Meet Magento Romania 2016 | @rescueAnn
Secure input and output handling
How not to suck at data validation and output
Anna Völkl
Hi, I’m Anna!
I do Magento things: 6 years of Magento, PHP since 2004
I love IT & Information Security. Magento Security Best Practises, anyone?!
I work at E-CONOMIX: Magento & Typo3 ❤ Linz, Austria
What this talk is all about:
★ XSS
★ Frontend input validation
★ Backend input validation
★ Output escaping
Once upon a time...
Academic titles - what we expected: BA, BSc, DI, Mag., Dr., PhD, MA, MSc, MBA, LL.M.
Academic titles - what we got
XSS is real.
index.php?name=Anna<script>alert('XSS');</script>
“Cross-Site Scripting (XSS) attacks occur when:
1. Data enters a Web application through an untrusted source, most frequently a web request.
2. The data is included in dynamic content that is sent to a web user without being validated for malicious content.”
Source: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
XSS in latest SUPEEs
SUPEE-8788: 17 vulnerabilities, 4 XSS (1 high, 4 medium)
SUPEE-7405: 20 vulnerabilities, 7 XSS (2 critical, 1 high, 2 medium, 2 low)
Every feature adds a risk.
⬇
Every input/output adds a risk.
Input ⬇ Process ⬇ Output
Source: http://transferready.co.uk/index.php/blog/function-machines/
e-mail address
password
Logged in customer
Security-Technology, Department of Defense Computer Security Initiative, 1980
Stop “Last Minute Security”
Do the coding, spend last X hours on „making it secure“
Secure coding doesn't really take longer
Data quality ⇔ software quality ⇔ security
Always keep security in mind.
Source: http://blogs.technet.com/b/rhalbheer/archive/2011/01/14/real-physical-security.aspx
Input
Frontend input validation
● User experience
● Stop unwanted input when it occurs
● Do not bother your server with crazy input requests
Don't fill up your database with garbage.
Magento Frontend Validation
Magento 1 (51 validation rules)
js/prototype/validation.js
Magento 2 (74 validation rules)
app/code/Magento/Ui/view/base/web/js/lib/validation/rules.js
Validation rules in app/code/Magento/Ui/view/base/web/js/lib/validation/rules.js (M2):
min_text_length, max_text_length, max-words, min-words, range-words, letters-with-basic-punc, alphanumeric, letters-only, no-whitespace, zip-range, integer, vinUS, dateITA, dateNL, time, time12h, phoneUS, phoneUK, mobileUK,
stripped-min-length, email2, url2, credit-card-types, ipv4, ipv6, pattern, validate-no-html-tags, validate-select, validate-no-empty, validate-alphanum-with-spaces, validate-data, validate-street, validate-phoneStrict, validate-phoneLax, validate-fax, validate-email, validate-emailSender, validate-password,
validate-admin-password, validate-url, validate-clean-url, validate-xml-identifier, validate-ssn, validate-zip-us, validate-date-au, validate-currency-dollar, validate-not-negative-number, validate-zero-or-greater, validate-greater-than-zero, validate-css-length, validate-number, validate-number-range, validate-digits, validate-digits-range, validate-range, validate-alpha, validate-code,
validate-alphanum, validate-date, validate-identifier, validate-zip-international, validate-state, less-than-equals-to, greater-than-equals-to, validate-emails, validate-cc-number, validate-cc-ukss, required-entry, checked, not-negative-amount, validate-per-page-value-list, validate-new-password, validate-item-quantity, equalTo
Add your own validator (M2)
define([
    'jquery',
    'jquery/ui',
    'jquery/validate',
    'mage/translate'
], function ($) {
    // Register a custom jQuery Validate rule under the name used in data-validate
    $.validator.addMethod(
        'validate-custom-name',
        function (value) {
            return (value !== 'anna');
        },
        $.mage.__('Enter valid name')
    );
});
Adding frontend validation (M2)
<form>
    <div class="field required">
        <input type="email" id="email_address"
               data-validate="{required:true, 'validate-email':true}"
               aria-required="true">
    </div>
</form>
Source: https://quadhead.de/cola-hack-sicherheitsluecke-auf-meinecoke-de/
Why frontend validation is not enough...
Don’t trust the user. Don’t trust the input!
EAV Backend validation input rules
Magento 1
Mage_Eav_Attribute_Data_Abstract
Magento 2
Magento\Eav\Model\Attribute\Data\AbstractData
Magento\Eav\Model\Attribute\Data\AbstractData (M2) input validation rules: alphanumeric, numeric, alpha, email, url, date
Zend\Validator standard validation classes:
Alnum, Alpha, Barcode, Between, Callback, CreditCard, Date, Db\RecordExists and Db\NoRecordExists, Digits, EmailAddress,
File validation classes, GreaterThan, Hex, Hostname, Iban, Identical, InArray, Ip, Isbn, IsFloat, IsInt, LessThan,
NotEmpty, PostCode, Regex, Sitemap validators, Step, StringLength, Timezone, Uri
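Server-side validation for the academic-title field from the talk, as an added example that is neither Magento's code nor the speaker's: a plain PHP validator (the class name TitleValidator and the whitelist of titles are constructed for this example) that enforces a UTF-8 check, a length limit, a character rule and a whitelist, no matter what the browser did. It also refuses non-string values, a case a frontend rule never sees because a request can simply send title[]=... instead of a string.

```php
<?php
// Added example, not Magento's own code: server-side validation of the
// "academic title" field, independent of any frontend rule.
// TitleValidator and ALLOWED_TITLES are constructed for this example.
declare(strict_types=1);

final class TitleValidator
{
    /** Whitelist of accepted titles (the "dropdown" option from the talk). */
    private const ALLOWED_TITLES = [
        'BA', 'BSc', 'DI', 'Mag.', 'Dr.', 'PhD', 'MA', 'MSc', 'MBA', 'LL.M.',
    ];

    /** @return string[] validation errors; empty when the value is accepted */
    public function validate($value): array
    {
        // Reject anything that is not a string: arrays arrive when a request
        // sends title[]=... and would survive a loose string comparison.
        if (!is_string($value)) {
            return ['Title must be a string.'];
        }

        // "UTF-8 all the way": refuse malformed byte sequences up front.
        if (!mb_check_encoding($value, 'UTF-8')) {
            return ['Title is not valid UTF-8.'];
        }

        $value = trim($value);
        if ($value === '') {
            return [];   // optional field, empty is fine
        }

        $errors = [];
        if (mb_strlen($value) > 10) {
            $errors[] = 'Title is too long.';
        }

        // Structural rule: letters, digits, dots and spaces only
        // (no '<', '>', quotes or other markup characters).
        if (!preg_match('/^[\p{L}\d. ]+$/u', $value)) {
            $errors[] = 'Title contains characters that are not allowed.';
        }

        // Semantic rule: must be one of the known titles (whitelist, not blacklist).
        if (!in_array($value, self::ALLOWED_TITLES, true)) {
            $errors[] = 'Unknown title.';
        }

        return $errors;
    }
}

// Demo with constructed inputs: a valid title, the XSS payload from the
// talk, an empty value and an array smuggled in via title[]=x.
$validator = new TitleValidator();
foreach (['Dr.', "Anna<script>alert('XSS');</script>", '', ['x']] as $input) {
    $errors = $validator->validate($input);
    printf(
        "%-40s => %s\n",
        json_encode($input),
        $errors === [] ? 'accepted' : 'rejected: ' . implode(' ', $errors)
    );
}
```

Run it with php on the command line. The whitelist is the dropdown idea from the end of the talk in server-side form: when the set of valid values is small and known, checking membership beats trying to enumerate everything that could be bad, and the structural rule still catches garbage before it reaches the database.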
Output
Is input validation not enough?!
Magento 2 Templates XSS security
getXXXHtml() (M2)
<?php echo $block->getTitleHtml() ?>
<?php echo $block->getHtmlTitle() ?>
<?php echo $block->escapeHtml($block->getTitle()) ?>
Type casting and PHP function count() (M2)
<h1><?php echo (int)$block->getId() ?></h1>
<?php echo count($var); ?>
Output in single or double quotes (M2)
<?php echo 'some text' ?>
<?php echo "some text" ?>
Use specific escape functions (M2)
<a href="<?php echo $block->escapeXssInUrl($block->getUrl()) ?>">
    <?php echo $block->getAnchorTextHtml() ?>
</a>
Use these. Also Magento does it! (M2)
$block->escapeHtml()
$block->escapeQuote()
$block->escapeUrl()
$block->escapeXssInUrl()
Magento\Framework\Escaper (M2)
$block->escapeHtml(): whitelist of allowed tags, then htmlspecialchars
$block->escapeQuote(): escape quotes inside HTML attributes; $addSlashes = false for escaping JS inside an HTML attribute (onClick, onSubmit etc.)
$block->escapeUrl(): escape HTML entities in a URL (htmlspecialchars)
$block->escapeXssInUrl(): eliminate 'javascript', then htmlspecialchars
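The four escape helpers and the unescaped "before" output they replace, as an added example that is neither Magento's Magento\Framework\Escaper nor code from the talk: DemoEscaper is a constructed, simplified approximation of the behaviour the slides describe (htmlspecialchars with an allowed-tag whitelist, quote escaping with optional addslashes, URL escaping, and dropping a javascript: scheme), applied to the payload from the index.php?name= slide. Method names mirror the slides; the bodies are this example's own.

```php
<?php
// Added example, not Magento\Framework\Escaper: a stand-alone approximation
// of the escape helpers named in the slides, plus the unescaped "before".
declare(strict_types=1);

final class DemoEscaper
{
    /** escapeHtml(): htmlspecialchars, then restore a whitelist of allowed tags. */
    public function escapeHtml(string $data, array $allowedTags = []): string
    {
        $result = htmlspecialchars($data, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false);
        if ($allowedTags !== []) {
            // Only bare <tag> and </tag> are restored, never tags carrying
            // attributes, so "<i onclick=x>" stays escaped.
            $names   = implode('|', array_map('preg_quote', $allowedTags));
            $result  = preg_replace('/&lt;(\/?)(' . $names . ')&gt;/', '<$1$2>', $result);
        }
        return $result;
    }

    /** escapeQuote(): for values inside HTML attributes; $addSlashes for JS in attributes. */
    public function escapeQuote(string $data, bool $addSlashes = false): string
    {
        if ($addSlashes) {
            $data = addslashes($data);
        }
        return htmlspecialchars($data, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false);
    }

    /** escapeUrl(): HTML-entity escaping of a URL placed inside markup. */
    public function escapeUrl(string $data): string
    {
        return htmlspecialchars($data, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false);
    }

    /** escapeXssInUrl(): drop a leading javascript: scheme, then escape like escapeUrl(). */
    public function escapeXssInUrl(string $data): string
    {
        // Browsers ignore tab/CR/LF inside a URL and strip surrounding
        // whitespace, so normalise the same way before matching the scheme;
        // a naive replace on the raw string would miss "java\tscript:".
        $normalized = preg_replace('/[\t\r\n]/', '', trim($data));
        $cleaned    = preg_replace('/^javascript:/i', '', $normalized);
        return $this->escapeUrl($cleaned);
    }
}

// Constructed inputs: the payload from the talk and a javascript: link.
$escaper = new DemoEscaper();
$title   = "Anna<script>alert('XSS');</script>";
$link    = "javascript:alert(1)";

// "Before": an unescaped template echo; the <script> tag reaches the browser intact.
$unsafe = "<h1>{$title}</h1>";

// "After": escape at point of use, with the helper that matches the context
// (element content, href attribute, plain attribute, rich text with a tag whitelist).
$safe = sprintf(
    '<h1>%s</h1><a href="%s" title="%s">%s</a>',
    $escaper->escapeHtml($title),
    $escaper->escapeXssInUrl($link),
    $escaper->escapeQuote('She said "hi"'),
    $escaper->escapeHtml('<b>bold</b> & <i onclick=x>not</i>', ['b', 'i'])
);

echo "unsafe: {$unsafe}\n";
echo "safe:   {$safe}\n";
```

Two caveats the comments point at: the tag whitelist restores only bare tags, so a whitelisted tag that carries attributes stays escaped; and stripping a javascript: scheme is a blacklist, which is weaker than allowing only known schemes (http, https, relative paths). If you write your own URL helper rather than using the framework's, the allowlist is the safer design.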
Testing
Static XSS Test
XssPhtmlTemplateTest.php in dev\tests\static\testsuite\Magento\Test\Php\
See http://devdocs.magento.com/guides/v2.0/frontend-dev-guide/templates/template-security.html
$ magento dev:tests:run static
What happened to the little attribute?!
Weird customers and customer data were removed
Frontend validation added (a dropdown, i.e. a whitelist, would have been an option too)
Server-side validation added
Output escaped
Summary
Think, act and design your software responsibly:
1. Client-side validation
2. Server-side validation
3. UTF-8 all the way
4. Escape at point of use
5. Use & run tests
Questions?
Right here, right now, or later @rescueAnn