Secure input and output handling - Mage Titans Manchester 2016
2 likes1,732 views
This document is a presentation by Anna about Magento security, focusing on cross-site scripting (XSS) vulnerabilities and best practices for frontend and backend input validation. It emphasizes the importance of not trusting user input and implementing multiple layers of security, including client-side validation and output escaping. The presentation also discusses Magento’s built-in validation rules and methods to enhance security against XSS attacks.
![Add your own validator
define([
'jquery',
'jquery/ui',
'jquery/validate',
'mage/translate'
], function ($) {
$.validator.addMethod('validate-custom-name',
function (value) {
return (value !== 'anna');
}, $.mage.__('Enter valid name'));
});
M
2](https://image.slidesharecdn.com/magetitans-secureinputandoutputhandling-161114060836/85/Secure-input-and-output-handling-Mage-Titans-Manchester-2016-28-320.jpg)
Secure input and output handling - Mage Titans Manchester 2016
- 2. Hi, I’m Anna! I do Magento things 6 years of Magento, PHP since 2004 I love IT & Information Security Magento Security Best Practises, anyone?! I work at E-CONOMIX Magento & Typo3 ❤ Linz, Austria
- 3. What this talk is all about: ★ Cross-Site Scripting (XSS) ★ Frontend input validation ★ Backend input validation ★ Output escaping
- 5. Academic titles - what we expected BA PhD BSc MA DI MSc Mag. MBA Dr. LL.M.
- 6. Academic titles - what we got
- 8. XSS is real.
- 11. “XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.” Source: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
- 12. 65% of all websites globally suffer from XSS Source: http://security.stackexchange.com/questions/129447/why-does-xss-affect-so-many-websites
- 13. XSS in latest SUPEEs SUPEE-7405 ● 20 vulnerabilities ● 7 XSS (2 critical, 1 high, 2 medium, 2 low) SUPEE-8788 ● 17 vulnerabilities ● 4 XSS (1 high, 4 medium)
- 14. Every feature adds a risk. ⬇ Every input/output adds a risk.
- 19. Security-Technology, Department of Defense Computer Security Initiative, 1980
- 20. Stop “Last Minute Security” Do the coding, spend last X hours on „making it secure“ Secure coding doesn't really take longer Data quality ⇔ software quality ⇔ security Always keep security in mind.
- 22. Input
- 23. Frontend input validation User experience Stop unwanted input when it occurs Do not bother your server with crazy input requests Don't fill up your database with garbage.
- 24. Magento Frontend Validation Magento 1 (51 validation rules) js/prototype/validation.js Magento 2 (74 validation rules) app/code/Magento/Ui/view/base/web/js/lib/ validation/rules.js
- 28. Add your own validator define([ 'jquery', 'jquery/ui', 'jquery/validate', 'mage/translate' ], function ($) { $.validator.addMethod('validate-custom-name', function (value) { return (value !== 'anna'); }, $.mage.__('Enter valid name')); }); M 2
- 29. <form> <div class="field required"> <input type="email" id="email_address" data-validate="{required:true, 'validate-email':true}" aria-required="true"> </div> </form> Adding frontend-validation M 2
- 30. Bonus
- 31. <form> <div class="field required"> <input type="email" id="email_address" data-validate="{required:true, 'validate-email':true}" aria-required="true"> </div> </form> Adding frontend-validation M 2
- 32. Source: https://quadhead.de/cola-hack-sicherheitsluecke-auf-meinecoke-de/ Why frontend validation is not enough...
- 33. Don’t trust the user. Don’t trust the input!
- 35. EAV Backend validation input rules Magento 1 Mage_Eav_Attribute_Data_Abstract Magento 2 MagentoEavModelAttributeDataAbstractData
- 36. MagentoEavModelAttributeDataAbstractData Input Validation Rules: alphanumeric - numeric - alpha - email - url - date M 2
- 37. ZendValidator Standard Validation Classes Alnum Validator Alpha Validator Barcode Validator Between Validator Callback Validator CreditCard Validator Date Validator DbRecordExists and DbNoRecordExists Validators Digits Validator EmailAddress Validator File Validation Classes GreaterThan Validator Hex Validator Hostname Validator Iban Validator Identical Validator InArray Validator Ip Validator Isbn Validator IsFloat IsInt LessThan Validator NotEmpty Validator PostCode Validator Regex Validator Sitemap Validators Step Validator StringLength Validator Timezone Validator Uri Validator
- 38. Output
- 39. Is input validation not enough?!
- 40. Magento 2 Templates XSS security
- 41. getXXXHtml() <?php echo $block->getTitleHtml() ?> <?php echo $block->getHtmlTitle() ?> <?php echo $block->escapeHtml($block->getTitle()) ?> M 2 Magento 2 Templates XSS security
- 42. Type casting and PHP function count() <h1><?php echo (int)$block->getId() ?></h1> <?php echo count($var); ?> M 2 Magento 2 Templates XSS security
- 43. Output in single or double quotes <?php echo 'some text' ?> <?php echo "some text" ?> M 2 Magento 2 Templates XSS security
- 44. Use specific escape functions <a href="<?php echo $block->escapeXssInUrl( $block->getUrl()) ?>"> <?php echo $block->getAnchorTextHtml() ?> </a> M 2 Magento 2 Templates XSS security
- 45. Use these. Also Magento does it! $block->escapeHtml() $block->escapeQuote() $block->escapeXssInUrl() M 2
- 46. $block->escapeHtml() String output that should not contain HTML M 2
- 47. MagentoFrameworkEscaper /** * Escape string for HTML context. allowedTags will not be escaped, except the following: script, img, embed, * iframe, video, source, object, audio * * @param string|array $data * @param array|null $allowedTags * @return string|array */ public function escapeHtml($data, $allowedTags = null) { ... ... }
- 48. $block->escapeHtml() String output that should not contain HTML $block->escapeXssInUrl() ⇒ $block->escapeUrl() URL output $block->escapeQuote() Escape quotes inside html attributes M 2
- 50. Testing
- 51. Static XSS Test XssPhtmlTemplateTest.php in devtestsstatictestsuiteMagentoTestPhp See http://devdocs.magento.com/guides/v2.0/frontend-dev -guide/templates/template-security.html
- 52. $ magento dev:tests:run static
- 53. $ magento dev:tests:run static
- 54. What happened to the little attribute?!
- 55. Weird customers and customer data was removed Frontend validation added - Dropdown (whitelist) would have been an option too Server side validation added Output escaped
- 56. Summary Think, act and design your software responsibly: 1. Client side validation 2. Server side validation 3. UTF-8 all the way 4. Escape at point of use 5. Use & run tests
- 57. Questions? Right here, right now or later @rescueAnn Thank you! ❤