Updated version of my "Secure input and output handling" talk for the ViennaPHP Meetup on March 23rd, 2016

1. Secure input and
output handling
How not to suck at data
validation and output

2. Anna Völkl / @rescueAnn
 Hi, I'm Anna. http://anna.voelkl.at
 I'm a Magento Certified Developer.
5 years Magento, Java/PHP since 2004
 I love IT & Telecommunication and IT- & Information-
Security. 
 I work at . Web Agency in Vienna/AT

3. What is Magento?
●
eCommerce Plaform
●
Initial release 2008
●
Varien  eBay  Permira private equity fund
●
Editions
– Community Edition (CE, Open Source)
– Enterprise Edition (EE)
●
Matthias Talk
– https://github.com/viennaphp/talks/blob/master/201505/01-outlook-on-magento-2.pdf

4. What is Magento?
http://blog.aheadworks.com/2016/03/magento-2-contributes-to-the-global-ecommerce-platforms-market/

5. Why is Magento cool?
●
Feature rich
●
Highly customizeable
●
Multiple stores/languages/currencies
●
Medium-large enterprises, Small-Business Team
●
Very active developer community
(magento.stackexchange.com, Twitter, Slack, IRC,
official Forum, Reddit,...)
●
Magento 2 ;-)

6. Magento 2

7. Magento 2 technology stack
●
Apache 2.x/Nginx 1.7+
●
PHP 5.5, 5.6x, 7.0
●
MySQL 5.6.x/MySQL Percona 5.6.x
●
Optional
– Varnish 3.x/4.x
– Redis 2.x/3.x, Memcache 1.4.x (Cache Storage)
– Solr 4.x (ElasticSearch planned)

8. Magento 2 technology stack
●
HTML 5, CSS 3 (LESS)
●
Jquery, RequireJS
●
Zend Framework 1, Zend Framework 2, Symfony
●
Coding standards PSR-0 (autoloading standard),
PSR-1 (basic coding standards), and PSR-2 (coding
style guide), PSR-3, PSR-4
●
Composer (dependency management)

9. Magento 2 testing
●
Automated testing suite
– Integration
– Functional areas
– Performance
●
PHPUnit (unit tests)
●
Selenium (functional tests)

10. Once upon a time...

11. academic titles?!
Teamwork also involves being a good teammate, which is why we are very proud
シャネル デコ
FC Barcelona and was presenting partner of the Fan Zone event prior to the gamehqn
Лечебные грязи Сакского озера
Trying to find for a approach to raise male power and endurance.
New year2013 best now41
Импотенция вы поглядите !
how to write an essay explaining why you deserve a scholarship
Sophisticated
Men
High-heeled shoes
A Wise Choice
http://onemilliondollarhomepage.ru/
how to write up divorce paper
write your name really cool
shady lady free download
driver samsung hd160jj p

12. Our daily business

13. Input

Process

Output

14. Security-Technology, Department of Defense Computer
Security Initiative, 1980

15. OWASP Top 10
1) Injection
2)Broken Authentication and
Session Management
3)Cross Site Scripting (XSS)
4)Insecure Direct Object
References
5)Security Misconfiguration
6)Sensitive Data Exposure
7)Missing Function Level
Access Control
8)Cross-Site Request Forgery
(CSRF)
9)Using Components with
known Vulnerabilities
10)Unvalidated Redirects and
Forwards

16. Stop „Last Minute Security“
●
Do the coding, spend last X hours on „making it
secure“
●
Secure coding doesn't really take longer
●
Data quality  software quality  security
●
Always keep security in mind

17. Every feature adds a risk.

Every input/output adds a risk.

18. http://blogs.technet.com/b/rhalbheer/archive/2011/01/14/real-physical-security.aspx

19. Input

20. Frontend input validation
●
User experience
●
Stop unwanted input when it occurs
●
Do not bother your server with crazy input
●
Only store, what you expect
Don't fill up your database with garbage.

21. Magento Frontend Validation
Magento 1 (51 validation rules)
js/prototype/validation.js
Magento 2 (74 validation rules)
app/code/Magento/Ui/view/base/web/js/lib/validati
on/rules.js

22. app/code/Magento/Ui/view/base/web/js/lib/validation/rules.js
min_text_length
max_text_length
max-words
min-words
range-words
letters-with-basic-punc
alphanumeric
letters-only
no-whitespace
zip-range
integer
vinUS
dateITA
dateNL
time
time12h
phoneUS
phoneUK
mobileUK
stripped-min-length
email2
url2
credit-card-types
ipv4
ipv6
pattern
validate-no-html-tags
validate-select
validate-no-empty
validate-alphanum-with-spaces
validate-data
validate-street
validate-phoneStrict
validate-phoneLax
validate-fax
validate-email
validate-emailSender
validate-password
validate-admin-password
validate-url
validate-clean-url
validate-xml-identifier
validate-ssn
validate-zip-us
validate-date-au
validate-currency-dollar
validate-not-negative-number
validate-zero-or-greater
validate-greater-than-zero
validate-css-length
validate-number
validate-number-range
validate-digits
validate-digits-range
validate-range
validate-alpha
validate-code
validate-alphanum
validate-date
validate-identifier
validate-zip-international
validate-state
less-than-equals-to
greater-than-equals-to
validate-emails
validate-cc-number
validate-cc-ukss
required-entry
checked
not-negative-amount
validate-per-page-value-list
validate-new-password
validate-item-quantity
equalTo

