Bargento 2015
Magento Security
Best practices 2015
LEADER in E-COMMERCE MANAGED HOSTING
EXPERT in VERY HIGH SECURITY
Grow your business safely
WWW.NBS-SYSTEM.COM
E-commerce: the 60% rules
• >60% of web traffic is non-human
• >60% of attempts to steal databases target e-commerce websites
• >60% growth in identity theft over three years
• A 2012 study showed that retailer websites are at risk 328 days/year
• An IP address is scanned around 40 times per day
2Présenté par Philippe Humeau
The triple loot
A different time scale
[Chart, time axis from seconds to years: time between the initial attack and the compromise vs. time between the compromise and its discovery]
A *very* bad year
Magento performances
Best practices 2015
• Shoplift SQL Injection:
https://github.com/joren485/Magento-Shoptlift-SQLI
• Order RSS:
http://www.victim.org/rss/order/NEW
• Magmi :
http://www.victim.org/magmi/web/magmi.php
SUPEE & Shoplift
It all started with a big #fail (Shoplift)
• A severe SQL injection that allows an attacker to manipulate Magento:
– To create admin users with chosen passwords
– To leverage any feature of the back office
– Or simply to write a file or execute code on the server side
It all started with a big #fail (RSS orders)
It all started with a big #fail (Magmi)
Other SUrPrEEses
• SUPEE 6285, 5994 & 1533
– Privilege escalation
– XSS in wishlist & shopping cart
– Store path disclosure
– Wrong log permissions
– XSS in the admin section
– Customer information leak
Magento cache leak
• Magento’s cache stores sensitive information in www.[site].com/var/resource_config.json
• If this var directory is browsable, anyone can recover all your sensitive credentials:
– To MySQL
– To payment gateways
– To various shippers/freighters, etc.
• Your [site]/var directory should not be accessible from the web
But there were others before
Did you take care of the previous ones?
• Session XSS:
http://www.victim.org/index.php/admin
Username: « ><script>alert(‘xss’)</script> »
• Downloader XSS:
http://www.victim.org/downloader/?return=%22%3Cscript%3Ealert(‘xss’)%3C/script%3E
• Forgot password form XSS:
http://www.victim.org/index.php/admin/index/forgotpassword/
Email address: « ><script>alert(‘xss’)</script> »
• XML-RPC XXE: a POST request that allows retrieving arbitrary files from the server
• Session XSS:
http://www.victim.org/index.php/admin/
Username: « ><script>alert(‘xss’)</script> »
• Google Dork:
inurl:app/etc/local.xml
The PayPal / Magento integration flaw (by NBS System)
NBS System will disclose a new vulnerability soon
• We are still working on a fix
• This vulnerability is « multi vendor »
• It is, as far as we know, quite widespread
• We’ll start working with Magento to fix it
• The flaw directly affects the payment gateway and allows spawning a shell on the victim’s server
• It is not solely Magento’s responsibility
Or even the ones that were not Magento specific?
• POODLE
• Heartbleed
• Logjam
• Shellshock
• VENOM
PHP: two versions behind, really?
PHP versions in use across our hosted fleet:
• PHP 5.2: 3%
• PHP 5.3: 51%
• PHP 5.4: 37%
• PHP 5.5: 9%
88% are outdated and no longer supported: no security fixes (and 12% to 40% of performance to gain by upgrading)
Easily exploitable things beyond
classic vulnerabilities
When Magento’s support is being creative…
• Magento’s support is giving dangerous advice
– « Chmod 777 your document root… » *REALLY?*
– « Magento is not compatible with reverse proxies » *Woot?*
– « Give me your root password so we can look » *NO KIDDING?*
– Etc…
Don’t go to a car dealer to fix a bad tooth…
Classic mistakes that cost…
• Leaving your logs accessible, especially debug ones
• Leaving payment gateway logs accessible to all
• Not hiding which Magento, PHP & Apache versions you use
• Using unaudited extensions; a lot of them are BAD
• Using weak passwords with no lockout policy. It’s a plague
Application-level DoS attacks
• Leaving import/export scripts, reindexers and crontabs accessible
• Calling pages that load very slowly
• Calling the import/export API directly
• Etc.
Securing Magento flaws
Securing Magento flaws
• Update to CE versions > 1.9 or EE versions > 1.14.1
• Use PHP 5.6
• Shoplift, Magmi, XML-RPC-XXE: filter the access with a .htaccess file (or an NGINX rule)
Securing recent flaws
• Example with Magmi (using Apache, in the .htaccess or vhost): only 192.168.0.1 may reach Magmi, everyone else is redirected to the home page
    RewriteEngine On
    RewriteCond %{REQUEST_URI} ^/(index.php/)?magmi/ [NC]
    # REMOTE_ADDR is the client IP (Apache has no REQUEST_ADDR variable)
    RewriteCond %{REMOTE_ADDR} !^192\.168\.0\.1$
    RewriteRule ^(.*)$ http://%{HTTP_HOST}/ [R=302,L]
• Example with Magmi (using NGINX)
    location ~* ^/(index.php/)?magmi {
        allow 192.168.0.1;
        deny  all;
        location ~* \.php$ {
            include fastcgi_params;
            # keep the same fastcgi_pass directive as your main PHP location here
        }
    }
Protect your back office & updater
• Example using Apache: HTTP basic auth for everyone except [MY_IP]; use your own back-office path and repeat the block for /downloader (the updater)
    <Location /index.php/admin>
        AuthType Basic
        AuthName "Restricted Area"
        AuthUserFile /etc/apache2/access/htpasswd
        Require valid-user
        # Apache 2.2 access syntax (needs mod_access_compat on 2.4)
        Order deny,allow
        Allow from [MY_IP]
        Satisfy any
    </Location>
Then, just add the user (-c creates the file; omit it when adding further users):
    htpasswd -c /etc/apache2/access/htpasswd [user]
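Once the filtering rules for Magmi, the updater and the back office are in place, and the var/ directory is no longer browsable (see the cache leak slide above), the result should be verified from outside the allow-list. The following script is an added example, not code from the slides or from NBS System: it takes the paths this deck names as exposure points and reports every one that still answers HTTP 200. The hostname shop.example and the script file name are placeholders; only curl and a POSIX shell are assumed.

```shell
#!/bin/sh
# Added self-check, not code from the slides or from NBS System.
# Verifies that the endpoints this deck names are no longer served to an
# untrusted client. Run it against your own shop from a host that is NOT in
# the allow-list; "shop.example" below is a placeholder hostname.

# Endpoints taken from the slides: Magmi, the order RSS feed, the updater,
# the cache file and logs under var/, local.xml, and the back office.
SENSITIVE_PATHS='
/magmi/web/magmi.php
/index.php/magmi/web/magmi.php
/rss/order/NEW
/downloader/
/var/resource_config.json
/var/log/
/app/etc/local.xml
/index.php/admin/
'

# Print only the HTTP status code of a URL ("000" if the connection fails).
# Defined as a function so it can be replaced by a stub for offline testing.
http_status() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$1"
}

# audit_paths BASE_URL
# Prints one line per path and returns the number of paths that answered 200.
# A 401/403/404, a 302 back to the home page (what the rewrite rule above
# produces) or a refused connection all count as blocked for this check.
audit_paths() {
    base=$1
    exposed=0
    for p in $SENSITIVE_PATHS; do
        code=$(http_status "$base$p")
        if [ "$code" = "200" ]; then
            printf 'EXPOSED %s %s\n' "$code" "$base$p"
            exposed=$((exposed + 1))
        else
            printf 'ok      %s %s\n' "$code" "$base$p"
        fi
    done
    return "$exposed"
}

# Usage: sh audit_paths.sh https://shop.example
if [ "$#" -eq 1 ]; then
    audit_paths "$1"
fi
```

The exit status is the number of exposed paths, so the script can gate a deployment. A catch-all "soft 404" page that answers 200 will show up as EXPOSED and has to be checked by hand, and the path list only covers what the slides mention: add your own import scripts, reindexers and extension entry points to it.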
Leveraging native Magento security
• Use HTTPS for your back office & checkout funnel
• Change your back office default URL
• Do *NOT* use a weak password (no, « tommy4242 » is not safe)
• Limit the number of failed login attempts
• Set a password expiration time and change passwords every 3 months
• Enforce case-sensitive passwords
• Disable email password recovery
Securing Web applications
Organizational security
• Get a security review
• Keep track of vulnerabilities in the Magento ecosystem
• Use serious passwords and change them every 3 months
• Do not keep information unless it is needed
• Pick a PCI DSS certified hosting company
• Use 3-D Secure
• Keep Magento & PHP up to date
Infrastructure security
• Keep a daily backup
• Use a WAF. NAXSI is open-source, free and stable
• Put rate limits on your reverse proxies
• Filter your outgoing traffic
It’s the job of your managed services provider
Host level security
• Change your back office default URL
• Disable directory indexing
• Set correct permissions: files 644, directories 755
• Set noindex/nofollow on your preproduction environment
• Apply the best practices mentioned before
It’s the job of your managed services provider
High end security
CerberHost
Contact
NBS System
Address:
8 rue Bernard Buffet,
Immeuble Le Cardinet, 5th floor
75017 Paris
Email: contact@nbs-system.com
Phone: +33.1.58.56.60.80
Technical support: +33.1.58.56.60.88
Fax: +33.1.58.56.60.81
Workshop presented on 13 October 2015 at Bargento 2015 by Philippe Humeau
