Secure input and output handling
How not to suck at data validation and output encoding
Magento Meetup Vienna Edition (Developer edition)
http://de.slideshare.net/avoelkl/secure-input-and-output-handling-57946042
Anna Völkl / @rescueAnn
● Hi, I'm Anna. http://anna.voelkl.at
● I'm a Magento Certified Developer. 5 years Magento, Java/PHP since 2004
● I love IT & Telecommunication and IT- & Information-Security.
● I work at LimeSoda, an E-Commerce Agency in Vienna/AT.
Once upon a time...
academic titles?! Entries found in the customer title attribute:
● Teamwork also involves being a good teammate, which is why we are very proud
● Chanel Deco (シャネル デコ)
● FC Barcelona and was presenting partner of the Fan Zone event prior to the gamehqn
● Therapeutic mud of Saky Lake (Лечебные грязи Сакского озера)
● Trying to find for a approach to raise male power and endurance.
● New year2013 best now41
● Impotence, just take a look! (Импотенция вы поглядите !)
● how to write an essay explaining why you deserve a scholarship
● Sophisticated Men High-heeled shoes A Wise Choice
● http://onemilliondollarhomepage.ru/
● how to write up divorce paper
● write your name really cool
● shady lady free download
● driver samsung hd160jj p
Our daily business: Input → Process → Output
Security-Technology, Department of Defense Computer Security Initiative, 1980
Web Application Security Risks (OWASP Top 10, 2013)
1) Injection
2) Broken Authentication and Session Management
3) Cross Site Scripting (XSS)
https://www.owasp.org/index.php/Top10#OWASP_Top_10_for_2013
Stop „Last Minute Security“
● Do the coding, then spend the last X hours on „making it secure“
● Secure coding doesn't really take longer
● Data quality → software quality → security
● Always keep security in mind
Every feature adds a risk.
Every input/output adds a risk.
http://blogs.technet.com/b/rhalbheer/archive/2011/01/14/real-physical-security.aspx
Input
Frontend input validation
● User experience
● Stop unwanted input when it occurs
● Do not bother your server with crazy input
● Only store what you expect
Don't fill up your database with garbage.
Magento Frontend Validation
Magento 1 (51 validation rules): js/prototype/validation.js
Magento 2 (74 validation rules): app/code/Magento/Ui/view/base/web/js/lib/validation/rules.js
Magento 2 validation rules (rules.js): min_text_length, max_text_length, max-words, min-words, range-words, letters-with-basic-punc, alphanumeric, letters-only, no-whitespace, zip-range, integer, vinUS, dateITA, dateNL, time, time12h, phoneUS, phoneUK, mobileUK, stripped-min-length, email2, url2, credit-card-types, ipv4, ipv6, pattern, validate-no-html-tags, validate-select, validate-no-empty, validate-alphanum-with-spaces, validate-data, validate-street, validate-phoneStrict, validate-phoneLax, validate-fax, validate-email, validate-emailSender, validate-password, validate-admin-password, validate-url, validate-clean-url, validate-xml-identifier, validate-ssn, validate-zip-us, validate-date-au, validate-currency-dollar, validate-not-negative-number, validate-zero-or-greater, validate-greater-than-zero, validate-css-length, validate-number, validate-number-range, validate-digits, validate-digits-range, validate-range, validate-alpha, validate-code, validate-alphanum, validate-date, validate-identifier, validate-zip-international, validate-state, less-than-equals-to, greater-than-equals-to, validate-emails, validate-cc-number, validate-cc-ukss, required-entry, checked, not-negative-amount, validate-per-page-value-list, validate-new-password, validate-item-quantity, equalTo
Add your own validator
define([
    'jquery',
    'jquery/ui',
    'jquery/validate',
    'mage/translate'
], function ($) {
    // Register a new rule name; the callback returns true when the value is valid.
    $.validator.addMethod('validate-custom-name',
        function (value) {
            return (value !== 'anna');
        }, $.mage.__('Enter valid name'));
});
<form>
    <div class="field required">
        <input type="email" id="email_address"
               data-validate="{required:true, 'validate-email':true}"
               aria-required="true">
    </div>
</form>
Why frontend validation is not enough...
https://quadhead.de/cola-hack-sicherheitsluecke-auf-meinecoke-de/
Don't trust the user. Don't trust the input!
Why validate input?
● User form input
● Database query results
● Web Services
● Server variables
● Cookies
Validate input rules
Magento 1: Mage_Eav_Attribute_Data_Abstract
Magento 2: Magento\Eav\Model\Attribute\Data\AbstractData
Input Validation Rules
– alphanumeric
– numeric
– alpha
– email
– url
– date
Zend\Validator: Standard Validation Classes
Alnum, Alpha, Barcode, Between, Callback, CreditCard, Date, DbRecordExists and DbNoRecordExists, Digits, EmailAddress, File validation classes, GreaterThan, Hex, Hostname, Iban, Identical, InArray, Ip, Isbn, IsFloat, IsInt, LessThan, NotEmpty, PostCode, Regex, Sitemap validators, Step, StringLength, Timezone, Uri
Output
Is input validation not enough?
● Cross Site Scripting (XSS)
  – Protect your users
  – Protect yourself!
● Store escaped data?
  – Prepare the data where it's needed!
Use
$block->escapeHtml()
$block->escapeQuote()
$block->escapeUrl()
$block->escapeXssInUrl()
...also Magento does it!
Magento 2 Templates XSS security
Output patterns the template XSS static test treats as safe:
<?php echo $block->getTitleHtml() ?>
<?php echo $block->getHtmlTitle() ?>
<?php echo $block->escapeHtml($block->getTitle()) ?>
<h1><?php echo (int)$block->getId() ?></h1>
<?php echo count($var); ?>
<?php echo 'some text' ?>
<?php echo "some text" ?>
<a href="<?php echo $block->escapeXssInUrl($block->getUrl()) ?>">
    <?php echo $block->getAnchorTextHtml() ?>
</a>
Taken from http://devdocs.magento.com/guides/v2.0/frontend-dev-guide/templates/template-security.html
Magento 2 Templates XSS security
● Static test: XssPhtmlTemplateTest.php in dev/tests/static/testsuite/Magento/Test/Php
● See http://devdocs.magento.com/guides/v2.0/frontend-dev-guide/templates/template-security.html
● Run it with: magento dev:tests:run static
What happened to the little attribute?
● Weird customers and customer data were removed
● Frontend validation added (a dropdown, i.e. a whitelist, would have been an option too)
● Server side validation added
● Output escaped
Summary
Think, act and design your software responsibly:
1) UTF-8 all the way
2) Client side validation, filter input
3) Server side validation
4) Data storage (database column size, ...)
5) Escape output
6) Run tests
</happy>
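The validate-then-escape pipeline from the summary, applied to the title attribute from the story, as an added example in plain Node.js; this is not code from the slides or from Magento. The allowed titles, the 20-character column size, the sample inputs and the helpers validateTitle, escapeHtml, safeHref and processSubmissions are assumptions, and safeHref only mirrors the idea behind escapeXssInUrl, not its implementation.

```javascript
// Added example (not from the slides or from Magento): the summary's pipeline for
// the "academic title" attribute in plain Node.js: server-side allowlist
// validation, then context-specific output encoding. The allowlist, the column
// size, the sample inputs and the helper names are constructed assumptions.

const ALLOWED_TITLES = ['', 'Dr.', 'Mag.', 'DI', 'Prof.']; // the "dropdown (whitelist)" option
const MAX_TITLE_LENGTH = 20;                                // assumed database column size

// Server side: the frontend rule may never have run. Returns null when valid,
// otherwise the reason for rejection.
function validateTitle(value) {
  if (typeof value !== 'string') return 'not a string';
  const t = value.trim();
  if (t.length > MAX_TITLE_LENGTH) return 'too long';
  if (!ALLOWED_TITLES.includes(t)) return 'not in allowlist';
  return null;
}

// HTML text context, the job of $block->escapeHtml(): neutralise tags and quotes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// href context, in the spirit of $block->escapeXssInUrl(): only relative or
// http(s) URLs are allowed, everything else becomes ''; then percent-encode.
function safeHref(value) {
  const s = String(value).trim().replace(/[\u0000-\u001f]/g, ''); // browsers skip control chars
  if (/^[a-z][a-z0-9+.-]*:/i.test(s) && !/^https?:/i.test(s)) return '';
  return encodeURI(s).replace(/'/g, '%27');
}

// Constructed submissions resembling the garbage from the story.
const SAMPLE_INPUTS = ['Dr.', 'how to write up divorce paper', '<script>alert(1)</script>'];

// Validate on the way in; escape on the way out, even for accepted values.
function processSubmissions(inputs) {
  return inputs.map((input) => {
    const error = validateTitle(input);
    return {
      input,
      accepted: error === null,
      reason: error,
      rendered: error === null ? `<span class="title">${escapeHtml(input)}</span>` : null,
    };
  });
}

console.log(JSON.stringify(processSubmissions(SAMPLE_INPUTS), null, 2));
```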
Thank you! Questions?
@rescueAnn
a.voelkl@limesoda.com
