Webinar_050417_LeClair12345666777889.pptkinjal48
 
Your Vision, Our Expertise: TECUNIQUE's Tailored Software Teams
Your Vision, Our Expertise: TECUNIQUE's Tailored Software TeamsYour Vision, Our Expertise: TECUNIQUE's Tailored Software Teams
Your Vision, Our Expertise: TECUNIQUE's Tailored Software TeamsJaydeep Chhasatia
 
Top Software Development Trends in 2024
Top Software Development Trends in  2024Top Software Development Trends in  2024
Top Software Development Trends in 2024Mind IT Systems
 
OpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS CalculatorOpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS CalculatorShane Coughlan
 
Introduction-to-Software-Development-Outsourcing.pptx
Introduction-to-Software-Development-Outsourcing.pptxIntroduction-to-Software-Development-Outsourcing.pptx
Introduction-to-Software-Development-Outsourcing.pptxIntelliSource Technologies
 
IA Generativa y Grafos de Neo4j: RAG time
IA Generativa y Grafos de Neo4j: RAG timeIA Generativa y Grafos de Neo4j: RAG time
IA Generativa y Grafos de Neo4j: RAG timeNeo4j
 
ERP For Electrical and Electronics manufecturing.pptx
ERP For Electrical and Electronics manufecturing.pptxERP For Electrical and Electronics manufecturing.pptx
ERP For Electrical and Electronics manufecturing.pptxAutus Cyber Tech
 
Deep Learning for Images with PyTorch - Datacamp
Deep Learning for Images with PyTorch - DatacampDeep Learning for Images with PyTorch - Datacamp
Deep Learning for Images with PyTorch - DatacampVICTOR MAESTRE RAMIREZ
 
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine HarmonyLeveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmonyelliciumsolutionspun
 
Growing Oxen: channel operators and retries
Growing Oxen: channel operators and retriesGrowing Oxen: channel operators and retries
Growing Oxen: channel operators and retriesSoftwareMill
 
How Does the Epitome of Spyware Differ from Other Malicious Software?
How Does the Epitome of Spyware Differ from Other Malicious Software?How Does the Epitome of Spyware Differ from Other Malicious Software?
How Does the Epitome of Spyware Differ from Other Malicious Software?AmeliaSmith90
 
Enterprise Document Management System - Qualityze Inc
Enterprise Document Management System - Qualityze IncEnterprise Document Management System - Qualityze Inc
Enterprise Document Management System - Qualityze Incrobinwilliams8624
 
Cybersecurity Challenges with Generative AI - for Good and Bad
Cybersecurity Challenges with Generative AI - for Good and BadCybersecurity Challenges with Generative AI - for Good and Bad
Cybersecurity Challenges with Generative AI - for Good and BadIvo Andreev
 
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdfARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdfTobias Schneck
 
Kawika Technologies pvt ltd Software Development Company in Trivandrum
Kawika Technologies pvt ltd Software Development Company in TrivandrumKawika Technologies pvt ltd Software Development Company in Trivandrum
Kawika Technologies pvt ltd Software Development Company in TrivandrumKawika Technologies
 
AI Embracing Every Shade of Human Beauty
AI Embracing Every Shade of Human BeautyAI Embracing Every Shade of Human Beauty
AI Embracing Every Shade of Human BeautyRaymond Okyere-Forson
 

Recently uploaded (20)

JS-Experts - Cybersecurity for Generative AI
JS-Experts - Cybersecurity for Generative AIJS-Experts - Cybersecurity for Generative AI
JS-Experts - Cybersecurity for Generative AI
 
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/MLBig Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
 
Generative AI for Cybersecurity - EC-Council
Generative AI for Cybersecurity - EC-CouncilGenerative AI for Cybersecurity - EC-Council
Generative AI for Cybersecurity - EC-Council
 
Fields in Java and Kotlin and what to expect.pptx
Fields in Java and Kotlin and what to expect.pptxFields in Java and Kotlin and what to expect.pptx
Fields in Java and Kotlin and what to expect.pptx
 
Webinar_050417_LeClair12345666777889.ppt
Webinar_050417_LeClair12345666777889.pptWebinar_050417_LeClair12345666777889.ppt
Webinar_050417_LeClair12345666777889.ppt
 
Your Vision, Our Expertise: TECUNIQUE's Tailored Software Teams
Your Vision, Our Expertise: TECUNIQUE's Tailored Software TeamsYour Vision, Our Expertise: TECUNIQUE's Tailored Software Teams
Your Vision, Our Expertise: TECUNIQUE's Tailored Software Teams
 
Top Software Development Trends in 2024
Top Software Development Trends in  2024Top Software Development Trends in  2024
Top Software Development Trends in 2024
 
OpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS CalculatorOpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS Calculator
 
Introduction-to-Software-Development-Outsourcing.pptx
Introduction-to-Software-Development-Outsourcing.pptxIntroduction-to-Software-Development-Outsourcing.pptx
Introduction-to-Software-Development-Outsourcing.pptx
 
IA Generativa y Grafos de Neo4j: RAG time
IA Generativa y Grafos de Neo4j: RAG timeIA Generativa y Grafos de Neo4j: RAG time
IA Generativa y Grafos de Neo4j: RAG time
 
ERP For Electrical and Electronics manufecturing.pptx
ERP For Electrical and Electronics manufecturing.pptxERP For Electrical and Electronics manufecturing.pptx
ERP For Electrical and Electronics manufecturing.pptx
 
Deep Learning for Images with PyTorch - Datacamp
Deep Learning for Images with PyTorch - DatacampDeep Learning for Images with PyTorch - Datacamp
Deep Learning for Images with PyTorch - Datacamp
 
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine HarmonyLeveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
 
Growing Oxen: channel operators and retries
Growing Oxen: channel operators and retriesGrowing Oxen: channel operators and retries
Growing Oxen: channel operators and retries
 
How Does the Epitome of Spyware Differ from Other Malicious Software?
How Does the Epitome of Spyware Differ from Other Malicious Software?How Does the Epitome of Spyware Differ from Other Malicious Software?
How Does the Epitome of Spyware Differ from Other Malicious Software?
 
Enterprise Document Management System - Qualityze Inc
Enterprise Document Management System - Qualityze IncEnterprise Document Management System - Qualityze Inc
Enterprise Document Management System - Qualityze Inc
 
Cybersecurity Challenges with Generative AI - for Good and Bad
Cybersecurity Challenges with Generative AI - for Good and BadCybersecurity Challenges with Generative AI - for Good and Bad
Cybersecurity Challenges with Generative AI - for Good and Bad
 
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdfARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
 
Kawika Technologies pvt ltd Software Development Company in Trivandrum
Kawika Technologies pvt ltd Software Development Company in TrivandrumKawika Technologies pvt ltd Software Development Company in Trivandrum
Kawika Technologies pvt ltd Software Development Company in Trivandrum
 
AI Embracing Every Shade of Human Beauty
AI Embracing Every Shade of Human BeautyAI Embracing Every Shade of Human Beauty
AI Embracing Every Shade of Human Beauty
 

Secure Input and Output Handling