Secure input and output handling - Meet Magento Romania 2016
1. Meet Magento Romania 2016 | @rescueAnn
Secure input and output handling
How not to suck at data validation and output
Anna Völkl
2.
Hi, I’m Anna!
I do Magento things
6 years of Magento, PHP since 2004
I love IT & Information Security
Magento Security Best Practises, anyone?!
I work at E-CONOMIX
Magento & Typo3 ❤ Linz, Austria
3.
What this talk is all about:
★ XSS
★ Frontend input validation
★ Backend input validation
★ Output escaping
8.
index.php?name=Anna<script>alert('XSS');</script>
9.
“Cross-Site Scripting (XSS) attacks occur when:
1. Data enters a Web application through an untrusted
source, most frequently a web request.
2. The data is included in dynamic content that is sent
to a web user without being validated for malicious
content.”
Source: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
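The request from slide 8 is the textbook case of both conditions in the OWASP definition: a query parameter enters the application and is written into the page unchanged. The following is an added example, not code from the talk, showing the vulnerable template beside the version that escapes at the point of output. The request value is constructed inline so the script runs from the command line without a web server.

```php
<?php
// Added example (not from the talk): the reflected XSS behind
// index.php?name=Anna<script>alert('XSS');</script>, first as written
// in a vulnerable template and then escaped at the point of output.
// Run with: php xss_demo.php
declare(strict_types=1);

// Constructed request input, standing in for $_GET['name'].
$untrusted = "Anna<script>alert('XSS');</script>";

// Vulnerable: the request parameter is concatenated into the HTML body
// unchanged, so the browser parses the <script> element and executes it.
function renderGreetingVulnerable(string $name): string
{
    return '<h1>Hello ' . $name . '</h1>';
}

// Fixed: escape for the HTML body context at the point of use.
// ENT_QUOTES encodes both quote characters, ENT_SUBSTITUTE replaces
// invalid UTF-8 sequences instead of returning an empty string, and the
// charset is stated explicitly rather than inherited from php.ini.
function renderGreetingSafe(string $name): string
{
    return '<h1>Hello '
        . htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</h1>';
}

// The browser would execute the script in the first output; in the
// second the tag arrives as literal text and is only displayed.
echo renderGreetingVulnerable($untrusted), PHP_EOL;
echo renderGreetingSafe($untrusted), PHP_EOL;
```

The escaping here is for HTML body text only. A value that ends up inside an attribute, a URL or a script block needs the encoding for that context, which is what the Magento escape functions later in the talk provide.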
13. and 14.
[Image: function machines] Source: http://transferready.co.uk/index.php/blog/function-machines/
15.
[Function-machine diagram: inputs e-mail address and password, output logged-in customer]
16.
Source of the quoted passage: Security-Technology, Department of Defense Computer Security Initiative, 1980
17.
Stop "Last Minute Security"
Doing the coding first and spending the last X hours on "making it secure" is last-minute security.
Secure coding doesn't really take longer.
Data quality ⇔ software quality ⇔ security
Always keep security in mind.
18.
Source: http://blogs.technet.com/b/rhalbheer/archive/2011/01/14/real-physical-security.aspx
20.
Frontend input validation
● User experience
● Stop unwanted input when it occurs
● Do not bother your server with crazy input requests
Don't fill up your database with garbage.
28.
Source: https://quadhead.de/cola-hack-sicherheitsluecke-auf-meinecoke-de/
Why frontend validation is not enough...
29.
Don’t trust the user.
Don’t trust the input!
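Frontend validation improves the user experience, but the request can be sent without the browser, so every rule has to be checked again on the server. The following is an added example, not code from the talk, of a server-side validator for a customer form; the field names (salutation, firstname, email) and the allowed dropdown values are assumptions made up for the example. It also applies the "UTF-8 all the way" point from the summary by rejecting input that is not valid UTF-8 before any other check runs.

```php
<?php
// Added example (not from the talk): server-side validation that does not
// rely on the browser. Field names and allowed values are made up.
// Requires the mbstring extension. Run with: php validate_demo.php
declare(strict_types=1);

const ALLOWED_SALUTATIONS = ['Mr', 'Ms', 'Mx'];   // what the <select> offers
const MAX_NAME_LENGTH = 255;

/**
 * Validates a customer form as it arrives in $_POST. Returns an array of
 * field => error message; an empty array means the input is acceptable.
 */
function validateCustomerForm(array $post): array
{
    $errors = [];

    // 1. Every value must be a string in valid UTF-8 before anything else
    //    looks at it: broken byte sequences can slip past later checks
    //    and through escaping functions.
    foreach (['salutation', 'firstname', 'email'] as $field) {
        $value = $post[$field] ?? null;
        if (!is_string($value) || !mb_check_encoding($value, 'UTF-8')) {
            $errors[$field] = 'missing or not valid UTF-8';
        }
    }
    if ($errors !== []) {
        return $errors;
    }

    // 2. A dropdown is a whitelist: the server re-checks it, because a
    //    direct POST can carry any value regardless of the <select>.
    if (!in_array($post['salutation'], ALLOWED_SALUTATIONS, true)) {
        $errors['salutation'] = 'not one of the allowed values';
    }

    // 3. Free text: trim, bound the length, reject control characters.
    $firstname = trim($post['firstname']);
    if ($firstname === '' || mb_strlen($firstname, 'UTF-8') > MAX_NAME_LENGTH) {
        $errors['firstname'] = 'empty or too long';
    } elseif (preg_match('/\p{Cc}/u', $firstname) === 1) {
        $errors['firstname'] = 'contains control characters';
    }

    // 4. E-mail: syntactic check with PHP's own validator.
    if (filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'not a valid e-mail address';
    }

    return $errors;
}

// Constructed requests. The first is what the browser form would send;
// the second is what a script sends straight to the endpoint, bypassing
// every frontend check.
$fromBrowser = ['salutation' => 'Ms', 'firstname' => 'Anna', 'email' => 'anna@example.com'];
$direct = [
    'salutation' => "<script>alert('XSS');</script>",
    'firstname'  => str_repeat('A', 10000),
    'email'      => 'not-an-address',
];

var_dump(validateCustomerForm($fromBrowser));
var_dump(validateCustomerForm($direct));
```

Validation and escaping are separate steps: a perfectly valid first name such as O'Brien still has to be escaped when it is written into HTML, so passing this validator never removes the need to escape at the point of use.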
38.
Magento 2 Templates XSS security
Type casting and the PHP function count(): output that is already a number cannot carry markup, so a value cast to (int) or (float) and the result of count() need no escaping.
<h1><?php echo (int)$block->getId() ?></h1>
<?php echo count($var); ?>
39.
Output in single or double quotes: a string literal is text the developer wrote, not data, so it needs no escaping. This holds only as long as no variable is interpolated into the string; "Hello $name" is dynamic output again.
<?php echo 'some text' ?>
<?php echo "some text" ?>
40.
Use the escape function that matches the output context. Here the URL goes through escapeXssInUrl(), and the anchor text comes from a method whose name ends in Html: by convention such a method returns HTML that has already been escaped, so the template can echo it directly.
<a href="<?php echo $block->escapeXssInUrl(
$block->getUrl()) ?>">
<?php echo $block->getAnchorTextHtml() ?>
</a>
41.
Use these. Magento's own templates do too:
$block->escapeHtml()
$block->escapeQuote()
$block->escapeUrl()
$block->escapeXssInUrl()
Since Magento 2.2, escapeQuote() and escapeXssInUrl() are deprecated: use escapeHtmlAttr() for attribute values, escapeUrl() for URLs and escapeJs() for values placed inside script.
42.
$block->escapeHtml($data, $allowedTags = null)
Runs htmlspecialchars() over the value; tags named in the optional whitelist (for example ['b', 'br']) are kept as markup, everything else is escaped. It is meant for text in the HTML body: in the 2.0/2.1 implementation it does not encode single quotes, so a value placed inside an attribute needs escapeQuote() instead.
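The escape functions above only help when each one is used for the context its output lands in. The following is an added example, not code from the talk or from Magento's code base: one .phtml template that escapes every dynamic value for its context, with the unescaped version that the static XSS test would flag kept as a comment. It assumes the $block variable Magento's template engine provides, with the block methods as they exist in Magento 2.0/2.1 (the versions the talk covers); getTitle(), getDescription(), getCssClass(), getTargetUrl() and getSearchTerm() are assumed getters on that block, not Magento API.

```php
<?php
/**
 * Added example (not from the talk or Magento): escaping per output
 * context in a .phtml template. The getters getTitle(), getDescription(),
 * getCssClass(), getTargetUrl() and getSearchTerm() are assumptions.
 *
 * @var \Magento\Framework\View\Element\Template $block
 */
?>
<?php
// Unsafe version of the same markup; the static test XssPhtmlTemplateTest
// reports every echo like these because the argument is not recognised
// as safe:
//   <h2><?php echo $block->getTitle() ?></h2>
//   <a href="<?php echo $block->getTargetUrl() ?>">
?>

<?php /* HTML body text: escapeHtml() runs htmlspecialchars() on the value. */ ?>
<h2><?php echo $block->escapeHtml($block->getTitle()) ?></h2>

<?php /* HTML body text where <b> and <br> entered by a merchant may
         render; any other tag in the value is still escaped. */ ?>
<p><?php echo $block->escapeHtml($block->getDescription(), ['b', 'br']) ?></p>

<?php /* Attribute value: escapeQuote() encodes the quote characters that
         would close the attribute (escapeHtmlAttr() from Magento 2.2). */ ?>
<div class="<?php echo $block->escapeQuote($block->getCssClass()) ?>">

    <?php /* URL in href: a javascript: scheme inside the value must not
             survive, which is what escapeXssInUrl() is for. */ ?>
    <a href="<?php echo $block->escapeXssInUrl($block->getTargetUrl()) ?>">
        <?php echo $block->escapeHtml($block->getSearchTerm()) ?>
    </a>

    <?php /* Numbers need no escaping once cast. */ ?>
    <span data-id="<?php echo (int)$block->getId() ?>"></span>
</div>
```

Each value is escaped where it is printed, not where it is read, so the same getter can safely feed an attribute in one place and body text in another.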
48.
Static XSS Test
XssPhtmlTemplateTest.php in dev/tests/static/testsuite/Magento/Test/Php/
It scans every .phtml file for echo and print statements and fails on any whose argument is not one of the safe forms shown above (a cast, count(), an escape function, a string literal or a method whose name ends in Html).
See http://devdocs.magento.com/guides/v2.0/frontend-dev-guide/templates/template-security.html
52.
The weird customers and their data were removed.
Frontend validation was added; a dropdown (whitelist) would have been an option too.
Server-side validation was added.
Output is escaped.
53.
Summary
Think, act and design your software responsibly:
1. Client side validation
2. Server side validation
3. UTF-8 all the way
4. Escape at point of use
5. Use & run tests
54.
Questions?
Right here, right now
or later @rescueAnn