Secure input and output handling - Meet Magento Romania 2016
Page 1
Meet Magento Romania 2016 | @rescueAnn
Secure input and output handling
How not to suck at data validation and output
Anna Völkl
Page 2
Hi, I’m Anna!
I do Magento things: 6 years of Magento, PHP since 2004
I love IT & Information Security. Magento Security Best Practices, anyone?!
I work at E-CONOMIX: Magento & Typo3 ❤ Linz, Austria
Page 3
What this talk is all about:
★ XSS
★ Frontend input validation
★ Backend input validation
★ Output escaping
Page 4
Once upon a time...
Page 5
Academic titles - what we expected
BA, BSc, DI, Mag., Dr., PhD, MA, MSc, MBA, LL.M.
Page 6
Academic titles - what we got
Page 7
XSS is real.
Page 8
index.php?name=Anna<script>alert('XSS');</script>
Page 9
“Cross-Site Scripting (XSS) attacks occur when:
1. Data enters a Web application through an untrusted source, most frequently a web request.
2. The data is included in dynamic content that is sent to a web user without being validated for malicious content.”
Source: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
Page 10
XSS in latest SUPEEs
SUPEE-8788
● 17 vulnerabilities
● 4 XSS (1 high, 4 medium)
SUPEE-7405
● 20 vulnerabilities
● 7 XSS (2 critical, 1 high, 2 medium, 2 low)
Page 11
Every feature adds a risk.
⬇
Every input/output adds a risk.
Page 12
Input
⬇
Process
⬇
Output
Page 13
Source: http://transferready.co.uk/index.php/blog/function-machines/
Page 14
Source: http://transferready.co.uk/index.php/blog/function-machines/
Page 15
e-mail address
password
Logged in customer
Page 16
Security-Technology, Department of Defense Computer Security Initiative, 1980
Page 17
Stop “Last Minute Security”
Do the coding, then spend the last X hours on "making it secure"
Secure coding doesn't really take longer
Data quality ⇔ software quality ⇔ security
Always keep security in mind.
Page 18
Source: http://blogs.technet.com/b/rhalbheer/archive/2011/01/14/real-physical-security.aspx
Page 19
Input
Page 20
Frontend input validation
● User experience
● Stop unwanted input when it occurs
● Do not bother your server with crazy input requests
Don't fill up your database with garbage.
Page 21
Magento Frontend Validation
Magento 1 (51 validation rules)
js/prototype/validation.js
Magento 2 (74 validation rules)
app/code/Magento/Ui/view/base/web/js/lib/validation/rules.js
Page 22
app/code/Magento/Ui/view/base/web/js/lib/validation/rules.js
M2
Page 23
app/code/Magento/Ui/view/base/web/js/lib/validation/rules.js
min_text_length, max_text_length, max-words, min-words, range-words, letters-with-basic-punc, alphanumeric, letters-only, no-whitespace, zip-range, integer, vinUS, dateITA, dateNL, time, time12h, phoneUS, phoneUK, mobileUK,
stripped-min-length, email2, url2, credit-card-types, ipv4, ipv6, pattern, validate-no-html-tags, validate-select, validate-no-empty, validate-alphanum-with-spaces, validate-data, validate-street, validate-phoneStrict, validate-phoneLax, validate-fax, validate-email, validate-emailSender, validate-password,
validate-admin-password, validate-url, validate-clean-url, validate-xml-identifier, validate-ssn, validate-zip-us, validate-date-au, validate-currency-dollar, validate-not-negative-number, validate-zero-or-greater, validate-greater-than-zero, validate-css-length, validate-number, validate-number-range, validate-digits, validate-digits-range, validate-range, validate-alpha, validate-code,
validate-alphanum, validate-date, validate-identifier, validate-zip-international, validate-state, less-than-equals-to, greater-than-equals-to, validate-emails, validate-cc-number, validate-cc-ukss, required-entry, checked, not-negative-amount, validate-per-page-value-list, validate-new-password, validate-item-quantity, equalTo
M2
Page 24
Add your own validator
define([
    'jquery',
    'jquery/ui',
    'jquery/validate',
    'mage/translate'
], function ($) {
    // Register a custom rule; the callback returns true when the value is valid.
    $.validator.addMethod('validate-custom-name', function (value) {
        return (value !== 'anna');
    }, $.mage.__('Enter valid name'));
});
M2
Page 25
<form>
    <div class="field required">
        <input type="email" id="email_address"
               data-validate="{required:true, 'validate-email':true}"
               aria-required="true">
    </div>
</form>
Adding frontend validation
M2
Page 26
Bonus
Page 27
<form>
    <div class="field required">
        <input type="email" id="email_address"
               data-validate="{required:true, 'validate-email':true}"
               aria-required="true">
    </div>
</form>
Adding frontend validation
M2
Page 28
Source: https://quadhead.de/cola-hack-sicherheitsluecke-auf-meinecoke-de/
Why frontend validation is not enough...
Page 29
Don’t trust the user.
Don’t trust the input!
Page 30
Page 31
EAV Backend validation input rules
Magento 1
Mage_Eav_Attribute_Data_Abstract
Magento 2
Magento\Eav\Model\Attribute\Data\AbstractData
Page 32
Magento\Eav\Model\Attribute\Data\AbstractData
Input Validation Rules:
● alphanumeric
● numeric
● alpha
● email
● url
● date
M2
Page 33
Zend\Validator Standard Validation Classes
Alnum Validator, Alpha Validator, Barcode Validator, Between Validator, Callback Validator, CreditCard Validator, Date Validator, Db\RecordExists and Db\NoRecordExists Validators, Digits Validator, EmailAddress Validator,
File Validation Classes, GreaterThan Validator, Hex Validator, Hostname Validator, Iban Validator, Identical Validator, InArray Validator, Ip Validator, Isbn Validator, IsFloat, IsInt, LessThan Validator,
NotEmpty Validator, PostCode Validator, Regex Validator, Sitemap Validators, Step Validator, StringLength Validator, Timezone Validator, Uri Validator
Page 34
Output
Page 35
Is input validation not enough?!
Page 36
Magento 2 Templates XSS security
Page 37
getXXXHtml()
<?php echo $block->getTitleHtml() ?>
<?php echo $block->getHtmlTitle() ?>
<?php echo $block->escapeHtml($block->getTitle()) ?>
M2
Magento 2 Templates XSS security
Page 38
Type casting and PHP function count()
<h1><?php echo (int)$block->getId() ?></h1>
<?php echo count($var); ?>
M2
Magento 2 Templates XSS security
Page 39
Output in single or double quotes
<?php echo 'some text' ?>
<?php echo "some text" ?>
M2
Magento 2 Templates XSS security
Page 40
Use specific escape functions
<a href="<?php echo $block->escapeXssInUrl($block->getUrl()) ?>">
    <?php echo $block->getAnchorTextHtml() ?>
</a>
M2
Magento 2 Templates XSS security
Page 41
Use these. Magento itself does it too!
$block->escapeHtml()
$block->escapeQuote()
$block->escapeUrl()
$block->escapeXssInUrl()
M2
Page 42
$block->escapeHtml()
Whitelist: allowed tags, htmlspecialchars
M2
Page 43
Magento\Framework\Escaper
M2
Page 44
$block->escapeHtml()
Whitelist: allowed tags, htmlspecialchars
$block->escapeQuote()
Escape quotes inside HTML attributes; $addSlashes = false for escaping JS inside an HTML attribute (onClick, onSubmit etc.)
M2
Page 45
$block->escapeUrl()
Escape HTML entities in URL (htmlspecialchars)
$block->escapeXssInUrl()
Eliminates 'javascript' + htmlspecialchars
M2
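The four escape helpers as a worked example, added here and not Magento's own code: a small class that approximates the behaviour the slides describe (htmlspecialchars plus a tag whitelist, quote escaping with optional addslashes, plain entity escaping of a URL, and removing 'javascript' before escaping), run over the XSS payload from the earlier slide. The class name and the sample inputs are constructed; the real Magento\Framework\Escaper differs in detail.

```php
<?php
// Added example, not Magento's code: a minimal escaper that approximates
// the behaviour the slides describe for the four $block->escape*() helpers.
// The real implementation is Magento\Framework\Escaper and differs in detail.
final class DemoEscaper
{
    // escapeHtml(): escape everything with htmlspecialchars, then re-allow a
    // whitelist of simple tags without attributes, e.g. <b> and </b>.
    public function escapeHtml(string $data, array $allowedTags = []): string
    {
        $escaped = htmlspecialchars($data, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false);
        if ($allowedTags === []) {
            return $escaped;
        }
        $tags = implode('|', array_map('preg_quote', $allowedTags));
        return preg_replace('#&lt;(/?)(' . $tags . ')&gt;#i', '<$1$2>', $escaped);
    }

    // escapeQuote(): escape quotes for use inside an HTML attribute value;
    // addslashes() is applied only when $addSlashes is true (the slide's
    // $addSlashes = false variant is the one for JS inside onClick-style attributes).
    public function escapeQuote(string $data, bool $addSlashes = false): string
    {
        if ($addSlashes) {
            $data = addslashes($data);
        }
        return htmlspecialchars($data, ENT_QUOTES, 'UTF-8', false);
    }

    // escapeUrl(): only HTML entities are escaped; a javascript: URL survives.
    public function escapeUrl(string $url): string
    {
        return htmlspecialchars($url, ENT_QUOTES, 'UTF-8', false);
    }

    // escapeXssInUrl(): remove the word 'javascript' first, then escape entities.
    public function escapeXssInUrl(string $url): string
    {
        return htmlspecialchars(preg_replace('/javascript/i', '', $url), ENT_QUOTES, 'UTF-8', false);
    }
}

// Constructed inputs: the payload from the slides, a title with quotes and a script-scheme link.
$escaper = new DemoEscaper();
$name = "Anna<script>alert('XSS');</script>";
$title = 'Anna "The" Dev';
$link = "javascript:alert('XSS')";

echo $escaper->escapeHtml($name), PHP_EOL;                                // text node
echo $escaper->escapeHtml('<b>Anna</b><script>x()</script>', ['b']), PHP_EOL; // <b> kept
echo '<input value="', $escaper->escapeQuote($title), '">', PHP_EOL;     // attribute value
echo '<a href="', $escaper->escapeUrl($link), '">', PHP_EOL;             // entities only
echo '<a href="', $escaper->escapeXssInUrl($link), '">', PHP_EOL;        // scheme word removed
```

Comparing the last two lines shows why the slide pairs href with escapeXssInUrl(): escapeUrl() leaves the javascript: scheme intact and only neutralises the quotes, while escapeXssInUrl() removes the scheme word before escaping.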
Page 46
Page 47
Testing
Page 48
Static XSS Test
XssPhtmlTemplateTest.php in dev\tests\static\testsuite\Magento\Test\Php\
See http://devdocs.magento.com/guides/v2.0/frontend-dev-guide/templates/template-security.html
Page 49
$ magento dev:tests:run static
Page 50
$ magento dev:tests:run static
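A simplified version of what such a static template check does, added here and not Magento's XssPhtmlTemplateTest: it scans a .phtml string for echo statements and accepts only the forms from the previous slides (a get…Html() method, an escape*() helper, an (int)/(float) cast, count(), or a quoted literal). The function name, the patterns and the sample template are constructed for this illustration.

```php
<?php
// Added example, not Magento's XssPhtmlTemplateTest: a tiny static check that
// applies the template rules from the slides to a .phtml string. An echo is
// accepted only when its expression is a get...Html() call, an escape*() call,
// an (int)/(float) cast, count(), or a plain quoted string literal.
function findUnescapedEchos(string $phtml): array
{
    $safe = [
        '/^\$block->get\w*Html\w*\(/',        // getTitleHtml(), getAnchorTextHtml()
        '/^\$block->escape(Html|Quote|Url|XssInUrl)\(/',
        '/^\((int|float)\)/',                 // (int)$block->getId()
        '/^count\(/',
        '/^(\'[^\']*\'|"[^"]*")$/',           // 'some text' / "some text"
    ];
    $findings = [];
    preg_match_all('/<\?(?:php)?\s*echo\s+(.*?)\s*;?\s*\?>/s', $phtml, $matches, PREG_OFFSET_CAPTURE);
    foreach ($matches[1] as [$expression, $offset]) {
        $expression = trim($expression);
        foreach ($safe as $pattern) {
            if (preg_match($pattern, $expression)) {
                continue 2;   // one of the accepted forms, nothing to report
            }
        }
        $line = substr_count($phtml, "\n", 0, $offset) + 1;
        $findings[] = sprintf('line %d: unescaped output: %s', $line, $expression);
    }
    return $findings;
}

// Constructed template mixing the safe forms from the slides with two offenders
// (a raw getTitle() in a text node and a raw getUrl() in an href attribute).
$template = <<<'PHTML'
<h1><?php echo (int)$block->getId() ?></h1>
<p><?php echo $block->escapeHtml($block->getTitle()) ?></p>
<p><?php echo $block->getTitleHtml() ?></p>
<p><?php echo $block->getTitle() ?></p>
<a href="<?php echo $block->getUrl() ?>"><?php echo 'some text' ?></a>
<span><?php echo count($items); ?></span>
PHTML;

foreach (findUnescapedEchos($template) as $finding) {
    echo $finding, PHP_EOL;
}
```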
Page 51
What happened to the little attribute?!
Page 52
● Weird customers and customer data were removed
● Frontend validation added (a dropdown, i.e. a whitelist, would have been an option too)
● Server side validation added
● Output escaped
Page 53
Summary
Think, act and design your software responsibly:
1. Client side validation
2. Server side validation
3. UTF-8 all the way
4. Escape at point of use
5. Use & run tests
Page 54
Questions?
Right here, right now, or later @rescueAnn