SlideShare a Scribd company logo

Top 5 Magento Secure Coding Best Practices

Download as PPTX, PDF
O
Oleksandr Zarichnyi

This document outlines the top 5 Magento secure coding best practices: 1) Validate all input as strictly as possible using validation libraries, 2) Use parameterized queries to prevent SQL injection, 3) Escape all user input to prevent XSS attacks, 4) Use CSRF tokens on forms to prevent CSRF attacks, and 5) Implement security headers to enable browser protections. It provides code examples for each practice and additional resources for learning about application security best practices.

Technology
1 of 27
Downloaded 13 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
Top 5 Magento Secure Coding Best Practices Alex Zarichnyi, Magento ECG
Security in Magento • Dedicated team
Security in Magento • Dedicated team • External audits
Security in Magento • Dedicated team • External audits • Awareness about OWASP Top 10
Security in Magento http://magento.com/security • Bug bounty program • Dedicated team • External audits • Awareness about OWASP Top 10 up to $10.000
Security in Magento • Built-in security mechanisms • Bug bounty program • Dedicated team • External audits • Awareness about OWASP Top 10
Top 5 Secure Coding Practices
#1. Validate input as strictly as possible
Input Validation Do not trust: • all input parameters • cookie names and values • HTTP header content • Some $_SERVER parameters (e.g. HTTP_X_FORWARDED, HTTP_X_FORWARD ED_FOR)
Zend_Validate • Alpha-numeric values • Credit Carts • Host names • IPs • Custom validators (Mage_Core_Model_Url_Validator) • and many more
$attributeCode = $this->getRequest()->getParam('attribute_code'); $validator = new Zend_Validate_Regex(array( 'pattern' => '/^[a-z][a-z_0-9]{1,254}$/')); if (!$validator->isValid($attributeCode)) { //stop execution and add a session error } Validate attribute code 1. 2. $attributeCode = $this->getRequest()->getParam('attribute_code'); $validatorChain = new Zend_Validate(); $validatorChain->addValidator(new Zend_Validate_StringLength( array('min' => 1, 'max' => 254))) ->addValidator(new Zend_Validate_Alnum()); if (!$validatorChain->isValid($attributeCode)) { //stop execution and add a session error }
$email = $this->getRequest()->getParam('email'); if (Zend_Validate::is($email, 'EmailAddress')) { //continue execution } else { $this->_getSession()->addError($this->__('Invalid email address.')); //redirect back } Validate email
#2. Use parameterized queries (?, :param1)
Working with Data in Magento $id = $this->getRequest()->getParam(‘id’); $model->load($id); $q = $this->getRequest()->getParam(‘q’); $collection->addFieldToFilter(‘name’, ‘%’ . $q . ‘%’)); secure secure
$select->where("region.code = '{$requestParam}'"); $res = $this->_getReadAdapter()->fetchRow($select); $select->where('region.code = ?', $requestParam); $res = $this->_getReadAdapter()->fetchRow($select); Bad code Good code 1. $select->where('region.code= :regionCode'); $bind = array('regionCode' => $requestParam); $res = $this->getReadAdapter()->fetchRow($select, $bind)); 2. name' ); UPDATE admin_user SET password = '34e159c98148ff85036e23986 6a8e053:v6' WHERE username = 'admin';
$select->joinInner( array('i' => $this->getTable('enterprise_giftregistry/item')), 'e.entity_id = i.entity_id AND i.item_id = ' . $requestParam, array() ); $select->joinInner( array('i' => $this->getTable('enterprise_giftregistry/item')), 'e.entity_id = i.entity_id AND i.item_id = ' . (int) $requestParam, array() ); Bad code Good code 1; DROP TABLE customer_entity;
$result = "IF (COUNT(*) {$operator} {$requestParam}, 1, 0)"; $select->from( array('order' => $this->getResource()->getTable('sales/order')), array(new Zend_Db_Expr($result) ); $value = $select->getAdapter()->quote($requestParam); $result = "IF (COUNT(*) {$operator} {$value}, 1, 0)"; $select->from( array('order' => $this->getResource()->getTable('sales/order')), array(new Zend_Db_Expr($result)) ); Bad code Good code
#3. Escape user input
SQL Query Parameters Escaping $db->quoteInto("WHERE date < ?", "2005-01-02") WHERE date < '2005-01-02’ Zend_Db_Adapter_Abstract quote($value, $type = null) quoteInto($text, $value, $type = null, $count = null) quoteIdentifier($ident, $auto=false) quoteColumnAs($ident, $alias, $auto=false) quoteTableAs($ident, $alias = null, $auto = false) $db->quote("O'Reilly"); O'Reilly $db->quote("' or '1'='1' -- “, Zend_Db::FLOAT_TYPE); 0.000000
Mage::helper(‘core’)->escapeHtml($data, $allowedTags = null) Mage_Core_Block_Abstract::escapeHtml($data, $allowedTags = null) String Replacement & &amp; " &quot; ' &#039; < &lt; > &gt; HTML Special Characters Escaping https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet Never insert untrusted data except in allowed locations Use both on frontend & backend
#4. Use CSRF tokens (form keys)
<form name="myForm" id="myForm" method="post" action="..."> <?php echo $this->getBlockHtml('formkey')?> <!-- ... --> </form> public function saveAction() { if (!$this->_validateFormKey()) { //stop and throw an exception or redirect back } } <input type="hidden" value="Bcp957eKYP48XL0Y" name="form_key"> in template in controller
#5. Use security headers
HTTP security headers https://www.owasp.org/index.php/List_of_useful_HTTP_headers Header Description Example X-XSS-Protection Protects from XSS X-XSS-Protection: 1; mode=block X-Frame-Options Protects from Clickjacking X-Frame-Options: deny X-Content-Type- Options Prevents Internet Explorer and Google Chrome from MIME- sniffing a response away from the declared content-type X-Content-Type-Options: nosniff Content-Security- Policy, X-WebKit-CSP Lets you specify a policy for where content can be loaded Lets you put restrictions on script execution X-WebKit-CSP: default-src 'self'
/** * Add security headers to the response * * @listen controller_action_predispatch * @param Varien_Event_Observer $observer */ public function processPreDispatch(Varien_Event_Observer $observer) { $response = $observer->getControllerAction()->getResponse(); $response->setHeader(‘X-XSS-Protection’, ‘1; mode=block’) ->setHeader(‘X-Frame-Options’, ‘DENY’) ->setHeader(‘X-Content-Type-Options’, ‘nosniff’); }
Additional Resources • https://www.owasp.org – The Open Web Application Security Project • http://websec.io/ – Securing PHP-based applications • http://cwe.mitre.org/ – Common Weakness Enumeration • https://www.youtube.com/watch?v=aGnV7P8NXtA –Magento Security Presentation, Imagine 2012 • http://www.developers-paradise.com/wp- content/uploads/eltrino-paradise-2013-roman_stepanov.pdf - Magento Security and Vulnerabilities Presentation, Magento Developer Paradise 2013
zlik ozarichnyi@ebay.com linkedin.com/in/ozarichnyi Дякую!

