Join us in Ibiza, June 4th – 7th 2011.
Security • Dmitriy Vasilenko <dimav@magento.com> • Technical Project Manager
Table of contents • Introduction • Open Web Application Security Project • OWASP TOP 10 List • Common issues in Web Applications • XSS Injection • Malicious file upload/execution • SQL Injection • 3rd party integrations • Magento Security Management
Introduction A vulnerability is a hole or a weakness in the application, which can be a design flaw or an implementation bug, that allows an attacker to cause harm to the stakeholders of an application. Stakeholders include the application owner, application users, and other entities that rely on the application.
Open Web Application Security Project The Open Web Application Security Project (OWASP, http://owasp.org/) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software. OWASP's mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. Everyone is free to participate in OWASP, and all OWASP materials are available under a free and open software license.
OWASP TOP 10 List The OWASP Top Ten provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are. Project members include a variety of security experts from around the world who have shared their expertise to produce this list.
OWASP TOP 10 List A1: Injection A2: Cross-Site Scripting (XSS) A3: Broken Authentication and Session Management A4: Insecure Direct Object References A5: Cross-Site Request Forgery (CSRF) A6: Security Misconfiguration A7: Insecure Cryptographic Storage A8: Failure to Restrict URL Access A9: Insufficient Transport Layer Protection A10: Unvalidated Redirects and Forwards
OWASP TOP 10 List The OWASP Top 10 list gets updated each year, as new types of attacks appear or existing ones gain popularity. Entries from past years can still be found in modern web applications and exploited at any time; for example, A3 from the 2007 Top 10: Malicious File Execution.
Common issues in Web Applications • XSS Injection • Malicious file upload/execution • SQL Injection • 3rd party integrations
XSS Injection XSS flaws occur whenever an application takes user-supplied data and sends it to a web browser without first validating or encoding that content. XSS allows an attacker to execute script in the victim's browser • Attacker stores malicious code in the vulnerable page • User authenticates to the application • User visits the vulnerable page • Malicious code is executed by the user's browser
XSS Injection Demonstration of XSS injection from the frontend • A frontend user enters malicious code on the frontend • An admin user, suspecting nothing, views the unsanitized data
XSS Injection So how to prevent it? • If possible, sanitize data on input • Always escape special characters on output in templates • Use white-box testing: every variable used in input forms should be analyzed • Remember that stored XSS does not need a malicious link to be exploited; successful exploitation occurs when a user simply visits a page containing the stored XSS
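The "escape on output" advice, as an added example that is not part of the slides: the same stored value rendered raw and then escaped for each output context it may land in. The stored value is constructed; in Magento 1 templates the block's escapeHtml() covers the HTML case.

```php
<?php
// Added example (not from the slides): escape user-supplied data per output
// context instead of echoing it raw. The stored value is constructed and
// stands in for something a frontend customer saved (review, address, etc.).
$stored = '<img src=x onerror="alert(1)"> & "quoted"';

// Vulnerable: a raw echo lets stored markup run in the admin's browser.
function renderUnsafe(string $value): string
{
    return "<td>$value</td>";
}

// HTML body and attribute context: &, <, >, " and ' become entities.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// JavaScript string context: json_encode with the HEX flags keeps the
// value inert even when it is embedded inside a <script> block.
function escapeJs(string $value): string
{
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// URL query context: percent-encode so the value cannot break out of the URL.
function escapeUrlParam(string $value): string
{
    return rawurlencode($value);
}

echo renderUnsafe($stored), PHP_EOL;                              // markup left intact
echo '<td>', escapeHtml($stored), '</td>', PHP_EOL;               // body context
echo '<input value="', escapeHtml($stored), '">', PHP_EOL;        // attribute context
echo '<script>var v = ', escapeJs($stored), ';</script>', PHP_EOL; // JS string context
echo '<a href="/search?q=', escapeUrlParam($stored), '">q</a>', PHP_EOL; // URL context
```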
Malicious file upload/execution An attacker can upload a script to the server as an ordinary customer and execute it, or an admin user may even execute it without knowing that it is a script. Such a script runs with the permissions of the HTTP server and can • Delete files on the server • Inject malicious data into the source code • Read the contents of the local.xml file • Etc.
Malicious file upload/execution Demonstration scenario of a malicious file upload attack • Upload a modified .htaccess file • Upload an executable script (PHP, Perl, etc.) • Execute the malicious script on the backend
Malicious file upload/execution So how to prevent it? • Always check whether the file extension is allowed for upload • If possible, never give users the ability to upload files with extensions like ".htaccess", ".php", ".pl" and similar • Reject relative paths like "../../../folder", except in the places where they are necessary
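The three checks above combined into one upload validator, as an added example that is not part of the slides. The upload directory, the allow-lists and the demo file are assumptions for this example; the only requirement on the directory is that the web server does not execute scripts from it.

```php
<?php
// Added example (not from the slides): validate an upload before storing it.
// The upload directory and allow-lists are assumptions for this demo.
const UPLOAD_DIR   = '/var/www/magento/media/customer_uploads'; // assumed; no script execution here
const ALLOWED_EXT  = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];
const ALLOWED_MIME = ['image/jpeg', 'image/png', 'image/gif', 'application/pdf'];

// Returns the path the file may be saved to, or null when it must be rejected.
// $clientName is the browser-supplied name ($_FILES['f']['name']) and $tmpPath
// the temporary file PHP wrote ($_FILES['f']['tmp_name']).
function validateUpload(string $clientName, string $tmpPath): ?string
{
    // Drop any directory part: "../../../folder/x.png" becomes "x.png".
    $base = basename(str_replace('\\', '/', $clientName));

    // Reject dotfiles such as ".htaccess" and names without an extension.
    if ($base === '' || $base[0] === '.' || strpos($base, '.') === false) {
        return null;
    }

    // Check every dotted segment, not only the last one, so "shell.php.png"
    // is rejected (conservative: "photo.2011.png" is rejected as well).
    $segments = array_slice(explode('.', strtolower($base)), 1);
    foreach ($segments as $segment) {
        if (!in_array($segment, ALLOWED_EXT, true)) {
            return null;
        }
    }

    // Check the real content type; the client-supplied one is untrusted.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if (!in_array($mime, ALLOWED_MIME, true)) {
        return null;
    }

    // Never reuse the client name on disk: random name plus the verified extension.
    return UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . end($segments);
}

// Constructed demo input: a file that starts with the PNG signature and IHDR chunk.
$tmp = tempnam(sys_get_temp_dir(), 'upl');
file_put_contents($tmp, "\x89PNG\r\n\x1a\n\0\0\0\x0dIHDR" . str_repeat("\0", 17));
var_dump(validateUpload('../../../shop.png', $tmp)); // traversal stripped, PNG verified
var_dump(validateUpload('.htaccess', $tmp));         // dotfile
var_dump(validateUpload('shell.php.png', $tmp));     // inner "php" segment
unlink($tmp);
```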
SQL Injection Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker's hostile data tricks the interpreter into executing unintended commands or changing data.
SQL Injection Usually any database manipulation becomes possible • Deleting values or rows, dropping tables • Updating (changing) values in the DB, for example changing the admin password, updating reward points / store credit balances, etc.
SQL Injection Demonstration of SQL injection from the frontend side • Determining that data is not validated on the backend • A frontend user can execute any kind of SQL query
SQL Injection So how to prevent it? • Parameter values in SQL statements should be quoted • Single and double quotes in values should be escaped • Minimize the number of places where data from user input is inserted directly into the SQL query • If a parameter can only have a numeric value, convert it to integer/float before inserting it into the SQL query
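The quoting and integer-conversion advice, as an added example that is not part of the slides: the same customer lookup written with string concatenation and with bound parameters. It uses an in-memory SQLite database with constructed rows so it runs without a Magento install; Magento's Zend_Db adapter offers quoteInto() and bound parameters for the same purpose.

```php
<?php
// Added example (not from the slides): the same lookup built by string
// concatenation and with a prepared statement, against constructed rows
// in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE customer (entity_id INTEGER, email TEXT, reward_points INTEGER)');
$db->exec("INSERT INTO customer VALUES (1, 'alice@example.com', 120), (2, 'bob@example.com', 40)");

// Vulnerable: user input becomes part of the SQL text, so a tautology such
// as  ' OR '1'='1  changes the WHERE clause instead of being compared to it.
function findByEmailUnsafe(PDO $db, string $email): array
{
    $sql = "SELECT entity_id, email FROM customer WHERE email = '$email'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the value travels as a bound parameter and can never alter the
// query structure, whatever quotes or keywords it contains.
function findByEmail(PDO $db, string $email): array
{
    $stmt = $db->prepare('SELECT entity_id, email FROM customer WHERE email = :email');
    $stmt->execute([':email' => $email]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Numeric parameter: cast first (the slide's "convert to integer/float"
// advice) so only a number can reach the query, and still bind it.
function findById(PDO $db, $id): ?array
{
    $stmt = $db->prepare('SELECT entity_id, email FROM customer WHERE entity_id = ?');
    $stmt->execute([(int) $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$payload = "' OR '1'='1";
printf("unsafe:   %d rows\n", count(findByEmailUnsafe($db, $payload))); // tautology is live SQL
printf("prepared: %d rows\n", count(findByEmail($db, $payload)));       // payload is a literal
var_dump(findById($db, '1 OR 1=1'));                                    // (int) keeps only the 1
```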
3rd party integrations Most eCommerce solutions require integration with 3rd party systems like • ERP systems • CRM systems As a result of an incorrect implementation • Sensitive information about your client or their customers could be exposed to an attacker • An attacker can change the workflow in the system for their own needs
3rd party integrations How to prevent it? • If the 3rd party system supports secret keys/words/hashes/etc., always validate these parameters on each request • Don't place export files with sensitive information into folders accessible through the web • If possible, accept connections only from a certain IP range
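The first and third points above in code, as an added example that is not part of the slides: an endpoint check that accepts an ERP/CRM callback only from an allowed IPv4 range and only with a fresh, valid HMAC over the request. The shared secret, IP range, path and request body are constructed for this demo; 64-bit PHP is assumed for the mask arithmetic.

```php
<?php
// Added example (not from the slides): validating a request from an external
// ERP/CRM system before acting on it. Secret, IP range, path and body are
// constructed for this demo; the secret is kept server-side, never in a URL.
const SHARED_SECRET = 'example-shared-secret-change-me'; // assumed
const ALLOWED_CIDR  = '203.0.113.0/24';                   // assumed (documentation range)
const MAX_SKEW      = 300;                                 // seconds a signed request stays valid

// True when IPv4 $ip lies inside the $cidr block (64-bit PHP assumed).
function ipInCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr);
    $mask = $bits === '0' ? 0 : (~0 << (32 - (int) $bits)) & 0xFFFFFFFF;
    return (ip2long($ip) & $mask) === (ip2long($net) & $mask);
}

// Checks source IP, timestamp freshness and an HMAC over method, path,
// timestamp and body; hash_equals() compares without leaking timing.
function verifyIntegrationRequest(string $ip, string $method, string $path, string $body,
                                  string $timestamp, string $signature, int $now): bool
{
    if (!ipInCidr($ip, ALLOWED_CIDR)) {
        return false;                                    // unexpected source network
    }
    if (!ctype_digit($timestamp) || abs($now - (int) $timestamp) > MAX_SKEW) {
        return false;                                    // stale: bounds replay of a captured request
    }
    $canonical = "$method\n$path\n$timestamp\n$body";
    $expected  = hash_hmac('sha256', $canonical, SHARED_SECRET);
    return hash_equals($expected, $signature);
}

// Constructed request as the ERP system would send it.
$now      = 1700000000;
$path     = '/api/orders/status';
$body     = '{"order_id": 100000042, "status": "shipped"}';
$sig      = hash_hmac('sha256', "POST\n$path\n$now\n$body", SHARED_SECRET);
$tampered = str_replace('shipped', 'refunded', $body);

var_dump(verifyIntegrationRequest('203.0.113.10', 'POST', $path, $body, "$now", $sig, $now));        // genuine
var_dump(verifyIntegrationRequest('198.51.100.7', 'POST', $path, $body, "$now", $sig, $now));        // wrong source
var_dump(verifyIntegrationRequest('203.0.113.10', 'POST', $path, $tampered, "$now", $sig, $now));    // body changed
var_dump(verifyIntegrationRequest('203.0.113.10', 'POST', $path, $body, "$now", $sig, $now + 3600)); // an hour old
```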
Magento Security Management How we deal with everything in Magento… • Code review • Dedicated "A-Team" • Information and education inside the company • Additional code review of new functionality • Communication • security@magento.com • http://www.magentocommerce.com/company/contact-us