This document provides an overview of common security vulnerabilities and best practices for securing Magento stores and applications. It begins with introductions of two Magento experts and their backgrounds. The document then discusses why security is important for online stores and outlines the top 10 vulnerabilities according to OWASP. The majority of the document dives into specific vulnerabilities like SQL injections, file injections, cross-site scripting, and insecure direct object references. For each vulnerability, it provides patterns, examples, and prevention techniques. It concludes with additional security best practices like checking extensions, installing patches, and validating all incoming data.
Magento Security from Developer's and Tester's Points of View
Alexey Motorny
- 5+ years in Magento development
- All this time he's been a proud member of the Amasty team
- Took part in 50+ Magento 1 and Magento 2 projects
- Master of Science
- Magento Certified Developer
Valeria Shevtsova
- 5+ years of experience in testing
- Testing instructor
- Research degree in science
- Head of QA department
1.1 SQL INJECTIONS: PATTERNS

1. Using GET/POST variables without validation and processing:
   $data = $model->getData($_GET['field_name']);

2. Raw SQL queries, such as:
   $sql = "INSERT INTO $table (attribute_id, store_id, $entityIdName, `value`) ";
   $db->query($sql);

3. Building the parameters of WHERE clauses by string concatenation:
   $select->where('attribute_id = ' . $attributeId);

4. The same goes for ->order(), ->join(), ->group() and the other SQL builder functions.
1.1 SQL INJECTIONS THROUGH FORMS

EXAMPLE
$userdata = $connection->fetchRow("SELECT firstname, lastname FROM admin_user WHERE username = '" . $observer->getUserName() . "'");
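The following is an added example, not code from the slides: the admin_user lookup above rebuilt against an in-memory SQLite database (via PDO, so it runs offline without Magento) beside a version that binds the username as a parameter. The "?" placeholder is the same convention Magento's DB adapter accepts in $connection->fetchRow($sql, $bind) and in $select->where('attribute_id = ?', $attributeId), which is the fix for the concatenation patterns on the previous slide. The table contents and the form input are constructed for the demonstration.

```php
<?php
// Added example (not from the slides). Requires the pdo_sqlite extension.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data standing in for Magento's admin_user table.
$db->exec("CREATE TABLE admin_user (username TEXT, firstname TEXT, lastname TEXT)");
$db->exec("INSERT INTO admin_user VALUES ('admin', 'Jane', 'Doe'), ('bob', 'Bob', 'Smith')");

// Vulnerable: the form value is concatenated into the statement, exactly as in
// the slide's fetchRow() call, so the value can change the meaning of the query.
function findUserVulnerable(PDO $db, string $username): array
{
    $sql = "SELECT firstname, lastname FROM admin_user WHERE username = '" . $username . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the value is passed as a bound parameter and is only ever treated as
// data; the SQL text itself never changes. Magento's adapter: fetchRow($sql, [$username]).
function findUserSafe(PDO $db, string $username): array
{
    $stmt = $db->prepare("SELECT firstname, lastname FROM admin_user WHERE username = ?");
    $stmt->execute([$username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed form input containing a quote, the kind of value a tester submits
// to check whether a form field reaches the query unescaped.
$formInput = "x' OR '1'='1";

printf("concatenated query matched %d row(s)\n", count(findUserVulnerable($db, $formInput)));
printf("parameterised query matched %d row(s)\n", count(findUserSafe($db, $formInput)));
```

Run it with php on the command line: for the constructed input the concatenated query matches every row in admin_user, while the parameterised query matches none, because no user is literally named "x' OR '1'='1".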
MORE SECURITY STUFF

1. When buying extensions from Magento vendors, always pay attention to security questions
2. Install security patches in time
3. Use additional backend security measures
4. Check that user and admin passwords are strong enough
5. Use security extensions
6. Configure your servers for safety
DETECT VULNERABILITIES LIKE A BOSS

1. Look for unwanted access to users' data via direct links
2. Look for known patterns
3. Check forms and URLs to prevent SQL and JavaScript injections
4. Check user cookies
5. Make sure the admin area has no security holes
6. Test file uploading via file upload inputs
TIPS ON WRITING SAFE APPLICATIONS FOR MAGENTO

1. Make sure your server environment is configured for safety
2. Validate all the incoming data
3. Data escaping is a must!
4. Check whether an extension gets access to important files
5. Data validation for the API is a must
6. Use Magento functions