Bargento 2015
Magento Security: Best Practices 2015
Leader in e-commerce managed hosting, expert in very high security
Grow your business safely
WWW.NBS-SYSTEM.COM
E-commerce: the 60% rules
• >60% of web traffic is non-human
• >60% of attempts to steal databases target e-commerce websites
• >60% growth in identity theft over three years
• A 2012 study showed that retailer websites are at risk 328 days a year
• An IP address is scanned around 40 times a day
Presented by Philippe Humeau
The triple loot
A different time scale
[Chart: horizontal time axis (seconds, minutes, hours, days, weeks, months, years) comparing two durations: the time between the initial attack and the compromise, and the time between the compromise and its discovery]
A *very* bad year
SUPEE & Shoplift
• Shoplift SQL injection: https://github.com/joren485/Magento-Shoptlift-SQLI
• Order RSS feed: http://www.victim.org/rss/order/NEW
• Magmi: http://www.victim.org/magmi/web/magmi.php
It all started with a big #fail (Shoplift)
• A severe SQL injection that lets an attacker manipulate Magento:
  – create admin users with passwords of their choosing
  – use any feature of the back office
  – or simply write a file or execute code on the server side
It all started with a big #fail (RSS orders)
It all started with a big #fail (Magmi)
Other SUrPrEEses
• SUPEE 6285, 5994 & 1533:
  – Privilege escalation
  – XSS in wishlist & shopping cart
  – Store path disclosure
  – Wrong log permissions
  – XSS in the admin section
  – Customer information leak
Magento cache leak
• Magento's cache stores sensitive information in www.[site].com/var/resource_config.json
• If the var directory is browsable, anyone can recover all your credentials:
  – to MySQL
  – to payment gateways
  – to the various shippers/freight carriers, etc.
• Your [site]/var directory must not be reachable from the web
But there were others before
Did you take care of the previous ones?
• Session XSS: http://www.victim.org/index.php/admin
  Username: "><script>alert('xss')</script>
• Downloader XSS: http://www.victim.org/downloader/?return=%22%3Cscript%3Ealert('xss')%3C/script%3E
• Forgot-password form XSS: http://www.victim.org/index.php/admin/index/forgotpassword/
  Email address: "><script>alert('xss')</script>
Did you take care of the previous ones? (continued)
• XML-RPC XXE: a POST request that lets an attacker retrieve arbitrary files from the server
• Google dork: inurl:app/etc/local.xml
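The paths named in the slides above (the Magmi importer, the order RSS feed, var/resource_config.json and the rest of var/, the downloader, app/etc/local.xml) can be checked from the outside with a read-only probe. The script below is an added example and not part of the deck: it assumes curl is installed and takes the store's root URL as its only argument. The path list is ours, built from the slides; the two var/log file names are Magento's default log names, added on the assumption that the store uses them. Only status codes are recorded, no payload is ever sent.

```shell
#!/bin/sh
# Added example: read-only exposure check for a Magento 1.x store.
# Usage: sh magento_exposure_audit.sh https://shop.example.com
# Assumptions: curl is installed and the store is served from the URL root.
set -u

# path|why it matters  (paths taken from the slides; the wording is ours)
SENSITIVE_PATHS='
/magmi/web/magmi.php|Magmi importer reachable from the Internet
/rss/order/NEW|order RSS feed (order and customer data)
/var/resource_config.json|cache config with DB and gateway credentials
/var/|var/ directory browsable (logs, sessions, cache)
/var/log/system.log|Magento log readable (default log name, assumed)
/var/log/exception.log|Magento exception log readable (default name, assumed)
/app/etc/local.xml|local.xml readable (DB credentials, crypt key)
/downloader/|Magento Connect downloader reachable
'

# Map an HTTP status code to a verdict. Kept pure so it can be unit-tested.
verdict() {
  case "$1" in
    200)             echo EXPOSED ;;      # served; soft-404 pages also return 200, so confirm by eye
    401|403)         echo PROTECTED ;;    # password or IP filter in place
    301|302|307|308) echo REDIRECT ;;     # re-run against the Location target
    404|410)         echo ABSENT ;;
    000)             echo UNREACHABLE ;;  # DNS, TCP or TLS failure
    *)               echo UNKNOWN ;;
  esac
}

# True (exit 0) when any of the given status codes is an exposure.
has_exposure() {
  for code in "$@"; do
    [ "$(verdict "$code")" = EXPOSED ] && return 0
  done
  return 1
}

# Fetch one URL and print only its status code (000 when curl cannot connect).
probe() {
  code=$(curl -sS -o /dev/null -w '%{http_code}' --max-time 10 \
              -A 'magento-exposure-audit' "$1" 2>/dev/null) || true
  echo "${code:-000}"
}

# Walk the list, print one line per path, return 1 if anything is exposed.
audit() {
  base=${1%/}
  codes=''
  while IFS='|' read -r path why; do
    [ -n "$path" ] || continue
    code=$(probe "$base$path")
    codes="$codes $code"
    printf '%-11s %s %s  (%s)\n' "$(verdict "$code")" "$code" "$base$path" "$why"
  done <<EOF
$SENSITIVE_PATHS
EOF
  # word splitting of $codes is intended
  if has_exposure $codes; then
    echo 'At least one sensitive path answers 200: block it at the web server.' >&2
    return 1
  fi
  return 0
}

if [ "$#" -ge 1 ]; then
  audit "$1"
fi
```

A 200 is only a strong signal: some themes answer every unknown path with a 200 "page not found", so look at the body size and content type before raising an alarm. A 302 to the home page is what the Apache rewrite shown in the hardening section produces, so it counts as a redirect to re-check rather than as a pass.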
Did you take care of the previous ones? (continued)
The PayPal / Magento integration flaw (found by NBS System)
NBS System will disclose a new vulnerability soon
• We are still working on a fix
• This vulnerability is "multi-vendor"
• As far as we know, it is quite widespread
• We will start working with Magento to fix it
• The flaw directly affects the payment gateway, allowing an attacker to spawn a shell on the victim's server
• It is not solely Magento's responsibility
Or even the ones that were not Magento specific?
• POODLE
• Heartbleed
• Logjam
• Shellshock
• VENOM
PHP: two versions behind, really?
PHP versions in use across our hosting fleet:

| PHP version | Share |
|---|---|
| PHP 5.2 | 3% |
| PHP 5.3 | 51% |
| PHP 5.4 | 37% |
| PHP 5.5 | 9% |

88% are outdated and no longer supported: no security fixes
(and 12% to 40% performance to be gained by upgrading)
Easily exploitable things beyond classic vulnerabilities
When Magento’s support is being creative…
• Magento's support gives dangerous advice:
  – "Chmod 777 your document root..." *REALLY?*
  – "Magento is not compatible with reverse proxies" *Woot?*
  – "Give me your root password so we can look" *NO KIDDING?*
  – Etc.
Don't go to a car dealer to fix a bad tooth...
Classic mistakes that cost…
• Leaving your logs accessible, especially debug ones
• Leaving payment gateway logs accessible to all
• Not hiding which Magento, PHP & Apache versions you use
• Using unaudited extensions; a lot of them are BAD
• Using weak passwords, with no lockout policy. It's a plague
Application-level DoS attacks
• Leaving import/export scripts, reindexers and cron entry points accessible
• Calling pages that are very slow to load
• Hitting the import/export API directly
• Etc.
Securing Magento flaws
• Update to CE versions > 1.9 or EE versions > 1.14.1
• Use PHP 5.6
• Shoplift, Magmi, XML-RPC XXE: filter access with a .htaccess file (or an NGINX rule)
Securing recent flaws
• Example with Magmi (using Apache). The slide used %{REQUEST_ADDR}, which does not exist in mod_rewrite; the client address variable is %{REMOTE_ADDR}. Replace 192.168.0.1 with the address of your back office network.

```apache
# Only 192.168.0.1 may reach Magmi; everybody else is bounced to the home page
# (use [F,L] instead of the redirect if you prefer a plain 403).
RewriteCond %{REQUEST_URI} ^/(index\.php/)?magmi/ [NC]
RewriteCond %{REMOTE_ADDR} !^192\.168\.0\.1$
RewriteRule ^(.*)$ http://%{HTTP_HOST}/ [R=302,L]
```

• Example with Magmi (using NGINX). The nested location keeps the allow/deny in force for the PHP files, but it must still hand them to PHP-FPM: with only "include fastcgi_params" nginx would serve the Magmi sources as static files. Adjust the socket path to your PHP-FPM pool.

```nginx
location ~* ^/(index\.php/)?magmi {
    allow 192.168.0.1;
    deny  all;
    location ~* \.php$ {
        include       fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass  unix:/var/run/php-fpm.sock;   # assumed socket path
    }
}
```
Protect your back office & updater
• Example using Apache. The slide's block had two problems: the path was /wp-admin (a WordPress path, not Magento's), and with "Order deny,allow" but no "Deny from all" every client is allowed, so "Satisfy any" let everybody bypass the password. The version below covers the default admin front name and the Magento Connect downloader; if you changed your back office URL, put that front name in the pattern. Apache 2.2 access syntax (mod_access_compat on 2.4).

```apache
<LocationMatch "^/(index\.php/)?(admin|downloader)(/|$)">
    AuthType Basic
    AuthName "Restricted Area"
    AuthUserFile /etc/apache2/access/htpasswd
    Require valid-user
    # Deny everyone, allow the office IP, and let either the IP
    # or a valid password satisfy the check.
    Order deny,allow
    Deny from all
    Allow from [MY_IP]
    Satisfy any
</LocationMatch>
```

Then add the user (-c creates the file; omit it for further users, otherwise the file is overwritten):

```sh
htpasswd -c /etc/apache2/access/htpasswd [user]
```
Leveraging native Magento security
• Use HTTPS for the back office and the checkout funnel
• Change the default back office URL
• Do *NOT* use a weak password (no, "tommy4242" is not safe)
• Limit the number of failed login attempts
• Set a password expiration time and change passwords every 3 months
• Enforce case-sensitive passwords
• Disable password recovery by email
Securing Web applications
Organizational security
• Get a security review
• Keep track of vulnerabilities in the Magento ecosystem
• Use serious passwords and change them every 3 months
• Do not keep information unless it is needed
• Pick a PCI DSS certified hosting company
• Use 3-D Secure
• Keep Magento & PHP up to date
Infrastructure security
• Keep a daily backup
• Use a WAF. NAXSI is open source, free and stable
• Put rate limits on your reverse proxies
• Filter your outgoing traffic
This is your managed services provider's job
Host level security
• Change the default back office URL
• Disable directory indexing
• Set correct permissions: files 644, directories 755
• noindex, nofollow on your pre-production environment
• Apply the best practices mentioned above
This is your managed services provider's job
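The 644/755 rule from the slide above, applied as a script. This is an added example, not from the deck: it assumes a Magento 1.x layout where var/ and media/ are the only trees PHP has to write to, and that PHP runs as a member of the group given as second argument (www-data if omitted). It first counts world-writable entries, which is exactly what the "chmod 777 your document root" advice quoted earlier leaves behind, then replaces them with group write on var/ and media/ only.

```shell
#!/bin/sh
# Added example: audit and reset a Magento 1.x document root to files 644 /
# directories 755, keeping only var/ and media/ writable by the web server.
# Usage: sh magento_perms.sh /var/www/magento [web_group]
# Assumptions: Magento 1.x layout; PHP runs as a member of web_group
# (www-data if omitted); run as the file owner or root.
set -u

# Everything world-writable under $1: the trace a "chmod 777" leaves behind.
# Symlinks are skipped because their own mode is meaningless.
world_writable() {
  find "$1" ! -type l -perm -o+w
}

# Number of world-writable entries, handy as a CI or monitoring gate.
count_world_writable() {
  world_writable "$1" | wc -l | tr -d ' '
}

# Apply the baseline. Code must not be writable by the web server at all;
# var/ (cache, sessions, logs) and media/ (uploads) get group write instead
# of world write, so Magento keeps working without a 777 anywhere.
# Note: this also clears the exec bit on cron.sh; that is fine when the
# crontab runs it as "sh cron.sh", restore +x if you invoke it directly.
harden_perms() {
  root=${1%/}
  group=${2:-www-data}

  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +

  for d in var media; do
    [ -d "$root/$d" ] || continue
    chgrp -R "$group" "$root/$d" 2>/dev/null || \
      echo "warn: cannot chgrp $root/$d to $group (not root?)" >&2
    find "$root/$d" -type d -exec chmod 775 {} +
    find "$root/$d" -type f -exec chmod 664 {} +
  done

  # local.xml holds the DB password and the crypt key: take it out of the
  # world-readable set as soon as the web server group can be assigned.
  lx=$root/app/etc/local.xml
  if [ -f "$lx" ]; then
    if chgrp "$group" "$lx" 2>/dev/null; then
      chmod 640 "$lx"
    else
      echo "warn: cannot chgrp $lx; left at 644" >&2
    fi
  fi
}

if [ "$#" -ge 1 ]; then
  echo "world-writable entries before: $(count_world_writable "$1")"
  harden_perms "$@"
  echo "world-writable entries after:  $(count_world_writable "$1")"
fi
```

Run `count_world_writable` on its own from monitoring: a non-zero result on a production store means someone has been "fixing" a permission problem the support way.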
High end security
CerberHost
Contact
NBS System
Address: 8 rue Bernard Buffet, Immeuble Le Cardinet, 5th floor, 75017 Paris
Email: [email protected]
Phone: +33.1.58.56.60.80
Technical support: +33.1.58.56.60.88
Fax: +33.1.58.56.60.81
Workshop given on 13 October 2015 at Bargento 2015 by Philippe Humeau