Modified "Secure input and output handling talk" for the Magento Stammtisch/Meetup in Vienna on February 24th, 2016

1. Secure input and
output handling
How not to suck at data validation and
output encoding
Magento Meetup
Vienna Edition

2. Developer edition
http://de.slideshare.net/avoelkl/secure-input-and-output-handling-57946042

3. Anna Völkl / @rescueAnn
 Hi, I'm Anna. http://anna.voelkl.at
 I'm a Magento Certified Developer.
5 years Magento, Java/PHP since 2004
 I love IT & Telecommunication and IT- & Information-
Security. 
 I work at LimeSoda. E-Commerce Agency in Vienna/AT

4. Once upon a time...

6. academic titles?!
Teamwork also involves being a good teammate, which is why we are very proud
シャネル デコ
FC Barcelona and was presenting partner of the Fan Zone event prior to the gamehqn
Лечебные грязи Сакского озера
Trying to find for a approach to raise male power and endurance.
New year2013 best now41
Импотенция вы поглядите !
how to write an essay explaining why you deserve a scholarship
Sophisticated
Men
High-heeled shoes
A Wise Choice
http://onemilliondollarhomepage.ru/
how to write up divorce paper
write your name really cool
shady lady free download
driver samsung hd160jj p

7. Our daily business

8. Input

Process

Output

10. Security-Technology, Department of Defense Computer
Security Initiative, 1980

11. Wep Application Security Risks
1)Injection
2)Broken Authentication and Session
Management
3)Cross Site Scripting (XSS)
https://www.owasp.org/index.php/Top10#OWASP_Top_10_for_2013

12. Stop „Last Minute Security“
●
Do the coding, spend last X hours on „making it
secure“
●
Secure coding doesn't really take longer
●
Data quality  software quality  security
●
Always keep security in mind

13. Every feature adds a risk.

Every input/output adds a risk.

14. http://blogs.technet.com/b/rhalbheer/archive/2011/01/14/real-physical-security.aspx

15. Input

16. Frontend input validation
●
User experience
●
Stop unwanted input when it occurs
●
Do not bother your server with crazy input

17. Frontend input validation
●
User experience
●
Stop unwanted input when it occurs
●
Do not bother your server with crazy input
  

18. Frontend input validation

19. Frontend input validation
●
User experience
●
Stop unwanted input when it occurs
●
Do not bother your server with crazy input
●
Only store, what you expect
Don't fill up your database with garbage.

20. Magento Frontend Validation
Magento 1 (51 validation rules)
js/prototype/validation.js
Magento 2 (74 validation rules)
app/code/Magento/Ui/view/base/web/js/lib/validati
on/rules.js

21. app/code/Magento/Ui/view/base/web/js/lib/validation/rules.js
min_text_length
max_text_length
max-words
min-words
range-words
letters-with-basic-punc
alphanumeric
letters-only
no-whitespace
zip-range
integer
vinUS
dateITA
dateNL
time
time12h
phoneUS
phoneUK
mobileUK
stripped-min-length
email2
url2
credit-card-types
ipv4
ipv6
pattern
validate-no-html-tags
validate-select
validate-no-empty
validate-alphanum-with-spaces
validate-data
validate-street
validate-phoneStrict
validate-phoneLax
validate-fax
validate-email
validate-emailSender
validate-password
validate-admin-password
validate-url
validate-clean-url
validate-xml-identifier
validate-ssn
validate-zip-us
validate-date-au
validate-currency-dollar
validate-not-negative-number
validate-zero-or-greater
validate-greater-than-zero
validate-css-length
validate-number
validate-number-range
validate-digits
validate-digits-range
validate-range
validate-alpha
validate-code
validate-alphanum
validate-date
validate-identifier
validate-zip-international
validate-state
less-than-equals-to
greater-than-equals-to
validate-emails
validate-cc-number
validate-cc-ukss
required-entry
checked
not-negative-amount
validate-per-page-value-list
validate-new-password
validate-item-quantity
equalTo

22. Add your own validator
define([
'jquery',
'jquery/ui',
'jquery/validate',
'mage/translate'
], function ($) {
$.validator.addMethod('validate-custom-name',
function (value) {
return (value !== 'anna');
}, $.mage.__('Enter valid name'));
});
M
2

23. M
2

24. <form>
<div class="field required">
<input type="email" id="email_address"
data-validate="{required:true, 'validate-
email':true}"
aria-required="true">
</div>
</form>
M
2

25. Why frontend validation is not enough...
https://quadhead.de/cola-hack-sicherheitsluecke-auf-meinecoke-de/

26. Don't trust the user.
Don't trust the input!

27. Why validate input?
User form input
Database query results
Web Services
Server variables
Cookies

28. Validate input rules
Magento 1
Mage_Eav_Attribute_Data_Abstract
Magento 2
MagentoEavModelAttributeDataAbstractData

29. MagentoEavModelAttributeDataAbstractData
Input Validation Rules
– alphanumeric
– numeric
– alpha
– email
– url
– date
M
2

30. ZendValidator
Standard Validation Classes
Alnum Validator
Alpha Validator
Barcode Validator
Between Validator
Callback Validator
CreditCard Validator
Date Validator
DbRecordExists and
DbNoRecordExists
Validators
Digits Validator
EmailAddress
Validator
File Validation Classes
GreaterThan Validator
Hex Validator
Hostname Validator
Iban Validator
Identical Validator
InArray Validator
Ip Validator
Isbn Validator
IsFloat
IsInt
LessThan Validator
NotEmpty Validator
PostCode Validator
Regex Validator
Sitemap Validators
Step Validator
StringLength Validator
Timezone Validator
Uri Validator

31. Output

32. Is input validation not enough?
●
Cross Site Scripting (XSS)
– Protect your users
– Protect yourself!
●
Store escaped data?
– Prepare the data where it's needed!

33. Use
$block->escapeHtml()
$block->escapeQuote()
$block->escapeUrl()
$block->escapeXssInUrl()
...also Magento does it!

34. Magento 2 Templates XSS security
<?php echo $block->getTitleHtml() ?>
<?php echo $block->getHtmlTitle() ?>
<?php echo $block->escapeHtml($block->getTitle()) ?>
<h1><?php echo (int)$block->getId() ?></h1>
<?php echo count($var); ?>
<?php echo 'some text' ?>
<?php echo "some text" ?>
<a href="<?php echo $block->escapeXssInUrl(
$block->getUrl()) ?>">
<?php echo $block->getAnchorTextHtml() ?>
</a>
Taken from http://devdocs.magento.com/guides/v2.0/frontend-dev-guide/templates/template-security.html

35. Magento 2 Templates XSS security
●
Static Test: XssPhtmlTemplateTest.php in
devtestsstatictestsuiteMagentoTestPhp
●
See
http://devdocs.magento.com/guides/v2.0/frontend-
dev-guide/templates/template-security.html

36. magento dev:tests:run static

37. What happend to the little
attribute?

38. ●
Weird customers and customer data was removed
●
Frontend validation added
•
Dropdown (whitelist) would have been an option too
●
Server side validation added
●
Output escaped

39. Summary
Think, act and design your software responsibly:
1) UTF-8 all the way
2) Client side validation, filter input
3) Server side validation
4) Data storage (database column size,...)
5) Escape output
6) Run tests

40. </happy>

41. Thank you!
Questions?
@rescueAnn
a.voelkl@limesoda.com