Post on 05-Apr-2017
Bargento 2015
Magento Security Best practices 2015
LEADER in E-COMMERCE MANAGED HOSTING, EXPERT in VERY HIGH SECURITY
Grow your business safely
WWW.NBS-SYSTEM.COM
E-commerce: the 60% rules
• >60% of web traffic is non-human
• >60% of attempts to steal databases target e-commerce websites
• >60% of growth for identity theft over three years
• A 2012 study showed that retailer websites are at risk 328 days/year
• An IP address is scanned around 40 times per day
Presented by Philippe Humeau (slide 2)
The triple loot
A different time scale
Timeline figure (axis from seconds to years) comparing two intervals: the time between the initial attack and the compromise, and the time between the compromise and its discovery.
A *very* bad year
• Shoplift SQL Injection: https://github.com/joren485/Magento-Shoptlift-SQLI
• Order RSS: http://www.victim.org/rss/order/NEW
• Magmi: http://www.victim.org/magmi/web/magmi.php
SUPEE & Shoplift
It all started with a big #fail (Shoplift)
• A severe SQL injection allowing to manipulate Magento:
  – To create admin users with chosen passwords
  – To leverage any feature from the back office
  – Or simply to write a file or execute code on the server side
Shoplift
It all started with a big #fail (RSS orders)
It all started with a big #fail (Magmi)
Other SUrPrEEses
• SUPEE 6285, 5994 & 1533
  – Privilege escalation
  – XSS in wishlist & shopping cart
  – Store path disclosure
  – Wrong log permissions
  – XSS in the admin section
  – Customer information leak
Other SUPEEs
Magento cache leak
• Magento’s cache stores sensitive information in www.[site].com/var/resource_config.json
• If this var directory is browsable, one can recover all your sensitive login/password credentials:
  – To MySQL
  – To payment gateways
  – To various shippers/freighters, etc.
• Your [site]/var directory should not be accessible
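The rule above says what must be unreachable; the following server block shows how to enforce it at the web-server level. It is an added example written for this edit, not configuration from the slides or from NBS System, and it assumes a Magento 1.x document root at /var/www/magento, a hostname shop.example.com and a PHP-FPM socket at /var/run/php-fpm.sock (all placeholders). It goes beyond var/ and also shuts app/ (where app/etc/local.xml lives) and the other internal directories that Magento never serves to a browser.

```nginx
# Added example (not from the slides): nginx rules for a Magento 1.x document root
# that keep var/, app/etc/ and the other internal directories unreachable over HTTP.
# Placeholders to adjust: the document root, the hostname and the PHP-FPM socket.
server {
    listen 80;
    server_name shop.example.com;
    root  /var/www/magento;
    index index.php;

    autoindex off;                          # never list directory contents

    # Internal Magento directories: refuse any direct request.
    # "^~" takes precedence over the regex PHP handler below, so a file such as
    # /var/anything.php is neither served nor executed.
    location ^~ /var/      { deny all; }    # cache, logs, sessions, resource_config.json
    location ^~ /app/      { deny all; }    # app/etc/local.xml: database password and crypt key
    location ^~ /includes/ { deny all; }
    location ^~ /lib/      { deny all; }
    location ^~ /pkginfo/  { deny all; }
    location ^~ /shell/    { deny all; }    # command-line reindexers must not be reachable
    location = /report/config.xml { deny all; }

    # Everything else goes through Magento's front controller.
    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    location ~ \.php$ {
        try_files $uri =404;                # do not execute scripts that do not exist
        fastcgi_pass  unix:/var/run/php-fpm.sock;
        fastcgi_index index.php;
        include       fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
```

`deny all` answers 403, which confirms that the path exists; replacing it with `return 404;` hides even that. After a reload, a request for /var/resource_config.json or /app/etc/local.xml from any address must come back with the error code rather than the file contents.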
But there were others before
Did you take care of the previous ones?
• Session XSS: http://www.victim.org/index.php/admin
  Username: « ><script>alert(‘xss’)</script> »
• Downloader XSS: http://www.victim.org/downloader/?return=%22%3Cscript%3Ealert(‘xss’)%3C/script%3E
• Forgot password form XSS: http://www.victim.org/index.php/admin/index/forgotpassword/
  Email address: « ><script>alert(‘xss’)</script> »
Did you take care of the previous ones?
• XML-RPC XXE: (POST method allowing to retrieve any file)
• Session XSS: http://www.victim.org/index.php/admin/
  Username: « ><script>alert(‘xss’)</script> »
• Google Dork: inurl:app/etc/local.xml
Did you take care of the previous ones?
The PayPal / Magento integration flaw (by NBS System)
NBS System will release a new vulnerability soon
• We are still working on a fix
• This vulnerability is « multi vendor »
• It is, so far as we know, quite widely spread
• We’ll start working with Magento to fix it
• The flaw touches directly the payment gateway, allowing to spawn a shell on the victim’s server
• It’s not unilaterally Magento’s responsibility
Or even the ones that were not Magento specific?
• Poodle
• Heartbleed
• Logjam
• Shellshock
• Venom
PHP: two versions behind, really?
PHP versions in use in our hosting fleet:
  PHP 5.2    3%
  PHP 5.3   51%
  PHP 5.4   37%
  PHP 5.5    9%
88% are outdated and not supported anymore…
No security fixes
(and +12% to 40% performances to gain)
Easily exploitable things beyond classic vulnerabilities
When Magento’s support is being creative…
• Magento’s support is giving dangerous advice
  – « Chmod 777 your document root… » *REALLY?*
  – « Magento is not compatible with reverse proxies » *Woot?*
  – « Give me your root password so we can look » *NO KIDDING?*
  – Etc…
Don’t go to a car dealer to fix a bad tooth…
Classic mistakes that cost…
• Leaving your logs accessible, especially debug ones
• Leaving payment gateway logs accessible to all
• Not hiding which Magento, PHP & Apache versions you use
• Using unaudited extensions, a lot are BAD
• Using weak passwords, along with no locking policies. It’s a plague
Application-level DoS attacks
• Leaving import/export scripts, reindexers, crontabs accessible
• Trying to call pages that load very slowly
• Accessing directly the API to import/export
• Etc.
Securing Magento flaws
• Update to CE versions > 1.9 or EE versions > 1.14.1
• Use PHP 5.6
• Shoplift, Magmi, XML-RPC-XXE: filter the access with a .htaccess file (or an NGINX rule)
Securing recent flaws
• Example with Magmi (using Apache)
    RewriteEngine On
    # Only the listed address may reach Magmi; every other client is sent back to the home page.
    # mod_rewrite exposes the client address as %{REMOTE_ADDR}; there is no %{REQUEST_ADDR} variable.
    RewriteCond %{REQUEST_URI} ^/(index\.php/)?magmi/ [NC]
    RewriteCond %{REMOTE_ADDR} !^192\.168\.0\.1$
    RewriteRule ^(.*)$ http://%{HTTP_HOST}/ [R=302,L]
• Example with Magmi (using NGINX)
    location ~* ^/(index\.php/)?magmi {
        allow 192.168.0.1;
        deny  all;                    # allow/deny are inherited by the nested location
        location ~* \.php$ {
            include       fastcgi_params;
            # Without a fastcgi_pass the script would be returned as a plain file;
            # the socket path is an assumption, adjust it to your PHP-FPM setup.
            fastcgi_pass  unix:/var/run/php-fpm.sock;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        }
    }
Protect your back office & updater
• Example using Apache
    # Magento's back office lives under /index.php/admin (the slide's original
    # "/wp-admin" is WordPress's path); repeat the block for the updater as <Location /downloader>.
    <Location /index.php/admin>
        AuthType Basic
        AuthName "Restricted Area"
        AuthUserFile /etc/apache2/access/htpasswd
        Require valid-user
        Order deny,allow
        # Without "Deny from all", Order deny,allow admits every host and
        # "Satisfy any" then never asks for a password.
        Deny from all
        Allow from [MY_IP]
        Satisfy any
    </Location>
  Then, just add the user: htpasswd -c /etc/apache2/access/htpasswd [user]
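The slide only gives the Apache form; the following is the nginx counterpart, added here as an example and not taken from the slides or from NBS System. It assumes the server block already has the usual `location ~ \.php$` PHP-FPM handler, that the back office still uses the default "admin" front name (adjust the pattern if you renamed it, as the deck recommends), and it uses 203.0.113.10 and /etc/nginx/access/htpasswd as placeholders for your own address and password file.

```nginx
# Added example (not from the slides): nginx equivalent of the Apache <Location>
# block for the Magento 1 back office. A request passes the access phase if
# EITHER its source address is on the allow list OR it carries valid basic-auth
# credentials ("satisfy any" works like Apache's "Satisfy any").
# Placeholders: 203.0.113.10 (office or VPN egress address), the htpasswd path,
# and the "admin" front name.
location ~* ^/(index\.php/)?admin(/|$) {
    satisfy any;
    allow 203.0.113.10;
    deny  all;
    auth_basic           "Restricted Area";
    auth_basic_user_file /etc/nginx/access/htpasswd;   # created with: htpasswd -c <file> <user>

    # Once the access checks pass, hand the request to Magento's front controller.
    # Magento 1 rebuilds its route from REQUEST_URI, so the internal redirect to
    # /index.php keeps the original /index.php/admin/... path intact.
    try_files $uri /index.php$is_args$args;
}
```

Two checks after reloading: a request for /index.php/admin from an address that is not on the list must get 401 until credentials are supplied, and the same request from the listed address must reach the login form without a password prompt. The updater (/downloader) is a separate script tree; give it the same `satisfy`, `allow`/`deny` and `auth_basic` directives in whichever location serves it.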
Leveraging native Magento security
• Use HTTPS in your back office & order tunnel accesses
• Change your back office default URL
• Do *NOT* use a weak password (no, « tommy4242 » is not safe)
• Put some limits to the number of failed login attempts
• Put a password expiration time and change it every 3 months
• Enforce the use of case sensitive passwords
• Disable email password recovery
Securing Web applications
Organizational security
• Get a security review
• Keep track of vulnerabilities on the Magento ecosystem
• Have serious passwords, change them every 3 months
• Do not keep information unless it is needed
• Pick a PCI/DSS certified hosting company
• Use 3D Secure
• Keep up to date versions of Magento & PHP
Infrastructure security
• Keep a daily backup
• Use a WAF. NAXSI is open-source, free and stable
• Put rate limits on your reverse proxies
• Filter your outgoing traffic
It’s the job of your managed services provider
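The "rate limits on your reverse proxies" item above, together with the application-level DoS slide (slow pages, direct API calls), is concrete enough to show as configuration. The block below is an added example written for this edit, not from the slides or from NBS System: an nginx reverse proxy in front of Magento with separate request budgets for the whole shop, the search pages, the API and the back-office login. The zone sizes, rates, backend address and hostname are placeholders to tune from your own access logs.

```nginx
# Added example (not from the slides): request rate limiting on the nginx reverse
# proxy in front of Magento, so one client cannot monopolise slow pages, the API
# or the back-office login. Rates, burst sizes, hostname and backend are placeholders.
http {
    # One state entry per client address; 10 MB holds roughly 160 000 addresses.
    limit_req_zone  $binary_remote_addr zone=site:10m   rate=10r/s;   # whole shop
    limit_req_zone  $binary_remote_addr zone=slow:10m   rate=1r/s;    # search, layered navigation
    limit_req_zone  $binary_remote_addr zone=api:10m    rate=2r/s;    # SOAP / XML-RPC / REST API
    limit_req_zone  $binary_remote_addr zone=login:10m  rate=30r/m;   # back-office login attempts
    limit_conn_zone $binary_remote_addr zone=conns:10m;
    limit_req_status  429;          # "Too Many Requests" instead of the default 503
    limit_conn_status 429;
    limit_req_log_level warn;       # rejected requests show up in the error log

    upstream magento { server 10.0.0.10:8080; }   # placeholder backend

    server {
        listen 80;
        server_name shop.example.com;

        proxy_set_header Host            $host;
        proxy_set_header X-Real-IP       $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # Site-wide ceiling. "burst" lets a browser fetch a page and its assets at once;
        # "nodelay" serves the burst immediately and rejects whatever exceeds it.
        limit_req  zone=site burst=40 nodelay;
        limit_conn conns 20;

        # A location that defines its own limit_req replaces the inherited one,
        # so the site-wide zone is repeated wherever a stricter zone is added.
        location ~* ^/catalogsearch/ {
            limit_req zone=site burst=40 nodelay;
            limit_req zone=slow burst=5  nodelay;
            proxy_pass http://magento;
        }
        location ~* ^/api/ {
            limit_req zone=site burst=40 nodelay;
            limit_req zone=api  burst=10 nodelay;
            proxy_pass http://magento;
        }
        location ~* ^/(index\.php/)?admin(/|$) {
            limit_req zone=site  burst=40 nodelay;
            limit_req zone=login burst=5  nodelay;
            proxy_pass http://magento;
        }
        location / {
            proxy_pass http://magento;
        }
    }
}
```

The 429 responses are logged at the chosen level, so a sudden burst of them from one address is a usable alert for a scripted login or scraping run. Because the zones are keyed on the client address, the proxy must be the component that sees the real address; if another load balancer sits in front of it, key the zones on the forwarded address instead.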
Host level security
• Change your back office default URL
• Disable directory indexing
• Set up correct permissions: file=644, directory=755
• No follow, no index on your preproduction environment
• Use the best practices mentioned before
It’s the job of your managed services provider
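The host-level items above (no directory indexing, no follow/no index on preproduction) and the earlier "hide which versions you use" item map onto a handful of web-server directives. The vhost fragment below is an added example, not configuration from the slides or from NBS System; the hostname and document root are placeholders, and the Magento front-controller and PHP-FPM locations of the production vhost are meant to be reused where the comment says so. The file permissions (644/755) are set on the filesystem and are not part of this fragment.

```nginx
# Added example (not from the slides): host-level hygiene for a pre-production
# Magento vhost. Hostname and document root are placeholders.
server {
    listen 80;
    server_name preprod.shop.example.com;
    root /var/www/magento-preprod;

    server_tokens off;                   # no nginx version in the Server: header or error pages
    fastcgi_hide_header X-Powered-By;    # no "PHP/5.x.y" header from the PHP-FPM backend
    autoindex off;                       # no directory listings (var/, media/, ...)

    # Keep search engines off the staging site: the header applies to every
    # response, and robots.txt says the same thing to crawlers that ask first.
    add_header X-Robots-Tag "noindex, nofollow" always;
    location = /robots.txt {
        default_type text/plain;
        return 200 "User-agent: *\nDisallow: /\n";
    }

    # Dot-files (.htaccess, .git, .svn, ...) are never served.
    location ~ /\. { return 404; }

    # ... the usual Magento "location /" and "location ~ \.php$" blocks go here ...
}
```

`add_header` is inherited only by locations that declare no `add_header` of their own, so any location that adds its own headers must repeat the X-Robots-Tag line. The PHP side of version hiding is `expose_php = Off` in php.ini; the `fastcgi_hide_header` line covers installations where that setting cannot be changed.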
High end security
CerberHost
Contact
NBS System
Address: 8 rue Bernard Buffet, Immeuble Le Cardinet, 5th floor, 75017 Paris
Email: contact@nbs-system.com
Phone: +33.1.58.56.60.80
Technical support: +33.1.58.56.60.88
Fax: +33.1.58.56.60.81
Workshop presented on 13 October 2015 at Bargento 2015 by Philippe Humeau