How not to suck at data validation and output: Security is an important aspect of web application development. In this talk we’ll have a look at the methods and ways Magento 1 and 2 provide to increase security.
If you attended the talk, please leave a review here: https://joind.in/event/mage-titans-mcr
Secure input and output handling - Mage Titans Manchester 2016
2. Hi, I’m Anna!
I do Magento things
6 years of Magento, PHP since 2004
I love IT & Information Security
Magento Security Best Practises, anyone?!
I work at E-CONOMIX
Magento & Typo3 ❤ Linz, Austria
3. What this talk is all about:
★ Cross-Site Scripting (XSS)
★ Frontend input validation
★ Backend input validation
★ Output escaping
11. “XSS flaws occur whenever an application takes
untrusted data and sends it to a web browser without
proper validation or escaping. XSS allows attackers to
execute scripts in the victim’s browser which can hijack
user sessions, deface web sites, or redirect the user to
malicious sites.”
Source: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
12. 65%
of all websites globally suffer from XSS
Source: http://security.stackexchange.com/questions/129447/why-does-xss-affect-so-many-websites
20. Stop “Last Minute Security”
Do the coding, then spend the last X hours on “making it secure”
Secure coding doesn't really take longer
Data quality ⇔ software quality ⇔ security
Always keep security in mind.
23. Frontend input validation
User experience: tell the user what is wrong before the form is submitted
Stop unwanted input when it occurs
Do not bother your server with crazy input requests
Don't fill up your database with garbage.
It runs in the browser, so it can be bypassed: it complements server-side validation, it does not replace it.
47. Magento\Framework\Escaper
/**
 * Escape string for HTML context. allowedTags will not be escaped, except
 * the following: script, img, embed, iframe, video, source, object, audio
 *
 * @param string|array $data
 * @param array|null $allowedTags
 * @return string|array
 */
public function escapeHtml($data, $allowedTags = null)
{
    ...
}
48. $block->escapeHtml()
String output that should not contain HTML
$block->escapeXssInUrl() ⇒ $block->escapeUrl()
URL output
$block->escapeQuote()
Escape quotes inside HTML attributes
(Magento 2)
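The three contexts the slide distinguishes (HTML body, HTML attribute, URL) need three different escapers, and the URL case is the one people get wrong: HTML-encoding a `javascript:` link changes nothing. The script below is an added example, not code from the talk and not Magento's Escaper; the function names mirror Magento 2's `escapeHtml()`, `escapeHtmlAttr()` and `escapeUrl()`, but the bodies are simplified stand-ins written here so the behaviour can be run with plain PHP, and the product name, tooltip and link values are constructed payloads.

```php
<?php
declare(strict_types=1);

// Added example, not Magento's Escaper and not code from the talk: minimal
// stand-ins for the three escaping contexts the slides name (HTML body, HTML
// attribute, URL). Function names mirror Magento 2's, the bodies are
// simplified assumptions made for this illustration.

// HTML body context: &, <, >, " and ' become entities. ENT_SUBSTITUTE replaces
// invalid UTF-8 sequences with U+FFFD instead of returning '' for the whole
// string, so broken input neither disappears silently nor reaches the browser raw.
function escapeHtml(string $data): string
{
    return htmlspecialchars($data, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// HTML attribute context: the same encoding is sufficient as long as the
// template always puts the value inside quotes. An unquoted attribute ends at
// the first space and no escaper can repair that, so the template side matters.
function escapeHtmlAttr(string $data): string
{
    return escapeHtml($data);
}

// URL context (href, src): HTML encoding alone is useless here, because
// "javascript:alert(1)" contains no HTML-special character and survives
// escapeHtml unchanged. Browsers strip leading/trailing controls and ignore
// tab/CR/LF inside the scheme, so "java\tscript:" must count as "javascript:".
// Allow only http(s) and relative URLs, then HTML-encode for the attribute.
function escapeUrl(string $url): string
{
    // Same normalisation the browser applies before it looks for a scheme.
    $clean = str_replace(["\t", "\n", "\r"], '', trim($url, "\x00..\x20"));
    if (preg_match('/^([a-z][a-z0-9+.-]*):/i', $clean, $m)) {
        $scheme = strtolower($m[1]);
        if ($scheme !== 'http' && $scheme !== 'https') {
            return ''; // unsupported scheme (javascript:, data:, vbscript:, ...): drop the target
        }
    }
    return escapeHtml($clean);
}

// The same untrusted values rendered into a small template, raw vs. escaped
// per context (what a .phtml template does with $block->escape*()).
function renderProductLink(string $name, string $tooltip, string $link, bool $escape): string
{
    if (!$escape) {
        return '<a href="' . $link . '" title="' . $tooltip . '">' . $name . '</a>';
    }
    return '<a href="' . escapeUrl($link) . '" title="' . escapeHtmlAttr($tooltip) . '">'
        . escapeHtml($name) . '</a>';
}

// Constructed payloads, one per context (example data, not from a real store).
$samples = [
    'body'      => ['<script>alert(document.cookie)</script>', 'hover me', '/catalog/product/view/id/1'],
    'attribute' => ['Shoe', '" onmouseover="alert(1)', '/catalog/product/view/id/1'],
    'url'       => ['Shoe', 'hover me', "java\tscript:alert(document.cookie)"],
    'utf8'      => ["Caf\xC3\xA9 \xFF", 'hover me', 'https://example.com/?a=1&b=2'],
];

foreach ($samples as $context => [$name, $tooltip, $link]) {
    echo "[$context] raw:     ", renderProductLink($name, $tooltip, $link, false), PHP_EOL;
    echo "[$context] escaped: ", renderProductLink($name, $tooltip, $link, true), PHP_EOL, PHP_EOL;
}
```

Run it with `php` and compare the raw and escaped lines: the body and attribute payloads come out as entities, the tab-split `javascript:` link is dropped entirely instead of being "encoded", and the invalid byte in the UTF-8 sample is replaced rather than making the whole string vanish. The point to take away is "escape at point of use": the same string needs a different escaper depending on where in the template it lands.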
51. Static XSS Test
XssPhtmlTemplateTest.php in
dev/tests/static/testsuite/Magento/Test/Php
See
http://devdocs.magento.com/guides/v2.0/frontend-dev-guide/templates/template-security.html
55. Weird customers and their customer data were removed
Frontend validation added. A dropdown (whitelist) would have been an option too
Server-side validation added
Output escaped
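The server-side part of that fix, as an added example that is not code from the talk or from Magento: a validator for a hypothetical customer form with the two kinds of field the slide mentions, a dropdown whose value must come from a whitelist and a free-text field that must be a string, valid UTF-8, free of control characters and bounded in characters rather than bytes. The field names (`salutation`, `company`), the allowed values and the sample requests are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the talk or from Magento: server-side
// validation for a hypothetical customer form. Field names, allowed values
// and limits are assumptions made for this illustration.

const ALLOWED_SALUTATIONS = ['mr', 'mrs', 'mx'];
const COMPANY_MAX_CHARS = 64;

/**
 * Returns a list of error messages; an empty list means the input is acceptable.
 * Validation rejects, it does not "clean": the caller stores the original data or nothing.
 * It also does not escape: "Smith & Sons <Ltd>" is legitimate input and is
 * escaped at the point of use when it is rendered, not here.
 */
function validateCustomerInput(array $input): array
{
    $errors = [];

    // Dropdown: the only acceptable values are the ones the form offers.
    // The <select> in the browser does not enforce this, a crafted POST can send anything.
    $salutation = $input['salutation'] ?? null;
    if (!is_string($salutation) || !in_array($salutation, ALLOWED_SALUTATIONS, true)) {
        $errors[] = 'salutation: not one of the offered values';
    }

    // Free text: must be a string (PHP hands you an array for "company[]"),
    // valid UTF-8 (invalid sequences are a classic way to sneak bytes past later
    // filters), no control characters, and bounded in characters, not bytes,
    // so non-ASCII company names are not rejected for being "too long".
    $company = $input['company'] ?? '';
    if (!is_string($company)) {
        $errors[] = 'company: must be a string';
    } elseif (!mb_check_encoding($company, 'UTF-8')) {
        $errors[] = 'company: not valid UTF-8';
    } elseif (preg_match('/[\x00-\x1f\x7f]/u', $company)) {
        $errors[] = 'company: control characters are not allowed';
    } elseif (mb_strlen($company, 'UTF-8') > COMPANY_MAX_CHARS) {
        $errors[] = 'company: longer than ' . COMPANY_MAX_CHARS . ' characters';
    }

    return $errors;
}

// Constructed requests (example data): what a browser form sends vs. what a
// crafted POST can send once the frontend validation is bypassed.
$requests = [
    'normal form post'                => ['salutation' => 'mrs', 'company' => 'Smith & Sons <Ltd>'],
    'value not in dropdown'           => ['salutation' => '<script>alert(1)</script>', 'company' => 'Acme'],
    'array instead of string'         => ['salutation' => 'mr', 'company' => ['x', 'y']],
    'invalid UTF-8 bytes'             => ['salutation' => 'mr', 'company' => "Acme\xC3\x28"],
    'newline in free text'            => ['salutation' => 'mr', 'company' => "Acme\nInjected"],
    '64 umlauts (128 bytes, allowed)' => ['salutation' => 'mx', 'company' => str_repeat('ä', 64)],
    '65 umlauts (rejected)'           => ['salutation' => 'mx', 'company' => str_repeat('ä', 65)],
];

foreach ($requests as $label => $input) {
    $errors = validateCustomerInput($input);
    echo $label, ': ', $errors === [] ? 'accepted' : implode('; ', $errors), PHP_EOL;
}
```

Only the first and the 64-umlaut request are accepted. The dropdown check is the cheap part and catches the "weird customers" directly; the string, encoding and length checks are what keep the database from filling with garbage that a later template or export then has to cope with.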
56. Summary
Think, act and design your software responsibly:
1. Client side validation
2. Server side validation
3. UTF-8 all the way
4. Escape at point of use
5. Use & run tests