Hi, I’m Anna!
I do Magento things
6 years of Magento, PHP since 2004
I love IT & Information Security
Magento Security Best Practises, anyone?!
I work at E-CONOMIX
Magento & Typo3 ❤ Linz, Austria
What this talk is all about:
★ Cross-Site Scripting (XSS)
★ Frontend input validation
★ Backend input validation
★ Output escaping
Once upon a time...
Academic titles - what we expected
BA, BSc, DI, Mag., Dr., PhD, MA, MSc, MBA, LL.M.
Academic titles - what we got
We were lucky but...
XSS is real.
index.php?name=Anna
index.php?name=Anna<script>alert('EVIL');</script>
“XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.”
Source: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
65% of all websites globally suffer from XSS
Source: http://security.stackexchange.com/questions/129447/why-does-xss-affect-so-many-websites
XSS in latest SUPEEs
SUPEE-7405
● 20 vulnerabilities
● 7 XSS (2 critical, 1 high, 2 medium, 2 low)
SUPEE-8788
● 17 vulnerabilities
● 4 XSS (1 high, 4 medium)
Every feature adds a risk.
⬇
Every input/output adds a risk.
Input
⬇
Process
⬇
Output
Source: http://transferready.co.uk/index.php/blog/function-machines/
e-mail address
password
Logged in customer
Security-Technology, Department of Defense Computer Security Initiative, 1980
Stop “Last Minute Security”
Do the coding, then spend the last X hours on "making it secure"
Secure coding doesn't really take longer
Data quality ⇔ software quality ⇔ security
Always keep security in mind.
Source: http://blogs.technet.com/b/rhalbheer/archive/2011/01/14/real-physical-security.aspx
Input
Frontend input validation
User experience
Stop unwanted input when it occurs
Do not bother your server with crazy input requests
Don't fill up your database with garbage.
Magento Frontend Validation
Magento 1 (51 validation rules): js/prototype/validation.js
Magento 2 (74 validation rules): app/code/Magento/Ui/view/base/web/js/lib/validation/rules.js
min_text_length
max_text_length
stripped-min-length
validate-no-html-tags
required-entry
validate-alphanum-with-spaces
validate-email
validate-password
validate-url
validate-number
validate-range
validate-date
app/code/Magento/Ui/view/base/web/js/lib/validation/rules.js
min_text_length
max_text_length
max-words
min-words
range-words
letters-with-basic-punc
alphanumeric
letters-only
no-whitespace
zip-range
integer
vinUS
dateITA
dateNL
time
time12h
phoneUS
phoneUK
mobileUK
stripped-min-length
email2
url2
credit-card-types
ipv4
ipv6
pattern
validate-no-html-tags
validate-select
validate-no-empty
validate-alphanum-with-spaces
validate-data
validate-street
validate-phoneStrict
validate-phoneLax
validate-fax
validate-email
validate-emailSender
validate-password
validate-admin-password
validate-url
validate-clean-url
validate-xml-identifier
validate-ssn
validate-zip-us
validate-date-au
validate-currency-dollar
validate-not-negative-number
validate-zero-or-greater
validate-greater-than-zero
validate-css-length
validate-number
validate-number-range
validate-digits
validate-digits-range
validate-range
validate-alpha
validate-code
validate-alphanum
validate-date
validate-identifier
validate-zip-international
validate-state
less-than-equals-to
greater-than-equals-to
validate-emails
validate-cc-number
validate-cc-ukss
required-entry
checked
not-negative-amount
validate-per-page-value-list
validate-new-password
validate-item-quantity
equalTo
Add your own validator (Magento 2)
define([
    'jquery',
    'jquery/ui',
    'jquery/validate',
    'mage/translate'
], function ($) {
    // Registers a new rule usable as 'validate-custom-name' in data-validate.
    // The callback returns true for valid input; the translated message is
    // shown to the user when it returns false.
    $.validator.addMethod('validate-custom-name',
        function (value) {
            return (value !== 'anna');
        }, $.mage.__('Enter valid name'));
});
Adding frontend-validation (Magento 2)
<form>
    <div class="field required">
        <input type="email" id="email_address"
               data-validate="{required:true, 'validate-email':true}"
               aria-required="true">
    </div>
</form>
Bonus
Source: https://quadhead.de/cola-hack-sicherheitsluecke-auf-meinecoke-de/
Why frontend validation is not enough...
Don’t trust the user.
Don’t trust the input!
EAV Backend validation input rules
Magento 1
Mage_Eav_Attribute_Data_Abstract
Magento 2
Magento\Eav\Model\Attribute\Data\AbstractData
Input Validation Rules:
alphanumeric - numeric - alpha - email - url - date
Zend\Validator
Standard Validation Classes
Alnum Validator
Alpha Validator
Barcode Validator
Between Validator
Callback Validator
CreditCard Validator
Date Validator
DbRecordExists and DbNoRecordExists Validators
Digits Validator
EmailAddress Validator
File Validation Classes
GreaterThan Validator
Hex Validator
Hostname Validator
Iban Validator
Identical Validator
InArray Validator
Ip Validator
Isbn Validator
IsFloat
IsInt
LessThan Validator
NotEmpty Validator
PostCode Validator
Regex Validator
Sitemap Validators
Step Validator
StringLength Validator
Timezone Validator
Uri Validator
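A plain-PHP stand-in for the server-side rules above, added here as an example and not Magento's or Zend's own code: validateByRule() mirrors the six EAV input validation rule names, and validateTitle() is the whitelist (the "dropdown" option) for the academic-title attribute from the talk. Both functions and the sample request data are assumptions of this example.

```php
<?php
// Added example (not Magento's own code): a stand-in for the EAV backend
// input validation rules alphanumeric/numeric/alpha/email/url/date, written
// in plain PHP so it runs without Magento or Zend\Validator.
declare(strict_types=1);

/** true when $value satisfies the named rule; unknown rules fail closed. */
function validateByRule(string $rule, string $value): bool
{
    switch ($rule) {
        case 'alphanumeric':
            return $value !== '' && ctype_alnum($value);
        case 'numeric':
            return is_numeric($value);
        case 'alpha':
            return $value !== '' && ctype_alpha($value);
        case 'email':
            return filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
        case 'url':
            return filter_var($value, FILTER_VALIDATE_URL) !== false;
        case 'date':
            // Round-trip check: "2016-02-30" parses, but does not come back unchanged.
            $d = DateTime::createFromFormat('!Y-m-d', $value);
            return $d !== false && $d->format('Y-m-d') === $value;
        default:
            return false;
    }
}

/** The academic-title attribute as a whitelist (hypothetical list), enforced
 *  on the server no matter what the frontend sent. */
function validateTitle(string $value): bool
{
    static $allowed = ['BA', 'BSc', 'DI', 'Mag.', 'Dr.', 'PhD', 'MA', 'MSc', 'MBA', 'LL.M.'];
    return in_array($value, $allowed, true);
}

// Constructed request data, as it might arrive after the frontend check was bypassed.
$request = [
    ['alphanumeric', 'Anna2016'],
    ['alphanumeric', "Anna<script>alert('EVIL');</script>"],
    ['email',        'anna@example.com'],
    ['date',         '2016-02-30'],
];
foreach ($request as [$rule, $value]) {
    printf("%-12s %-40s %s\n", $rule, $value, validateByRule($rule, $value) ? 'ok' : 'rejected');
}
foreach (['Dr.', "Dr.<script>alert('EVIL');</script>"] as $title) {
    printf("%-12s %-40s %s\n", 'title', $title, validateTitle($title) ? 'ok' : 'rejected');
}
```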
Output
Is input validation not enough?!
Magento 2 Templates
XSS security
getXXXHtml()
<?php echo $block->getTitleHtml() ?>
<?php echo $block->getHtmlTitle() ?>
<?php echo $block->escapeHtml($block->getTitle()) ?>
Magento 2 Templates XSS security
Type casting and PHP function count()
<h1><?php echo (int)$block->getId() ?></h1>
<?php echo count($var); ?>
Magento 2 Templates XSS security
Output in single or double quotes
<?php echo 'some text' ?>
<?php echo "some text" ?>
Magento 2 Templates XSS security
Use specific escape functions
<a href="<?php echo $block->escapeXssInUrl($block->getUrl()) ?>">
    <?php echo $block->getAnchorTextHtml() ?>
</a>
Magento 2 Templates XSS security
Use these. Also Magento does it!
$block->escapeHtml()
$block->escapeQuote()
$block->escapeXssInUrl()
$block->escapeHtml()
String output that should not contain HTML
Magento\Framework\Escaper
    /**
     * Escape string for HTML context. allowedTags will not be escaped, except
     * the following: script, img, embed, iframe, video, source, object, audio
     *
     * @param string|array $data
     * @param array|null $allowedTags
     * @return string|array
     */
    public function escapeHtml($data, $allowedTags = null)
    {
        ...
    }
$block->escapeHtml()
String output that should not contain HTML
$block->escapeXssInUrl() ⇒ $block->escapeUrl()
URL output
$block->escapeQuote()
Escape quotes inside html attributes
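The three contexts side by side, as an added example that is not Magento's own Escaper: escapeHtml(), escapeQuote() and escapeUrl() are simplified stand-ins for the block methods listed above, and renderName() is a hypothetical template for the index.php?name=... case from the start of the talk.

```php
<?php
// Added example (not Magento's own code): a small stand-in for
// Magento\Framework\Escaper showing why each output context needs its own
// escape function. Bodies are simplified; the real class does more
// (allowedTags in escapeHtml, addSlashes in escapeQuote, ...).
declare(strict_types=1);

/** HTML text context, the job of $block->escapeHtml(): <, >, &, " and ' become entities. */
function escapeHtml(string $data): string
{
    return htmlspecialchars($data, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Quoted attribute value, the job of $block->escapeQuote(): same entities,
 *  but double_encode=false so an already-encoded value is not encoded twice. */
function escapeQuote(string $data): string
{
    return htmlspecialchars($data, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false);
}

/** href/src context, the job of $block->escapeUrl() (formerly escapeXssInUrl()).
 *  Entity escaping alone does not help here: "javascript:alert(1)" contains no
 *  special characters, so the scheme must be checked before the URL is escaped. */
function escapeUrl(string $url): string
{
    // Decode entities and drop whitespace/control characters first so that
    // "java&#115;cript:" or "java\tscript:" cannot slip past the scheme check.
    $probe = html_entity_decode($url, ENT_QUOTES, 'UTF-8');
    $probe = strtolower(preg_replace('/[\x00-\x20]+/', '', $probe));
    if (preg_match('/^(javascript|vbscript|data):/', $probe)) {
        return '';   // this example's choice: drop the dangerous URL entirely
    }
    return htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** The talk's index.php?name=... output, rendered in three contexts. */
function renderName(string $name, string $profileUrl): string
{
    return '<h1>Hello ' . escapeHtml($name) . '</h1>' . "\n"
        . '<input name="name" value="' . escapeQuote($name) . '">' . "\n"
        . '<a href="' . escapeUrl($profileUrl) . '">Profile</a>';
}

// Constructed input: the payload from the slides plus a javascript: URL.
$name = "Anna<script>alert('EVIL');</script>";
echo renderName($name, "javascript:alert('EVIL')"), PHP_EOL;
```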
Testing
Static XSS Test
XssPhtmlTemplateTest.php in dev/tests/static/testsuite/Magento/Test/Php
See http://devdocs.magento.com/guides/v2.0/frontend-dev-guide/templates/template-security.html
$ magento dev:tests:run static
What happened to the little attribute?!
Weird customers and their customer data were removed
Frontend validation added - a dropdown (whitelist) would have been an option too
Server side validation added
Output escaped
Summary
Think, act and design your software responsibly:
1. Client side validation
2. Server side validation
3. UTF-8 all the way
4. Escape at point of use
5. Use & run tests
Questions?
Right here, right now
or later @rescueAnn
Thank you! ❤

Secure input and output handling - Mage Titans Manchester 2016