- PDF Free Download

Size: px

Start display at page:

Download "https://tale.sh/mlin17"

Robert Briggs
6 years ago
Views:

1 First Steps to Building Secure Magento Extensions Page 1

2 Talesh Seeparsan CTO Bit79 Page 2

3 There is no such thing as an unhackable site

4 You just need to be able to run faster than your friends

6 PART 1 PART 2 Lower level tools and strategies Useful for building a single extension Use during SDLC Architecture level Useful for planning an entire site build Useful for securing live sites Page 6

7 Theme for our strategies: Don t negatively affect team productivity. Let the computers do the work for us. Page 7

8 Part 1: Securing at a code level

9 Tool #1 : Use PHPCS Scans our code and flags dangerous parts ECG Ruleset understands Magento 2 Comes with built in security scans Page 9

10 $ composer require \ magento-ecg/coding-standard Page 10

11 $ phpcs --config-set installed_paths /./vendor/magento-ecg/coding-standard Page 11

12 $ phpcs --standard=ecgm2 /path/to/code Page 12

13 Page 13

14 Page 14

15 PHPCS Best Practices Run as a git/svn hook automatically Page 15

16 PHPCS Best Practices Fix any issues raised immediately Page 16

17 Tool #2 : OWASP ZAP Scans inputs instead of code Used by Magento HQ Industry standard Page 17

18 XSS attack string <script>alert(document.cookie);</script> Page 18

19 XSS attack string <IMG SRC=&# &# &# &# &# &# &# &# &# &# &# &# &# &# &# &# &# &# &# &# &# &# &# > Page 19

20 OWASP GUI Page 20

21 OWASP ZAP Demo Page 21

22 OWASP ZAP Best Practices Let it run overnight/over the weekend, working while you sleep. Page 22

23 OWASP ZAP Best Practices Create tickets in Asana/Jira for each problem it finds. Page 23

25 Builtin Magento 2 security features And how/when to use them Page 25

26 Use the Magento 2 ORM 26 Handcoded SQL queries Robust framework that facilitates Server side input validation Page 26 Defends against Injection and XSS

27 The Magento 2 Escaper 27 Implementation: /lib/internal/magento/framework/escaper.php Usage: <?php echo $this->escapehtml( ($this->variable);?> Page 27 Defends against XSS

28 CSRF Defense : Anti Forgery Tokens 28 <?php echo $this->getblockhtml('formkey')?> Page 28 Defends against CSRF

29 CSRF explanation 29 Trick an authenticated user to POST information on your site POST Page 29

30 CSRF Defense : Anti Forgery Tokens 30 <?php echo $this->getblockhtml('formkey')?> Page 30 Defends against CSRF

31 CSRF Defense : Anti Forgery Tokens 31 Page 31 Defends against CSRF

32 Pay attention to cookie permissions 32 HttpOnly flag is set on some important cookies eg: admin cookie PHPSESSID cookie X-Magento-Vary cookie Secure flag is set on some important cookies eg: admin cookie X-Magento-Vary cookie Page 32 Defends against Broken Authentication

33 Rely on the CustomerSession Object 33 public function construct( Context $context, CustomerSession $customersession ) { parent:: construct($context, $customersession); } Page 33 Defends against risks: Insecure Direct object references Missing function Access control

34 Don t roll your own Crypto! 34 <field id="password" translate="label" type="obscure" showinstore="0 > <label>password</label> <backend_model>magento\config\model\config\backend\encrypted</backend_model> </field> Defends against risks: Security Misconfigurations Sensitive data exposure Missing function level access control Page 34

36 Part 2: Securing at an architecture level

37 Patches Subscribe to Patch quickly, plan your time for patches Easiest way to get hacked Page 37

38 Production is sacrosanct No unecessary files there No DB backups No git/svn data No test files No file backups File permissions must be impeccable No unnecessary tools like Magmi Page 38

39 Magento Malware scanner wget git.io/mwscan.txt grep -Erlf mwscan.txt /path/to/magento Page 39

40 Magento Security Council Promotes & facilitates secure Magento stores globally. Page 40

41 External Site scanners Magento Security Scan from Magento Inc. (currently in Beta) ( Page 41

42 Keep your Admin URL random Use the randomly generated one in Magento 2 Generate your own in Magento 1 Don t use /admin /console /backoffice or anything similar Consider limiting access via IP Whitelist or even VPN Page 42

43 2FA for your admin URL Page 43

44 Check your composer for known vulnerabilities Upload your composer.lock file on php checker security:check /path/to/composer.lock Page 44

45 Stronger password hashing Page 45

47 PROCESS > TOOLS Page 47

48 PEOPLE > PROCESS > TOOLS Page 48

50 Page 50

51 धन यव द Thank you Page 51

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Attacks Against Websites 3 The OWASP Top 10 Tom Chothia Computer Security, Lecture 14 OWASP top 10. The Open Web Application Security Project Open public effort to improve web security: Many useful documents.