More Related Content

PPTX
Top 5 magento secure coding best practices Alex Zarichnyi
Magento Dev
 
PDF
PHPunit and you
markstory
 
PDF
PHPUnit Episode iv.iii: Return of the tests
Michelangelo van Dam
 
PDF
Dealing with Legacy PHP Applications
Clinton Dreisbach
 
PDF
Manipulating Magento - Meet Magento Netherlands 2018
Joke Puts
 
PDF
Dealing With Legacy PHP Applications
Viget Labs
 
PDF
Introduction to Zend Framework web services
Michelangelo van Dam
 
PPTX
Сергей Иващенко - Meet Magento Ukraine - Цены в Magento 2
Atwix
 
Top 5 magento secure coding best practices Alex Zarichnyi
Magento Dev
 
PHPunit and you
markstory
 
PHPUnit Episode iv.iii: Return of the tests
Michelangelo van Dam
 
Dealing with Legacy PHP Applications
Clinton Dreisbach
 
Manipulating Magento - Meet Magento Netherlands 2018
Joke Puts
 
Dealing With Legacy PHP Applications
Viget Labs
 
Introduction to Zend Framework web services
Michelangelo van Dam
 
Сергей Иващенко - Meet Magento Ukraine - Цены в Magento 2
Atwix
 

What's hot (20)