23. Add your own validator
define([
'jquery',
'jquery/ui',
'jquery/validate',
'mage/translate'
], function ($) {
$.validator.addMethod('validate-custom-name',
function (value) {
return (value !== 'anna');
}, $.mage.__('Enter valid name'));
});
M
2

24. M
2

25. <form>
<div class="field required">
<input type="email" id="email_address"
data-validate="{required:true, 'validate-
email':true}"
aria-required="true">
</div>
</form>
M
2

26. <form>
<div class="field required">
<input type="email" id="email_address"
data-validate="{required:true, 'validate-
email':true}"
aria-required="true">
</div>
</form>
M
2

27. <form>
<fieldset data-hasrequired="* Required Fields">
<input type="password"
data-validate="{required:true, 'validate-
password':true}" id="password" aria-
required="true">
<input type="password"
data-validate="{required:true,
equalTo:'#password'}" id="password-
confirmation" aria-required="true">
</fieldset>
</form>
M
2

28. <form>
<fieldset data-hasrequired="* Required Fields">
<input type="password"
data-validate="{required:true, 'validate-
password':true}" id="password" aria-
required="true">
<input type="password"
data-validate="{required:true,
equalTo:'#password'}" id="password-
confirmation" aria-required="true">
</fieldset>
</form>
M
2

29. Why frontend validation is not enough...
https://quadhead.de/cola-hack-sicherheitsluecke-auf-meinecoke-de/

30. Don't trust the user.
Don't trust the input!

31. Why validate input?
User form input
Database query results
Web Services
Server variables
Cookies

32. Validate input rules
Magento 1
Mage_Eav_Attribute_Data_Abstract
Magento 2
MagentoEavModelAttributeDataAbstractData

33. MagentoEavModelAttributeDataAbstractData
Input Validation Rules
– alphanumeric
– numeric
– alpha
– email
– url
– date
M
2

34. ZendValidator
Standard Validation Classes
Alnum Validator
Alpha Validator
Barcode Validator
Between Validator
Callback Validator
CreditCard Validator
Date Validator
DbRecordExists and
DbNoRecordExists
Validators
Digits Validator
EmailAddress
Validator
File Validation Classes
GreaterThan Validator
Hex Validator
Hostname Validator
Iban Validator
Identical Validator
InArray Validator
Ip Validator
Isbn Validator
IsFloat
IsInt
LessThan Validator
NotEmpty Validator
PostCode Validator
Regex Validator
Sitemap Validators
Step Validator
StringLength Validator
Timezone Validator
Uri Validator

35. Output

36. Is input validation not enough?
●
XSS
– Protect your users
– Protect yourself!
●
Store escaped data?
– Prepare the data where it's needed!

37. Use
$block->escapeHtml()
$block->escapeQuote()
$block->escapeUrl()
$block->escapeXssInUrl()
...also Magento does it!

38. $block->escapeHtml()
Whitelist: allowed Tags, htmlspecialchars
M
2

39. MagentoFrameworkEscaper
M
2

40. $block->escapeHtml()
Whitelist: allowed Tags, htmlspecialchars
$block->escapeQuote()
Escape quotes inside html attributes
$addSlashes = false for escaping js that inside html
attribute (onClick, onSubmit etc)
M
2

41. $block->escapeUrl()
Escape HTML entities in URL
(htmlspecialchars)
$block->escapeXssInUrl()
eliminating 'javascript' +
htmlspecialchars
M
2

42. Magento 2 Templates XSS security
<?php echo $block->getTitleHtml() ?>
<?php echo $block->getHtmlTitle() ?>
<?php echo $block->escapeHtml($block->getTitle()) ?>
<h1><?php echo (int)$block->getId() ?></h1>
<?php echo count($var); ?>
<?php echo 'some text' ?>
<?php echo "some text" ?>
<a href="<?php echo $block->escapeXssInUrl(
$block->getUrl()) ?>">
<?php echo $block->getAnchorTextHtml() ?>
</a>
Taken from http://devdocs.magento.com/guides/v2.0/frontend-dev-guide/templates/template-security.html

43. Magento 2 Templates XSS security
●
Static Test: XssPhtmlTemplateTest.php in
devtestsstatictestsuiteMagentoTestPhp
●
See
http://devdocs.magento.com/guides/v2.0/frontend-
dev-guide/templates/template-security.html

44. magento dev:tests:run static

45. What happend to the little
attribute?

46. ●
Weird customers and customer data was removed
●
Frontend validation added
•
Dropdown (whitelist) would have been an option too
●
Server side validation added
●
Output escaped

47. Summary
Think, act and design your software responsibly:
1) UTF-8 all the way
2) Client side validation, filter input
3) Server side validation
4) Data storage (database column size,...)
5) Escape output
6) Run tests

48. </happy>

49. Thank you!
Questions?
@rescueAnn
anna@voelkl.at