Secure input and output handling - Meet Magento Romania 2016

Meet Magento Romania 2016 | @rescueAnn

Secure input and output handling

How not to suck at datavalidation and output

Anna Völkl


Hi, I’m Anna!

I do Magento things6 years of Magento, PHP since 2004

I love IT & Information SecurityMagento Security Best Practises, anyone?!

I work at E-CONOMIXMagento & Typo3 ❤ Linz, Austria


What this talk is all about:★ XSS★ Frontend input validation★ Backend input validation★ Output escaping


Once upon a time...


Academic titles - what we expected

BA PhD

BSc MA

DI MSc

Mag. MBA

Dr. LL.M.


Academic titles - what we got


XSS is real.


index.php?name=Anna<script>alert('XSS');</script>


“Cross-Site Scripting (XSS) attacks occur when:

1. Data enters a Web application through an untrusted source, most frequently a web request.

2. The data is included in dynamic content that is sent to a web user without being validated for malicious content.”

Source: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)


XSS in latest SUPEEs

SUPEE-8788

● 17 vulnerabilities● 4 XSS (1 high, 4 medium)

SUPEE-7405

● 20 vulnerabilities● 7 XSS (2 critical, 1 high, 2 medium, 2 low)


Every feature adds a risk.

⬇

Every input/output adds a risk.


Input⬇

Process⬇

Output

Meet Magento Romania 2016 | @rescueAnnSource: http://transferready.co.uk/index.php/blog/function-machines/

http://transferready.co.uk/index.php/blog/function-machines/

Meet Magento Romania 2016 | @rescueAnnSource: http://transferready.co.uk/index.php/blog/function-machines/

http://transferready.co.uk/index.php/blog/function-machines/


e-mail address

password

Logged in customer


Security-Technology, Department of Defense Computer Security Initiative, 1980


Stop “Last Minute Security”

Do the coding, spend last X hours on „making it secure“

Secure coding doesn't really take longer

Data quality ⇔ software quality ⇔ security

Always keep security in mind.


Source: http://blogs.technet.com/b/rhalbheer/archive/2011/01/14/real-physical-security.aspx

http://blogs.technet.com/b/rhalbheer/archive/2011/01/14/real-physical-security.aspx


Input


Frontend input validation

● User experience● Stop unwanted input when it occurs● Do not bother your server with crazy input

requests

Don't fill up your database with garbage.


Magento Frontend Validation

Magento 1 (51 validation rules)

js/prototype/validation.js

Magento 2 (74 validation rules)

app/code/Magento/Ui/view/base/web/js/lib/validation/rules.js



M2



min_text_lengthmax_text_lengthmax-wordsmin-wordsrange-wordsletters-with-basic-puncalphanumericletters-onlyno-whitespacezip-rangeintegervinUSdateITAdateNLtimetime12hphoneUSphoneUKmobileUK

stripped-min-lengthemail2url2credit-card-typesipv4ipv6patternvalidate-no-html-tagsvalidate-selectvalidate-no-emptyvalidate-alphanum-with-spacesvalidate-datavalidate-streetvalidate-phoneStrictvalidate-phoneLaxvalidate-faxvalidate-emailvalidate-emailSendervalidate-password

validate-admin-passwordvalidate-urlvalidate-clean-urlvalidate-xml-identifiervalidate-ssnvalidate-zip-usvalidate-date-auvalidate-currency-dollarvalidate-not-negative-numbervalidate-zero-or-greatervalidate-greater-than-zerovalidate-css-lengthvalidate-numbervalidate-number-rangevalidate-digitsvalidate-digits-rangevalidate-rangevalidate-alphavalidate-code

validate-alphanumvalidate-datevalidate-identifiervalidate-zip-internationalvalidate-stateless-than-equals-togreater-than-equals-tovalidate-emailsvalidate-cc-numbervalidate-cc-ukssrequired-entrycheckednot-negative-amountvalidate-per-page-value-listvalidate-new-passwordvalidate-item-quantityequalTo