PDF
Disregard Inputs, Acquire Zend_Form
Daniel Cousineau
 
PDF
Unit testing with zend framework tek11
Michelangelo van Dam
 
PPTX
Agile data presentation 3 - cambridge
Romans Malinovskis
 
PPTX
Hacking Your Way To Better Security - Dutch PHP Conference 2016
Colin O'Dell
 
PDF
QA for PHP projects
Michelangelo van Dam
 
PDF
Refactoring using Codeception
Jeroen van Dijk
 
PPT
Os Nixon
oscon2007
 
PDF
Developing for Business
Antonio Spinelli
 
PDF
TDC2016SP - Trilha Developing for Business
tdc-globalcode
 
PDF
PhpSpec 2.0 ilustrated by examples
Marcello Duarte
 
KEY
Unit testing zend framework apps
Michelangelo van Dam
 
PDF
Apex 5 plugins for everyone version 2018
Alan Arentsen
 
PDF
Ruby - Design patterns tdc2011
Rafael Felix da Silva
 
PDF
Laravel admin20170819
yehlu
 
PDF
Aplicacoes dinamicas Rails com Backbone
Rafael Felix da Silva
 
PDF
Proposed PHP function: is_literal()
Craig Francis
 
PDF
Backbone - TDC 2011 Floripa
Rafael Felix da Silva
 
PPTX
Web весна 2013 лекция 6
Technopark
 
PPTX
Deploying Straight to Production
Mark Baker
 
PDF
QA Lab: тестирование ПО. Станислав Шмидт: "Self-testing REST APIs with API Fi...
GeeksLab Odessa
 
Disregard Inputs, Acquire Zend_Form
Daniel Cousineau
 
Unit testing with zend framework tek11
Michelangelo van Dam
 
Agile data presentation 3 - cambridge
Romans Malinovskis
 
Hacking Your Way To Better Security - Dutch PHP Conference 2016
Colin O'Dell
 
QA for PHP projects
Michelangelo van Dam
 
Refactoring using Codeception
Jeroen van Dijk
 
Os Nixon
oscon2007
 
Developing for Business
Antonio Spinelli
 
TDC2016SP - Trilha Developing for Business
tdc-globalcode
 
PhpSpec 2.0 ilustrated by examples
Marcello Duarte
 
Unit testing zend framework apps
Michelangelo van Dam
 
Apex 5 plugins for everyone version 2018
Alan Arentsen
 
Ruby - Design patterns tdc2011
Rafael Felix da Silva
 
Laravel admin20170819
yehlu
 
Aplicacoes dinamicas Rails com Backbone
Rafael Felix da Silva
 
Proposed PHP function: is_literal()
Craig Francis
 
Backbone - TDC 2011 Floripa
Rafael Felix da Silva
 
Web весна 2013 лекция 6
Technopark
 
Deploying Straight to Production
Mark Baker
 
QA Lab: тестирование ПО. Станислав Шмидт: "Self-testing REST APIs with API Fi...
GeeksLab Odessa
 
Ad

Viewers also liked (20)

PDF
The Project Management Plan in 20 steps
Marco De Santis, PMP, CFPP
 
PPTX
PMI Project Management Principles
tltiede
 
PDF
LCE13: Introduction to Jira - Linaro's Project Management Application
Linaro
 
PDF
Project Management Plan - Odogu & Siersma
TEGA ODOGU
 
PDF
Project Management in nutshell
Stamford Global
 
PDF
Process Improvement and Change Management, 29th October 2015
Association for Project Management
 
PDF
Alpha Case Study - Project Management Plan Sample
Agatha Maia Duarte de Assis
 
