MeetMagento NL 2018 - Riccardo Tempesta - Magento 2 under siege

#mm18nl | @RicTempesta
Riccardo Tempesta - CTO @ MageSpecialist
Magento addicted developer
Magento 1 Certified Developer Plus
Magento 2 Certified Professional Developer
In the top Magento2 contributors list of 2017
Magento Stack Exchange 4% topmost
Proud NERD and GEEK
Something about me…

Magento2
under siege

Data Security and Leakage prevention
70s
Phreaking
80s
Worms / Viruses
(network)
Big companies
EU/US governments
public authorities
Security threats timeline

70s
Phreaking
80s
Worms / Viruses
(network)
First 90s
Worms / Viruses
(floppy)
Late 90s
Email viruses
Big companies
EU/US governments
public authorities
Small business companies
and final users

70s
Phreaking
80s
Worms / Viruses
(network)
First 90s
Worms / Viruses
(floppy)
Late 90s
Email viruses
Big companies
EU/US governments
public authorities
Small business companies
and final users
2000s
Spywares
2010s
Websites
Malwares
Users personal
information

Users information
and
personal data
are the main
targets today

And the number of hackers and
“hackers wannabe” has drastically
increased…

Are you asking why?

The hacker cliché in 80s-90s
No social life
Few friends
«Genious»
NOT so cool

Only few movies had
cool hackers

«War Games»
If you do not remeber
this movie you are too
young or not enough
NERD to be here!

The hacker cliché in 2010s
Still no social life
Still few friends
Still genious
But cool!

And this is why,
today everybody
wants
to be a hacker

A considerable amount
of hacking tools are
available today.

It is incredible,
but they are
user friendly!

Security issues are
only happening to
other people…

Even if Magento 2 is one of the
MOST SECURE E-COMMERCE SOLUTIONS
We must be aware that we could
accidentally introduce security holes with:
• Unsecure 3rd party modules
• Bad programming
• Misconfigurations
Using Magento is not enough…

I will try to scare
you for the next 10
minutes with “real
examples”

Example #1: Data leakage
Beware of unverified 3rd party modules

A Magento merchant
Installed a 3rd party extension from a famous
company providing e-commerce services.
After few days he experienced multiple
unauthorized backend accesses.

<?php
namespace SomeVendorModel;
...
class SomeClass implements SomeClassInterface
{
...
public function getSomething()
{
$connection = $this->getConnection();
$filter = $this->request->getParam('filter’);
$qry = "select body from some_table where=" . $filter;
return $connection->fetchAll($qry);
}
...
}
What we found:

<?php
namespace SomeVendorModel;
...
class SomeClass implements SomeClassInterface
{
...
public function getSomething()
{
$connection = $this->getConnection();
$filter = $this->request->getParam('filter’);
$qry = "select body from some_table where=" . $filter;
return $connection->fetchAll($qry);
}
...
}
What we found:
Blind SQL injection

http://mysite/my/awesome/module?filter=title%3da+story
Everything is fine if we use it in the expected way:

…?filter=title%3da+story;+drop+database+magento;
This will NOT work:
Because PHP does not allow multiple queries in one time

…?filter=1+union+select+something+from+somewhere
But this will work:
This is called «union select attack»

Let’s see what a malicious
user can do with SQLMap:

Video #1

Passwords are protected
Magento2 uses a SHA-256 hashing salt + pwd
algorithm to protect passwords.
But a malicious user can always run
a brute force off-line attack.

Let’s see what can happen with “HashCat”
A tool able to run brute force attacks using the
Graphical Card GPU.
Up to 500MH/s with a standard video card

Video #2

In 2015
56% of apps included at least one SQL injection
Source: https://thehackernews.com/2015/12/programming-language-security.html

Most of the people will use the
same password both for PayPal
and your Magento store.

Protecting passwords with BlindHash
Clear password SHA-256 hashed password
Fully encrypted password
https://www.blindhash.com/
Offline attacks complete protection

Example #2: Full control
A common pitfall

A Magento merchant
Discovered something strange on his website.
Someone was able to change the pages content.
But no database/filesystem changes
were detected.

<?php
namespace SomeVendorBlock;
...
class SomeClass extends Template
{
...
public function getWelcomeText()
{
$name = $this->request->getParam(‘name’);
return __(‘Hello %1’, $name);
}
...
}
What we found:

<?php
/** @var SomeBlockClass $block */
?>
...
<?= $block->getWelcomeText() ?>
...
What we found:

http://mysite/my/awesome/module?name=Riccardo
Everything is fine if we use it in the expected way:

http://mysite/my/awesome/module?name=%3Cscript%3Eale
rt%28%27hello%20world%27%29%3C%2Fscript%3E
But, what if we replace it with a JavaScript code?
<script>alert('hello world')</script>
This code will run in your HTML document:

XSS injection:
Request containing the JavaScript
Response containing the Javascript

XSS injection (example):
Response containing the Javascript
Email with a link containing
the malicious JavaScript code
Click on the link

One of your customers receives an email like this one:

https://bit.ly/mm18demo

https://bit.ly/mm18demo-xss

Video #3

In 2015
86% of apps included at least
one XSS vulnerability
Source: https://thehackernews.com/2015/12/programming-language-security.html

Prevent and protect…

When you say «Magento», you
are not talking about a
software, you are talking about
a community.
No community can exist
without contributions.
When you say “Magento”:

Detecting malwares
If you think you have been hacked:
https://github.com/gwillem/magento-malware-scanner
by Willem de Groot
ClamAV can be helpful for known PHP/JS malwares:
:~$ clamscan -r --bell -i /my/magento/path

Our company’s contribution
to Magento 2 security:
● Two Factor Authentication
● Google reCaptcha
● Malicious IP filter
● Malware upload filter
● Admin IP restriction
● Magento IPS/IDS Shield
Our free contribution to security

Our company’s contribution
to Magento 2 security:
● Two Factor Authentication
● Google reCaptcha
● Malicious IP filter
● Malware upload filter
● Admin IP restriction
● Magento IPS/IDS Shield
Our free contribution to security
I can proudly say:
“They will be part of Magento 2.3”

MSP Notifier framework:
● Real Time notifications on:
● Telegram
● E-Mail
● Slack
● …
● Events based notifications
Another free contribution to security

I hope you enjoyed my speech
THANK YOU!

THANK YOU!
KEEP CALM
AND
KEEP HACKING
Github:
MageSpecialist
Twitter:
@RicTempesta
Please do not hack my accounts...

MeetMagento NL 2018 - Riccardo Tempesta - Magento 2 under siege

Recommended

Recommended

More Related Content

Similar to MeetMagento NL 2018 - Riccardo Tempesta - Magento 2 under siege

Similar to MeetMagento NL 2018 - Riccardo Tempesta - Magento 2 under siege (20)

Recently uploaded

Recently uploaded (20)

MeetMagento NL 2018 - Riccardo Tempesta - Magento 2 under siege