Slides from my Talk at MageTitansIT in Milan at Feb 5th 2015. How not to suck at data validation and output encoding Security is an important aspect of web application development. In this talk we’ll have a look at the most common web application vulnerabilities and what you as a developer can do to prevent them. We’ll have a look at methods and ways Magento 1 and 2 provide to increase security.

1. Secure input and
output handling
How not to suck at data validation
and output encoding

2. Anna Völkl / @rescueAnn
 Hi, I'm Anna. http://anna.voelkl.at
 I'm a Magento Certified Developer.
5 years Magento, Java/PHP since 2004
 I love IT & Telecommunication and IT- & Information-
Security. 
 I work at LimeSoda. E-Commerce Agency in Vienna/AT

3. Once upon a time...

4. academic titles?!
Teamwork also involves being a good teammate, which is why we are very proud
シャネル デコ
FC Barcelona and was presenting partner of the Fan Zone event prior to the gamehqn
Лечебные грязи Сакского озера
Trying to find for a approach to raise male power and endurance.
New year2013 best now41
Импотенция вы поглядите !
how to write an essay explaining why you deserve a scholarship
Sophisticated
Men
High-heeled shoes
A Wise Choice
http://onemilliondollarhomepage.ru/
how to write up divorce paper
write your name really cool
shady lady free download
driver samsung hd160jj p

5. Our daily business

6. Input

Process

Output

7. Security-Technology, Department of Defense Computer
Security Initiative, 1980

8. XSS is real.
SUPEE-7405:
7 XSS (6 stored, 1 reflected)

9. Stop „Last Minute Security“
●
Do the coding, spend last X hours on „making it
secure“
●
Secure coding doesn't really take longer
●
Data quality  software quality  security
●
Always keep security in mind

10. Every feature adds a risk.

Every input/output adds a risk.

11. http://blogs.technet.com/b/rhalbheer/archive/2011/01/14/real-physical-security.aspx

12. Input

13. Frontend input validation
●
User experience
●
Stop unwanted input when it occurs
●
Do not bother your server with crazy input
●
Only store, what you expect
Don't fill up your database with garbage.

14. Magento Frontend Validation
Magento 1 (51 validation rules)
js/prototype/validation.js
Magento 2 (74 validation rules)
app/code/Magento/Ui/view/base/web/js/lib/validati
on/rules.js

15. app/code/Magento/Ui/view/base/web/js/lib/validation/rules.js
min_text_length
max_text_length
max-words
min-words
range-words
letters-with-basic-punc
alphanumeric
letters-only
no-whitespace
zip-range
integer
vinUS
dateITA
dateNL
time
time12h
phoneUS
phoneUK
mobileUK
stripped-min-length
email2
url2
credit-card-types
ipv4
ipv6
pattern
validate-no-html-tags
validate-select
validate-no-empty
validate-alphanum-with-spaces
validate-data
validate-street
validate-phoneStrict
validate-phoneLax
validate-fax
validate-email
validate-emailSender
validate-password
validate-admin-password
validate-url
validate-clean-url
validate-xml-identifier
validate-ssn
validate-zip-us
validate-date-au
validate-currency-dollar
validate-not-negative-number
validate-zero-or-greater
validate-greater-than-zero
validate-css-length
validate-number
validate-number-range
validate-digits
validate-digits-range
validate-range
validate-alpha
validate-code
validate-alphanum
validate-date
validate-identifier
validate-zip-international
validate-state
less-than-equals-to
greater-than-equals-to
validate-emails
validate-cc-number
validate-cc-ukss
required-entry
checked
not-negative-amount
validate-per-page-value-list
validate-new-password
validate-item-quantity
equalTo

16. Add your own validator
define([
'jquery',
'jquery/ui',
'jquery/validate',
'mage/translate'
], function ($) {
$.validator.addMethod('validate-custom-name',
function (value) {
return (value !== 'anna');
}, $.mage.__('Enter valid name'));
});
M
2

17. M
2

18. <form>
<div class="field required">
<input type="email" id="email_address"
data-validate="{required:true, 'validate-
email':true}"
aria-required="true">
</div>
</form>
M
2

19. <form>
<div class="field required">
<input type="email" id="email_address"
data-validate="{required:true, 'validate-
email':true}"
aria-required="true">
</div>
</form>
M
2