PDF
Advertising Media Plan Project "Axe"
Al Apellidos
 
PDF
Online shopping portal: Software Project Plan
piyushree nagrale
 
PDF
Project Management Plan - Cafe Au Lait.PDF
Geoff Penhorwood
 
PPTX
Restaurant project
Arun Kabra
 
PPTX
Business plan - Entrepreneurship Project - Shivam Jaiswal
Shivam Jaiswal
 
DOCX
Cafe construction project report
Hagi Sahib
 
PPT
Online shopping ppt by rohit jain
Rohit Jain
 
PPTX
Business project plan
Ahmed Shafie
 
PPTX
PROJECT ON NEW BUSINESS PLAN
VisualBee.com
 
PPTX
Wedding project management
Ailuri Reddy
 
DOC
Sample project plan
mamoonnift
 
PDF
Project Management Concepts (from PMBOK 5th Ed)
Jeremy Jay Lim
 
PPTX
Project planning and project work plan
Ferdinand Importado, CPA, MBA
 
The Project Management Plan in 20 steps
Marco De Santis, PMP, CFPP
 
PMI Project Management Principles
tltiede
 
LCE13: Introduction to Jira - Linaro's Project Management Application
Linaro
 
Project Management Plan - Odogu & Siersma
TEGA ODOGU
 
Project Management in nutshell
Stamford Global
 
Process Improvement and Change Management, 29th October 2015
Association for Project Management
 
Alpha Case Study - Project Management Plan Sample
Agatha Maia Duarte de Assis
 
Advertising Media Plan Project "Axe"
Al Apellidos
 
Online shopping portal: Software Project Plan
piyushree nagrale
 
Project Management Plan - Cafe Au Lait.PDF
Geoff Penhorwood
 
Restaurant project
Arun Kabra
 
Business plan - Entrepreneurship Project - Shivam Jaiswal
Shivam Jaiswal
 
Cafe construction project report
Hagi Sahib
 
Online shopping ppt by rohit jain
Rohit Jain
 
Business project plan
Ahmed Shafie
 
PROJECT ON NEW BUSINESS PLAN
VisualBee.com
 
Wedding project management
Ailuri Reddy
 
Sample project plan
mamoonnift
 
Project Management Concepts (from PMBOK 5th Ed)
Jeremy Jay Lim
 
Project planning and project work plan
Ferdinand Importado, CPA, MBA
 
Ad

Similar to Top 5 Magento Secure Coding Best Practices (20)

PDF
Sql Injection Myths and Fallacies
Karwin Software Solutions LLC
 
PDF
PHPSpec - the only Design Tool you need - 4Developers
Kacper Gunia
 
KEY
Unit testing with zend framework PHPBenelux
Michelangelo van Dam
 
KEY
Zend Framework Study@Tokyo #2
Shinya Ohyanagi
 
PDF
Dutch PHP Conference - PHPSpec 2 - The only Design Tool you need
Kacper Gunia
 
PDF
Moving a high traffic ZF1 Enterprise Application to SF2 - Lessons learned
Baldur Rensch
 
PDF
Unit testing after Zend Framework 1.8
Michelangelo van Dam
 
PDF
Quality Assurance for PHP projects - ZendCon 2012
Michelangelo van Dam
 
KEY
Zend framework service
Michelangelo van Dam
 
KEY
Zend framework service
Michelangelo van Dam
 
PDF
Jakość dostarczanego oprogramowania oparta o testy
Paweł Tekliński
 
PPT
Php Security By Mugdha And Anish
OSSCube
 
PPTX
Meet Magento Belarus debug Pavel Novitsky (eng)
Pavel Novitsky
 
KEY
Workshop quality assurance for php projects tek12
Michelangelo van Dam
 
PPTX
Geek Sync | Rewriting Bad SQL Code 101
IDERA Software
 
PDF
TestFest - Respect\Validation 1.0
Henrique Moody
 
PDF
Contagion的Ruby/Rails投影片
cfc
 
PDF
Min-Maxing Software Costs
Konstantin Kudryashov
 
PDF
Becoming a better WordPress Developer
Joey Kudish
 
KEY
PHP security audits
Damien Seguy
 
Sql Injection Myths and Fallacies
Karwin Software Solutions LLC
 
PHPSpec - the only Design Tool you need - 4Developers
Kacper Gunia
 
Unit testing with zend framework PHPBenelux
Michelangelo van Dam
 
Zend Framework Study@Tokyo #2
Shinya Ohyanagi
 
Dutch PHP Conference - PHPSpec 2 - The only Design Tool you need
Kacper Gunia
 
Moving a high traffic ZF1 Enterprise Application to SF2 - Lessons learned
Baldur Rensch
 
