magento security 2015 best practices

Bargento 2015

Magento SecurityBest practices 2015

LEADER en INFOGERANCE ECOMMERCE EXPERT en TRES HAUTE SECURITE

Grow your business safely

WWW.NBS-SYSTEM.COM

E-commerce: the 60% rules

• >60% of web traffic is non-human• >60% of attempts to steal databases target e-

commerce websites• >60% of growth for identity theft over three years• A 2012 stufy showed that retailer websites are at

risk 328 days/year• An IP address is scanned around 40 times per day

2Présenté par Philippe Humeau

The triple loot


A different time scale


T

Seconds Minutes Hours Days Weeks Months Years

Time between initial attack and

compromission

Time between compromission and

discovery of it

A *very* bad year

Magento performancesBest practices 2015

A *very* bad year


• Shoplift SQL Injection:https://github.com/joren485/Magento-Shoptlift-SQLI

• Order RSS:http://www.victim.org/rss/order/NEW

• Magmi :http://www.victim.org/magmi/web/magmi.php

SUPEE & Shoplift

https://github.com/joren485/Magento-Shoptlift-SQLI

https://github.com/joren485/Magento-Shoptlift-SQLI

http://www.victim.org/rss/order/NEW

http://www.victim.org/magmi/web/magmi.php

http://www.victim.org/magmi/web/magmi.php

It all started with a big #fail (Shoplift)


• A severe SQL Injection allowing to manipulate Magento– To create admin users with chosen passwords– To leverage any feature from the back office– Or simply to write a file or execute code on the

server side

Shoplift

It all started with a big #fail (RSS orders)


It all started with a big #fail (Magmi)


Other SUrPrEEses


• SUPEE 6285, 5994 & 1533– Privilege escalation– XSS in whishlist & shopping cart– Store path disclosure– Wrong log permission– XSS in the admin section– Customer information leak

Other SUPEEs

Magento cache leak


• Magento’s cache stores sensitive information inwww.[site].com/var/resource_config.json

• If this var directory is browsable, one can recover all your sensitive login/pass connections:– To MySQL– To payment gateways– To various shippers/freighters, etc.

• Your [site]/var directory should not be accessible

http://www.site.com/var/resource_config.json

But there were others before


Did you take care of the previous ones?


• Session XSS:http://www.victim.org/index.php/adminUsername: « ><script>alert(‘xss’)</script> »

• Downloader XSS:http://www.victim.org/downloader/?return=%22%3Cscript%3Ealert(‘xss’)%3C/script%3E

• Forgot password form XSS:http://www.victim.org/index.php/admin/index/forgotpassword/

Email address: « ><script>alert(‘xss’)</script> »

http://www.victim.org/index.php/admin

http://www.victim.org/downloader/?return=%22%3Cscript%3Ealert(%E2%80%98xss%E2%80%99)%3C/script%3E




http://www.victim.org/index.php/admin/index/forgotpassword/

http://www.victim.org/index.php/admin/index/forgotpassword/



• XML-RPC-XXE: (Post method allowing to retrieve any files)

• Session XSS:http://www.victim.org/index.php/admin/ Username: « ><script>alert(‘xss’)</script> »

• Google Dork:inurl:app/etc/local.xml

http://www.victim.org/index.php/admin/



The PayPal / Magento integration flaw (by NBS System)

NBS System will release a new vulnerability soon


• We are still working on a fix• This vulnerability is « multi vendor »• It is, so far as we know, quite widely spread• We’ll start working with Magento to fix it• The flaw touches directly the payment gateway,

allowing to spawn a shell on the victim’s server• It’s not unilaterally Magento’s responsibility

Or even the ones that were not Magento specific?


• Poodle• Heartbleed• Logjam• Shellshock• Venom

PHP: two versions behind, really?


PHP versions in use in our parc:

PHP 5.23%

PHP 5.351%

PHP 5.437%

PHP 5.59%

88% are outdated and not supported anymore…

No security fixes

(and +12% to 40% performances to gain)

Easily exploitable things beyond classic vulnerabilities


When Magento’s support is being creative…


• Magento’s support is giving dangerous advice– « Chmod 777 your document root… » *REALLY?*– « Magento is not compatible with reverse

proxies » *Woot?*– « Give me your root password so we can look »

*NO KIDDING?*– Etc…

Don’t go to a car dealer to fix a bad tooth…

Classic mistakes that cost…


• Leaving yout logs accessible, especially Debug ones

• Leaving payment gateway logs accessible to all

• Not hiding which Magento, PHP & Apache versions you use

• Using unaudited extensions, a lot are BAD• Using weak passwords, along with no

locking policies. It’s a plague

Applicative level D.o.S attacks


• Leaving import/export scripts, reindexers, crontabs accessible

• Trying to call pages that load very slowly• Accessing directly the API to import/export• Etc.

Securing Magento flaws


Securing Magento flaws

• Update to CE versions > 1.9 or EE versions > 1.14.1

• Use PHP 5.6• Shoplift, Magmi, XML-RPC-XXE: filter the access

with a .htaccess file (or an NGINX rule)


Securing recent flaws

• Example with Magmi (using Apache)RewriteCond%{REQUEST_URI}^/(index.php/)?

magmi/ [NC]RewriteCond %{REQUEST_ADDR}!^192.168.0.1RewriteRule^(.*)$ http://%{HTTP_HOST}/ [R=302,L]

• Example with Magmi (using NGINX)location ~* ^/(index.php/)?magmi{allow192.168.0.1;denyall;location ~* .(php) {includefastcgi_params;}}


Protect your back office & updater

• Example using Apache<Location /wp-admin>AuthTypeBasicAuthName"RestrictedArea"AuthUserFile/etc/apache2/access/htpasswdRequirevalid-userOrderdeny,allowAllowfrom[MY_IP]Satisfyany</Location>

Then, just add the user:htpasswd–c /etc/apache2/access/htpasswd[user]


Leveraging native Magento security

• Use HTTPS in your back office & order tunnel accesses

• Change your back office default URL• Do *NOT* use a weak password (no,

« tommy4242 » is not safe)• Put some limits to the number of failed login

attempts• Put a password expiration time and change it

every 3 months• Enforce the use of case sensitive passwords• Disable email password recovery


Securing Web applications


Organizational security

• Get a security review• Keep track of vulnerabilities on Magento

ecosystem• Have serious passwords, change them every 3

months• Do not keep information unless it is needed• Pick a PCI/DSS certified hosting company• Use 3D secure• Keep up to date versions of Magento & PHP


Infrastructure security

• Keep a daily backup• Use a WAF. NAXSI is open-source, free and stable• Put rate limits on your reverse proxies• Filter your outgoing traffic

It’s the job of your managed services provider


Host level security

• Change your back office default URL• Disable directory indexing• Set up correct permissions: file=644,

directory=755• No follow, no index on your preproduction

environment• Use the best practices mentioned before

It’s the job of your managed services provider


High end security


CerberHost


Contact

NBS SystemAdresse : 8 rue Bernard Buffet, Immeuble Le Cardinet – 5ème étage75017 Paris

Mail : [email protected]éléphone : +33.1.58.56.60.80Support technique : +33.1.58.56.60.88Fax : +33.1.58.56.60.81

34

Atelier présenté le 13 octobre 2015 au Bargento 2015 par Philippe Humeau

Présenté par Philippe Humeau

magento security 2015 best practices

Technology