M2


Add your own validator

define([ 'jquery', 'jquery/ui', 'jquery/validate', 'mage/translate'], function ($) { $.validator.addMethod('validate-custom-name', function (value) { return (value !== 'anna'); }, $.mage.__('Enter valid name'));});

M2


<form> <div class="field required"> <input type="email" id="email_address" data-validate="{required:true, 'validate-email':true}" aria-required="true"> </div></form>

Adding frontend-validationM2


Bonus


<form> <div class="field required"> <input type="email" id="email_address" data-validate="{required:true, 'validate-email':true}" aria-required="true"> </div></form>

Adding frontend-validationM2

Meet Magento Romania 2016 | @rescueAnnSource: https://quadhead.de/cola-hack-sicherheitsluecke-auf-meinecoke-de/

Why frontend validation is not enough...

https://quadhead.de/cola-hack-sicherheitsluecke-auf-meinecoke-de/


Don’t trust the user.Don’t trust the input!



EAV Backend validation input rules

Magento 1

Mage_Eav_Attribute_Data_Abstract

Magento 2

Magento\Eav\Model\Attribute\Data\AbstractData


Magento\Eav\Model\Attribute\Data\AbstractData

Input Validation Rules:

● alphanumeric● numeric● alpha● email● url● date

M2


Zend\Validator Standard Validation Classes

Alnum ValidatorAlpha ValidatorBarcode ValidatorBetween ValidatorCallback ValidatorCreditCard ValidatorDate ValidatorDb\RecordExists and Db\NoRecordExists ValidatorsDigits ValidatorEmailAddress Validator

File Validation ClassesGreaterThan ValidatorHex ValidatorHostname ValidatorIban ValidatorIdentical ValidatorInArray ValidatorIp ValidatorIsbn ValidatorIsFloatIsIntLessThan Validator

NotEmpty ValidatorPostCode ValidatorRegex ValidatorSitemap ValidatorsStep ValidatorStringLength ValidatorTimezone ValidatorUri Validator


Output


Is input validation not enough?!


Magento 2 Templates XSS security


getXXXHtml()

<?php echo $block->getTitleHtml() ?><?php echo $block->getHtmlTitle() ?><?php echo $block->escapeHtml($block->getTitle()) ?>

M2



Type casting and PHP function count()

<h1><?php echo (int)$block->getId() ?></h1><?php echo count($var); ?>

M2



Output in single or double quotes

<?php echo 'some text' ?><?php echo "some text" ?>

M2



Use specific escape functions

<a href="<?php echo $block->escapeXssInUrl( $block->getUrl()) ?>"> <?php echo $block->getAnchorTextHtml() ?></a>

M2



Use these. Also Magento does it!

$block->escapeHtml()

$block->escapeQuote()

$block->escapeUrl()

$block->escapeXssInUrl()

M2


$block->escapeHtml()Whitelist: allowed Tags, htmlspecialchars

M2


Magento\Framework\EscaperM2


$block->escapeHtml()Whitelist: allowed Tags, htmlspecialchars

$block->escapeQuote()Escape quotes inside html attributes$addSlashes = false for escaping js inside html attribute (onClick, onSubmit etc)

M2


$block->escapeUrl()Escape HTML entities in URL (htmlspecialchars)

$block->escapeXssInUrl()eliminating 'javascript' + htmlspecialchars

M2



Testing


Static XSS Test

XssPhtmlTemplateTest.php in dev\tests\static\testsuite\Magento\Test\Php\

See http://devdocs.magento.com/guides/v2.0/frontend-dev-guide/templates/template-security.html

http://devdocs.magento.com/guides/v2.0/frontend-dev-guide/templates/template-security.html




$ magento dev:tests:run static


$ magento dev:tests:run static


What happened to the little attribute?!


Weird customers and customer data was removed Frontend validation added - Dropdown (whitelist)

would have been an option tooServer side validation added

Output escaped


Summary

Think, act and design your software responsibly:

1. Client side validation2. Server side validation3. UTF-8 all the way4. Escape at point of use5. Use & run tests


Questions?

Right here, right nowor later @resueAnn

Software

Secure input and output handling - Meet Magento Romania 2016