mm13de_tech en.pdf - Fabian Blechschmidt
Web- and Magento-Security
Fabian Blechschmidt
& Bastian Ike
Tuesday, 4 June 13
Security
Who we are
Bastian Ike
2006: Security
2011: Certification
2012: Talks at Imagine, Meet-Magento, Developers Paradise
Fabian Blechschmidt
2011: Certification
2010: Security-Extensions
2013: Talk at Imagine
Security? Again!?
• Insecure community modules
• Attackable payment gateways
– PayPal
– GoogleCheckout
– Moneybookers
Security? Sure!
• Plan your software
• Think about it from the beginning
• Think first, code afterwards
Conceptual problems
• insecure object references
• blind trust in third-party extensions
• open redirect
Problems in PHP
strcmp("foo", "bar") !== 0
strcmp(array(), "something") === NULL
md5("240610708") == "0e462097431906509019562988736854"
md5("240610708") == "0"
=== instead of ==
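As an added example, not from the slides, the following PHP shows the loose-comparison pitfalls above in a token check, beside a strict version that avoids them; it assumes PHP 5.6 or newer for hash_equals(), and the function names and sample inputs are constructed for the demo.

```php
<?php
// Added example (not from the slides): loose vs. strict comparison of a
// submitted token against a stored md5 hex digest. Assumes PHP >= 5.6.

// md5("240610708") is "0e462097431906509019562988736854": a leading "0e"
// followed only by digits, so PHP reads it as the numeric string 0e462... ,
// which equals 0.0 under ==.
$storedHash = md5('240610708');

// Vulnerable: == compares two numeric-looking strings as floats, so any
// other "magic hash" of the form 0e<digits>, or the string "0", passes.
function checkTokenLoose($storedHash, $submittedHash)
{
    return $submittedHash == $storedHash;
}

// Hardened: reject non-strings first (strcmp(array(), ...) returned NULL in
// PHP 5, and NULL == 0 is true), then compare with hash_equals(), which is
// type-strict and constant-time.
function checkTokenStrict($storedHash, $submittedHash)
{
    if (!is_string($submittedHash)) {
        return false;
    }
    return hash_equals($storedHash, $submittedHash);
}

// Constructed inputs for the demo: the real hash, the string "0", another
// 0e-style digest (md5("QNKCDZO")), and an array such as PHP builds from a
// query string like ?token[]=x .
$inputs = array(
    'exact match'   => $storedHash,
    'string "0"'    => '0',
    'other 0e hash' => '0e830400451993494058024219903391',
    'array input'   => array('x'),
);

foreach ($inputs as $label => $input) {
    printf("%-14s loose=%s strict=%s\n",
        $label,
        checkTokenLoose($storedHash, $input) ? 'ACCEPT' : 'reject',
        checkTokenStrict($storedHash, $input) ? 'ACCEPT' : 'reject'
    );
}
```

The loose check accepts every numeric-looking input that PHP evaluates to zero, while the strict check accepts only the exact string.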
Magento
Magento security issues
• 3x XSS (1x persistent)
• 2x File Disclosure (get.php, Zend_XmlRpc)
• 3x Attacking the API
• Magento 2 alpha: write files
unserialize() in Magento 2
• unserialize() calls:
    __wakeup()
    __destruct()
unserialize($_COOKIE["some_cookie"])
Mage_Core_Model_Design_Fallback_CachingProxy::__destruct():
    $this->_filesystem->write($filePath, serialize($section['data']));
Impact
• backdoors
• data theft
• proxy/sending spam
Protective measures
• prevention instead of patching
... or do you detect an attack fast enough?
• think like an attacker
• check third-party code
– keep an eye on it! It doesn't hurt.
• think before you code
Frameworks against mistakes
• template engine (Twig) instead of XSS
• PDO instead of MySQL injection
• TLS (HSTS) to prevent MITM
... but still no 100% protection :-(
SSL
• SSL in the backend
• send HSTS header
• NO FTP! (use SCP instead, it is secure)
• correct SSL certificates for customers
• IF self-signed certificates, implement your own CA
Conclusion
Thanks
Bastian Ike
@b_ike
Fabian Blechschmidt
@Fabian_ikono