Unit testing after Zend Framework 1.8
Michelangelo van Dam
 
Quality Assurance for PHP projects - ZendCon 2012
Michelangelo van Dam
 
Zend framework service
Michelangelo van Dam
 
Zend framework service
Michelangelo van Dam
 
Jakość dostarczanego oprogramowania oparta o testy
Paweł Tekliński
 
Php Security By Mugdha And Anish
OSSCube
 
Meet Magento Belarus debug Pavel Novitsky (eng)
Pavel Novitsky
 
Workshop quality assurance for php projects tek12
Michelangelo van Dam
 
Geek Sync | Rewriting Bad SQL Code 101
IDERA Software
 
TestFest - Respect\Validation 1.0
Henrique Moody
 
Contagion的Ruby/Rails投影片
cfc
 
Min-Maxing Software Costs
Konstantin Kudryashov
 
Becoming a better WordPress Developer
Joey Kudish
 
PHP security audits
Damien Seguy
 

Recently uploaded (20)

PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PDF
KodekX | Application Modernization Development
KodekX
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
KodekX | Application Modernization Development
KodekX
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 

Top 5 Magento Secure Coding Best Practices

  • 1. Top 5 Magento Secure Coding Best Practices Alex Zarichnyi, Magento ECG
  • 2. Security in Magento • Dedicated team
  • 3. Security in Magento • Dedicated team • External audits
  • 4. Security in Magento • Dedicated team • External audits • Awareness about OWASP Top 10
  • 5. Security in Magento http://magento.com/security • Bug bounty program • Dedicated team • External audits • Awareness about OWASP Top 10 up to $10.000
  • 6. Security in Magento • Built-in security mechanisms • Bug bounty program • Dedicated team • External audits • Awareness about OWASP Top 10
  • 7. Top 5 Secure Coding Practices
  • 8. #1. Validate input as strictly as possible
  • 9. Input Validation Do not trust: • all input parameters • cookie names and values • HTTP header content • Some $_SERVER parameters (e.g. HTTP_X_FORWARDED, HTTP_X_FORWARD ED_FOR)
  • 10. Zend_Validate • Alpha-numeric values • Credit Carts • Host names • IPs • Custom validators (Mage_Core_Model_Url_Validator) • and many more
  • 11. $attributeCode = $this->getRequest()->getParam('attribute_code'); $validator = new Zend_Validate_Regex(array( 'pattern' => '/^[a-z][a-z_0-9]{1,254}$/')); if (!$validator->isValid($attributeCode)) { //stop execution and add a session error } Validate attribute code 1. 2. $attributeCode = $this->getRequest()->getParam('attribute_code'); $validatorChain = new Zend_Validate(); $validatorChain->addValidator(new Zend_Validate_StringLength( array('min' => 1, 'max' => 254))) ->addValidator(new Zend_Validate_Alnum()); if (!$validatorChain->isValid($attributeCode)) { //stop execution and add a session error }
  • 12. $email = $this->getRequest()->getParam('email'); if (Zend_Validate::is($email, 'EmailAddress')) { //continue execution } else { $this->_getSession()->addError($this->__('Invalid email address.')); //redirect back } Validate email
  • 13. #2. Use parameterized queries (?, :param1)
  • 14. Working with Data in Magento $id = $this->getRequest()->getParam(‘id’); $model->load($id); $q = $this->getRequest()->getParam(‘q’); $collection->addFieldToFilter(‘name’, ‘%’ . $q . ‘%’)); secure secure
  • 15. $select->where("region.code = '{$requestParam}'"); $res = $this->_getReadAdapter()->fetchRow($select); $select->where('region.code = ?', $requestParam); $res = $this->_getReadAdapter()->fetchRow($select); Bad code Good code 1. $select->where('region.code= :regionCode'); $bind = array('regionCode' => $requestParam); $res = $this->getReadAdapter()->fetchRow($select, $bind)); 2. name' ); UPDATE admin_user SET password = '34e159c98148ff85036e23986 6a8e053:v6' WHERE username = 'admin';