20. <form>
<fieldset data-hasrequired="* Required Fields">
<input type="password"
data-validate="{required:true, 'validate-
password':true}" id="password" aria-
required="true">
<input type="password"
data-validate="{required:true,
equalTo:'#password'}" id="password-
confirmation" aria-required="true">
</fieldset>
</form>
M
2

21. <form>
<fieldset data-hasrequired="* Required Fields">
<input type="password"
data-validate="{required:true, 'validate-
password':true}" id="password" aria-
required="true">
<input type="password"
data-validate="{required:true,
equalTo:'#password'}" id="password-
confirmation" aria-required="true">
</fieldset>
</form>
M
2

22. Why frontend validation is not enough...
https://quadhead.de/cola-hack-sicherheitsluecke-auf-meinecoke-de/

23. Don't trust the user.
Don't trust the input!

24. Why validate input?
User form input
Database query results
Web Services
Server variables
Cookies

25. Validate input rules
Magento 1
Mage_Eav_Attribute_Data_Abstract
Magento 2
MagentoEavModelAttributeDataAbstractData

26. MagentoEavModelAttributeDataAbstractData
Input Validation Rules
– alphanumeric
– numeric
– alpha
– email
– url
– date
M
2

27. ZendValidator
Standard Validation Classes
Alnum Validator
Alpha Validator
Barcode Validator
Between Validator
Callback Validator
CreditCard Validator
Date Validator
DbRecordExists and
DbNoRecordExists
Validators
Digits Validator
EmailAddress
Validator
File Validation Classes
GreaterThan Validator
Hex Validator
Hostname Validator
Iban Validator
Identical Validator
InArray Validator
Ip Validator
Isbn Validator
IsFloat
IsInt
LessThan Validator
NotEmpty Validator
PostCode Validator
Regex Validator
Sitemap Validators
Step Validator
StringLength Validator
Timezone Validator
Uri Validator

28. Output

29. Is input validation not enough?
●
XSS
– Protect your users
– Protect yourself!
●
Store escaped data?
– Prepare the data where it's needed!

30. Use
$block->escapeHtml()
$block->escapeQuote()
$block->escapeUrl()
$block->escapeXssInUrl()
...also Magento does it!

31. $block->escapeHtml()
Whitelist: allowed Tags, htmlspecialchars
M
2

32. MagentoFrameworkEscaper
M
2

33. $block->escapeHtml()
Whitelist: allowed Tags, htmlspecialchars
$block->escapeQuote()
Escape quotes inside html attributes
$addSlashes = false for escaping js that inside
html attribute (onClick, onSubmit etc)
M
2

34. $block->escapeUrl()
Escape HTML entities in URL
(htmlspecialchars)
$block->escapeXssInUrl()
eliminating 'javascript' +
htmlspecialchars
M
2

35. Magento 2 Templates XSS security
<?php echo $block->getTitleHtml() ?>
<?php echo $block->getHtmlTitle() ?>
<?php echo $block->escapeHtml($block->getTitle()) ?>
<h1><?php echo (int)$block->getId() ?></h1>
<?php echo count($var); ?>
<?php echo 'some text' ?>
<?php echo "some text" ?>
<a href="<?php echo $block->escapeXssInUrl(
$block->getUrl()) ?>">
<?php echo $block->getAnchorTextHtml() ?>
</a>
Taken from http://devdocs.magento.com/guides/v2.0/frontend-dev-guide/templates/template-security.html

36. Magento 2 Templates XSS security
●
Static Test: XssPhtmlTemplateTest.php in
devtestsstatictestsuiteMagentoTestPhp
●
See
http://devdocs.magento.com/guides/v2.0/frontend-
dev-guide/templates/template-security.html

37. magento dev:tests:run static

38. What happend to the little
attribute?

39. ●
Weird customers and customer data was removed
●
Frontend validation added
•
Dropdown (whitelist) would have been an option too
●
Server side validation added
●
Output escaped

40. Summary
Think, act and design your software responsibly:
1) UTF-8 all the way
2) Client side validation, filter input
3) Server side validation
4) Data storage (database column size,...)
5) Escape output
6) Run tests

41. </happy>

42. Thank you!
Questions?
@rescueAnn
anna@voelkl.at