Anna Völkl / @rescueAnn
● Magento Certified Developer
● IT & Telecommunication, IT-Security
● PHP (2004), Magento (2011)
● LimeSoda (Vienna, AT)

Anna Völkl / @rescueAnn
● 200 Magento installations*
● 68 good passwords**
● 10 endless loops***
● 3 forgotten phpinfo.php
● 1 Stroopwafel purchase

* roughly estimated, including test setups
** thanks to KeePass
*** last one 12/2012
Magento Application Security
● Logins & passwords
● Admin backend protected
● SSL installed
…there's more!
Magento Application Security

Software Development Life Cycle
(diagram: the areas where security has to be considered across the life cycle)
● User
● Database, web server
● Version control & delivery
● Requirements
● Software design, development
● Extensions / 3rd party
● Out of service
● Updates & patches
● Logins, passwords
● Web application firewall, firewall
● File owner & permissions
● Config files
● IDS, IPS
Potential attackers
✗ (organized) criminals
✗ Defacers
✗ Script kiddies
✗ Former developers, agencies
✗ Competitors
✗ The merchants themselves
Most critical web application security flaws
A1 Injection
A2 Broken Authentication and Session Management
A3 Cross-Site Scripting (XSS)
A4 Insecure Direct Object References
A5 Security Misconfiguration
More: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Source: OWASP Top 10 2013, https://www.owasp.org/images/4/42/OWASP_Top_10_2013_DE_Version_1_0.pdf (modified version)
Longest place name (1 word):
Taumatawhakatangihangakoauauotamateaturipukakapikimaungahoronukupokaiwhenuakitanatahu (New Zealand, 85 letters)
Be curious! Read, learn, try to understand.
Secure Coding Guidelines: OWASP Secure Coding Practices
Secure Coding
User: is this user allowed to access the resource?
Admins: check the ACL before acting on an admin resource, e.g. in the controller's _isAllowed():

```php
// Magento 1 admin ACL check: returns true only if the current admin user's
// role grants the 'admin/sales/order/actions/create' resource.
Mage::getSingleton('admin/session')
    ->isAllowed('admin/sales/order/actions/create');
```
Secure Coding
● PHP_CodeSniffer
● Magento ECG Coding Standard
● Dependencies: SensioLabs composer.lock check
Security Testing
Block access to:
● .git, .git/config
● composer.lock
● Standard /admin path
● /downloader
● app/etc/local.xml
● Logfiles
● phpinfo.php
● Database dumps: livedb.sql.gz
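To check whether the artefacts listed above were ever served by your own shop, here is an added example (not from the slides) that scans web server access-log lines in common log format and separates requests that got a 2xx (exposed, block it) from those already refused. The log lines are constructed samples; the path list is taken from the slide, with var/log/ standing in for "Logfiles".

```python
import re

# Paths from the slide that a Magento 1 web server must not serve:
# exact files, directory prefixes and dump/log file suffixes.
SENSITIVE_EXACT = {"/.git/config", "/composer.lock", "/app/etc/local.xml", "/phpinfo.php"}
SENSITIVE_PREFIXES = ("/.git/", "/downloader/", "/var/log/")
SENSITIVE_SUFFIXES = (".sql.gz", ".sql", ".log")

# Common log format: host ident user [time] "METHOD path PROTO" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2015:12:00:01 +0100] "GET /.git/config HTTP/1.1" 200 312',
    '203.0.113.5 - - [10/Mar/2015:12:00:02 +0100] "GET /app/etc/local.xml HTTP/1.1" 403 0',
    '198.51.100.7 - - [10/Mar/2015:12:00:03 +0100] "GET /livedb.sql.gz HTTP/1.1" 200 98211',
    '198.51.100.7 - - [10/Mar/2015:12:00:04 +0100] "GET /index.php/customer/account/ HTTP/1.1" 200 5120',
    '192.0.2.9 - - [10/Mar/2015:12:00:05 +0100] "GET /downloader/ HTTP/1.1" 404 0',
]

def is_sensitive(path):
    """True if the request path points at one of the artefacts listed on the slide."""
    path = path.split("?", 1)[0].lower()  # ignore query string, match case-insensitively
    if path in SENSITIVE_EXACT:
        return True
    return path.startswith(SENSITIVE_PREFIXES) or path.endswith(SENSITIVE_SUFFIXES)

def scan_log(lines):
    """Return (exposed, blocked): (client, path) pairs for sensitive requests
    that were served with a 2xx versus refused (403, 404, ...)."""
    exposed, blocked = [], []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in common log format, skip
        client, _method, path, status = m.groups()
        if not is_sensitive(path):
            continue
        (exposed if status.startswith("2") else blocked).append((client, path))
    return exposed, blocked

if __name__ == "__main__":
    exposed, blocked = scan_log(SAMPLE_LOG)
    for client, path in exposed:
        print("EXPOSED (served with 2xx, block it):", client, path)
    for client, path in blocked:
        print("already refused:", client, path)
```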
Patch!
● Magento Community Edition 1.9.1.1 & Enterprise Edition 1.14.2 contain SUPEE-5344
● Magento Shoplift Bug Tester: https://shoplift.byte.nl
● Coming soon: Magento Alert Registry
● @magesecurity