  • 16. $select->joinInner( array('i' => $this->getTable('enterprise_giftregistry/item')), 'e.entity_id = i.entity_id AND i.item_id = ' . $requestParam, array() ); $select->joinInner( array('i' => $this->getTable('enterprise_giftregistry/item')), 'e.entity_id = i.entity_id AND i.item_id = ' . (int) $requestParam, array() ); Bad code Good code 1; DROP TABLE customer_entity;
  • 17. $result = "IF (COUNT(*) {$operator} {$requestParam}, 1, 0)"; $select->from( array('order' => $this->getResource()->getTable('sales/order')), array(new Zend_Db_Expr($result) ); $value = $select->getAdapter()->quote($requestParam); $result = "IF (COUNT(*) {$operator} {$value}, 1, 0)"; $select->from( array('order' => $this->getResource()->getTable('sales/order')), array(new Zend_Db_Expr($result)) ); Bad code Good code
  • 19. SQL Query Parameters Escaping $db->quoteInto("WHERE date < ?", "2005-01-02") WHERE date < '2005-01-02’ Zend_Db_Adapter_Abstract quote($value, $type = null) quoteInto($text, $value, $type = null, $count = null) quoteIdentifier($ident, $auto=false) quoteColumnAs($ident, $alias, $auto=false) quoteTableAs($ident, $alias = null, $auto = false) $db->quote("O'Reilly"); O'Reilly $db->quote("' or '1'='1' -- “, Zend_Db::FLOAT_TYPE); 0.000000
  • 20. Mage::helper(‘core’)->escapeHtml($data, $allowedTags = null) Mage_Core_Block_Abstract::escapeHtml($data, $allowedTags = null) String Replacement & &amp; " &quot; ' &#039; < &lt; > &gt; HTML Special Characters Escaping https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet Never insert untrusted data except in allowed locations Use both on frontend & backend
  • 21. #4. Use CSRF tokens (form keys)
  • 22. <form name="myForm" id="myForm" method="post" action="..."> <?php echo $this->getBlockHtml('formkey')?> <!-- ... --> </form> public function saveAction() { if (!$this->_validateFormKey()) { //stop and throw an exception or redirect back } } <input type="hidden" value="Bcp957eKYP48XL0Y" name="form_key"> in template in controller
  • 23. #5. Use security headers
  • 24. HTTP security headers https://www.owasp.org/index.php/List_of_useful_HTTP_headers Header Description Example X-XSS-Protection Protects from XSS X-XSS-Protection: 1; mode=block X-Frame-Options Protects from Clickjacking X-Frame-Options: deny X-Content-Type- Options Prevents Internet Explorer and Google Chrome from MIME- sniffing a response away from the declared content-type X-Content-Type-Options: nosniff Content-Security- Policy, X-WebKit-CSP Lets you specify a policy for where content can be loaded Lets you put restrictions on script execution X-WebKit-CSP: default-src 'self'
  • 25. /** * Add security headers to the response * * @listen controller_action_predispatch * @param Varien_Event_Observer $observer */ public function processPreDispatch(Varien_Event_Observer $observer) { $response = $observer->getControllerAction()->getResponse(); $response->setHeader(‘X-XSS-Protection’, ‘1; mode=block’) ->setHeader(‘X-Frame-Options’, ‘DENY’) ->setHeader(‘X-Content-Type-Options’, ‘nosniff’); }
  • 26. Additional Resources • https://www.owasp.org – The Open Web Application Security Project • http://websec.io/ – Securing PHP-based applications • http://cwe.mitre.org/ – Common Weakness Enumeration • https://www.youtube.com/watch?v=aGnV7P8NXtA –Magento Security Presentation, Imagine 2012 • http://www.developers-paradise.com/wp- content/uploads/eltrino-paradise-2013-roman_stepanov.pdf - Magento Security and Vulnerabilities Presentation, Magento Developer Paradise 2013