Bargento 2015
Magento Security
Best practices 2015
Leader in e-commerce managed hosting
Expert in very high security
Grow your business safely
WWW.NBS-SYSTEM.COM
E-commerce: the 60% rules
• >60% of web traffic is non-human
• >60% of attempts to steal databases target e-commerce websites
• >60% growth in identity theft over three years
• A 2012 study showed that retailer websites are at risk 328 days/year
• An IP address is scanned around 40 times per day
Presented by Philippe Humeau
The triple loot
A different time scale
(Figure: a timeline running from seconds to years, comparing the time between the initial attack and the compromise with the time between the compromise and its discovery.)
A *very* bad year
Magento performances
Best practices 2015
A *very* bad year
• Shoplift SQL Injection: https://github.com/joren485/Magento-Shoptlift-SQLI
• Order RSS: http://www.victim.org/rss/order/NEW
• Magmi: http://www.victim.org/magmi/web/magmi.php
SUPEE & Shoplift
It all started with a big #fail (Shoplift)
• A severe SQL injection that allows an attacker to manipulate Magento:
  • to create admin users with chosen passwords
  • to leverage any feature of the back office
  • or simply to write a file or execute code on the server side
Shoplift
It all started with a big #fail (RSS orders)
It all started with a big #fail (Magmi)
Other SUrPrEEses
• SUPEE 6285, 5994 & 1533
• Privilege escalation
• XSS in wishlist & shopping cart
• Store path disclosure
• Wrong log permissions
• XSS in the admin section
• Customer information leak
Other SUPEEs
Magento cache leak
• Magento's cache stores sensitive information in www.[site].com/var/resource_config.json
• If this var directory is browsable, anyone can recover all your sensitive login/password credentials:
  • to MySQL
  • to payment gateways
  • to various shippers/freighters, etc.
• Your [site]/var directory should not be accessible
But there were others before
Did you take care of the previous ones?
• Session XSS: http://www.victim.org/index.php/admin
  Username: « ><script>alert(xss)</script> »
• Downloader XSS: http://www.victim.org/downloader/?return=%22%3Cscript%3Ealert(xss)%3C/script%3E
• Forgot password form XSS: http://www.victim.org/index.php/admin/index/forgotpassword/
  Email address: « ><script>alert(xss)</script> »
Did you take care of the previous ones?
• XML-RPC XXE: a POST method allowing an attacker to retrieve any file
• Session XSS: http://www.victim.org/index.php/admin/
  Username: « ><script>alert(xss)</script> »
• Google Dork: inurl:app/etc/local.xml
Did you take care of the previous ones?
The PayPal / Magento integration flaw (by NBS System)
NBS System will release a new vulnerability soon
• We are still working on a fix
• This vulnerability is « multi vendor »
• It is, as far as we know, quite widespread
• We'll start working with Magento to fix it
• The flaw directly affects the payment gateway, allowing an attacker to spawn a shell on the victim's server
• It's not unilaterally Magento's responsibility
Or even the ones that were not Magento specific?
• Poodle
• Heartbleed
• Logjam
• Shellshock
• Venom
PHP: two versions behind, really?
PHP versions in use across our hosted fleet:
PHP 5.2: 3%
PHP 5.3: 51%
PHP 5.4: 37%
PHP 5.5: 9%
88% are outdated and no longer supported: no security fixes (and a 12% to 40% performance gain to be had by upgrading)
Easily exploitable things beyond classic vulnerabilities
When Magento's support is being creative
• Magento's support is giving dangerous advice:
• « Chmod 777 your document root » *REALLY?*
• « Magento is not compatible with reverse proxies » *Woot?*
• « Give me your root password so we can look » *NO KIDDING?*
• Etc.
Don't go to a car dealer to fix a bad tooth
Classic mistakes that cost
• Leaving your logs accessible, especially debug ones
• Leaving payment gateway logs accessible to all
• Not hiding which Magento, PHP & Apache versions you use
• Using unaudited extensions, a lot of them are BAD
• Using weak passwords, along with no lockout policies. It's a plague
Applicative level D.o.S attacks
• Leaving import/export scripts, reindexers, crontabs accessible
• Calling pages that load very slowly
• Accessing the import/export API directly
• Etc.
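As an added defender-side example (not code from the deck), the following Python script runs over constructed access-log lines and flags the exposures the previous slides list (Magmi, the order RSS feed, var/, app/etc/local.xml, the downloader), bursts of POSTs to the default admin URL of the kind weak passwords without a lockout policy invite, and per-IP floods of the kind the application-level DoS slide describes. The thresholds, the 60-second window and the sample addresses are assumptions.

```python
"""Detection over combined-format access logs for the exposures this deck lists: probes
for Magmi, the order RSS feed, var/, app/etc/local.xml and the downloader; bursts of
POSTs to the admin login (password guessing); and per-IP floods (application-level DoS).
Added example, not code from the deck; the log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Paths the deck names as leaking credentials or exposing dangerous tooling.
SENSITIVE = {
    "magmi":      re.compile(r"^/(index\.php/)?magmi(/|$)", re.I),
    "order-rss":  re.compile(r"^/rss/order(/|$)", re.I),
    "var-dir":    re.compile(r"^/var/", re.I),
    "local-xml":  re.compile(r"^/app/etc/local\.xml$", re.I),
    "downloader": re.compile(r"^/downloader(/|$)", re.I),
}
# Default back office URL; adjust it if you changed it as the deck recommends.
ADMIN_LOGIN = re.compile(r"^/index\.php/admin(/|$)", re.I)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["path"] = rec["path"].split("?", 1)[0]  # the query string is irrelevant here
    rec["status"] = int(rec["status"])
    return rec


def classify_path(path):
    """Label a path matching one of the deck's exposures, else None."""
    for label, pattern in SENSITIVE.items():
        if pattern.search(path):
            return label
    return None


def max_in_window(times, window):
    """Largest number of events inside any interval of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def over_threshold(by_ip, window, threshold):
    counts = {ip: max_in_window(ts, window) for ip, ts in by_ip.items()}
    return {ip: n for ip, n in counts.items() if n >= threshold}


def analyse(lines, window=timedelta(seconds=60), flood_threshold=20, login_threshold=5):
    """Run the three checks and return findings a defender can act on."""
    probes, requests_by_ip, admin_posts_by_ip = [], defaultdict(list), defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        requests_by_ip[rec["ip"]].append(rec["ts"])
        label = classify_path(rec["path"])
        if label:
            probes.append((rec["ip"], label, rec["path"], rec["status"]))
        if rec["method"] == "POST" and ADMIN_LOGIN.search(rec["path"]):
            admin_posts_by_ip[rec["ip"]].append(rec["ts"])
    return {
        "probes": probes,
        # A 2xx answer means the path is really reachable: fix the web server rule
        # (see the Apache/NGINX examples), do not just block one source address.
        "exposed": sorted({(lbl, p) for _, lbl, p, st in probes if 200 <= st < 300}),
        "floods": over_threshold(requests_by_ip, window, flood_threshold),
        "admin_guessing": over_threshold(admin_posts_by_ip, window, login_threshold),
    }


def constructed_log():
    """Constructed log: a few probes, a login-guessing burst and a flood on a slow page."""
    base = datetime.strptime("13/Oct/2015:10:00:00 +0200", TS_FMT)
    fmt = '{ip} - - [{ts}] "{m} {p} HTTP/1.1" {s} 512 "-" "Mozilla/5.0"'
    def line(ip, secs, m, p, s):
        ts = (base + timedelta(seconds=secs)).strftime(TS_FMT)
        return fmt.format(ip=ip, ts=ts, m=m, p=p, s=s)
    lines = [
        line("203.0.113.5", 1, "GET", "/magmi/web/magmi.php", 200),       # really exposed
        line("203.0.113.5", 2, "GET", "/var/resource_config.json", 403),  # blocked
        line("203.0.113.5", 3, "GET", "/app/etc/local.xml", 404),
        line("203.0.113.5", 4, "GET", "/rss/order/NEW", 401),
    ]
    lines += [line("203.0.113.5", 10 + 3 * i, "POST", "/index.php/admin/", 302) for i in range(6)]
    lines += [line("203.0.113.9", 40 + i, "GET", "/catalogsearch/result/?q=" + "a" * 200, 200)
              for i in range(25)]
    return lines
```

Feed it real lines with `analyse(open("access.log"))` and tune the thresholds to your traffic; the "exposed" list is the one to act on first.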
Securing Magento flaws
• Update to CE versions > 1.9 or EE versions > 1.14.1
• Use PHP 5.6
• Shoplift, Magmi, XML-RPC XXE: filter the access with a .htaccess file (or an NGINX rule)
Securing recent flaws
• Example with Magmi (using Apache)
    # REMOTE_ADDR is the connecting client's address; replace 192.168.0.1 with your own
    RewriteCond %{REQUEST_URI} ^/(index\.php/)?magmi/ [NC]
    RewriteCond %{REMOTE_ADDR} !^192\.168\.0\.1$
    RewriteRule ^(.*)$ http://%{HTTP_HOST}/ [R=302,L]
• Example with Magmi (using NGINX)
    location ~* ^/(index\.php/)?magmi {
        allow 192.168.0.1;   # your own address
        deny all;
        location ~* \.php$ {
            include fastcgi_params;
            # plus the same fastcgi_pass directive used by the rest of the vhost
        }
    }
Protect your back office & updater
• Example using Apache
    <Location /wp-admin>
        # use your Magento back office path (/index.php/admin by default) and /downloader here
        AuthType Basic
        AuthName "Restricted Area"
        AuthUserFile /etc/apache2/access/htpasswd
        Require valid-user
        Order deny,allow
        Deny from all
        Allow from [MY_IP]
        # Satisfy any: requests from [MY_IP] pass without a password, everyone else needs one
        Satisfy any
    </Location>
Then, just add the user:
    htpasswd -c /etc/apache2/access/htpasswd [user]
(-c creates the file; omit it when adding further users, or the existing entries are overwritten)
Leveraging native Magento security
• Use HTTPS for your back office & checkout funnel
• Change your back office default URL
• Do *NOT* use a weak password (no, « tommy4242 » is not safe)
• Put a limit on the number of failed login attempts
• Set a password expiration time and change it every 3 months
• Enforce the use of case-sensitive passwords
• Disable email password recovery
Securing Web applications
Organizational security
• Get a security review
• Keep track of vulnerabilities in the Magento ecosystem
• Have serious passwords, change them every 3 months
• Do not keep information unless it is needed
• Pick a PCI DSS certified hosting company
• Use 3-D Secure
• Keep up-to-date versions of Magento & PHP
Infrastructure security
• Keep a daily backup
• Use a WAF. NAXSI is open-source, free and stable
• Put rate limits on your reverse proxies
• Filter your outgoing traffic
It's the job of your managed services provider
Host level security
• Change your back office default URL
• Disable directory indexing
• Set up correct permissions: file=644, directory=755
• No follow, no index on your preproduction environment
• Use the best practices mentioned before
It's the job of your managed services provider
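An added example, not code from the deck: a Python audit of the 644/755 baseline above, run against a constructed Magento-like tree in a temporary directory. The tree layout and the 0666/0777 mistakes planted in it are assumptions used to exercise the audit.

```python
"""Audit and fix the file-mode baseline the deck gives for a Magento document root
(files 0644, directories 0755) and list anything world-writable, which is what
"chmod 777 your document root" produces. Added example, not code from the deck;
the Magento-like tree is constructed in a temporary directory."""
import os
import stat
import tempfile

FILE_MODE, DIR_MODE = 0o644, 0o755


def audit_permissions(root):
    """Return sorted (relative path, actual mode, expected mode) for every entry
    whose permission bits differ from the baseline. Symlinks are skipped because
    chmod follows them and would alter the target instead."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            st = os.lstat(full)
            actual = stat.S_IMODE(st.st_mode)
            expected = DIR_MODE if stat.S_ISDIR(st.st_mode) else FILE_MODE
            if actual != expected:
                findings.append((os.path.relpath(full, root), actual, expected))
    return sorted(findings)


def world_writable(root):
    """Entries any local account can modify: the result of the "chmod 777" advice."""
    return [rel for rel, actual, _ in audit_permissions(root) if actual & stat.S_IWOTH]


def fix_permissions(root):
    """Apply the baseline to every deviating entry; returns the number changed.
    var/ and media/ must stay writable by the PHP user: give them to that user
    with chown rather than widening the modes."""
    changed = 0
    for rel, _actual, expected in audit_permissions(root):
        os.chmod(os.path.join(root, rel), expected)
        changed += 1
    return changed


def constructed_docroot():
    """Build a small Magento-like tree containing two of the mistakes the deck lists."""
    root = tempfile.mkdtemp(prefix="magento-audit-")
    for rel in ("app/etc/local.xml", "var/log/system.log", "index.php"):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("constructed\n")
        os.chmod(full, FILE_MODE)
    for dirpath, dirnames, _ in os.walk(root):  # normalise directories whatever the umask
        for d in dirnames:
            os.chmod(os.path.join(dirpath, d), DIR_MODE)
    os.chmod(os.path.join(root, "app", "etc", "local.xml"), 0o666)  # DB credentials, world-writable
    os.chmod(os.path.join(root, "var"), 0o777)                      # "chmod 777" applied to var/
    return root
```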
High end security
CerberHost
Contact
NBS System
Address:
8 rue Bernard Buffet,
Immeuble Le Cardinet, 5th floor
75017 Paris
Mail: contact@nbs-system.com
Telephone: +33.1.58.56.60.80
Technical support: +33.1.58.56.60.88
Fax: +33.1.58.56.60.81
Workshop presented on 13 October 2015 at Bargento 2015 by Philippe Humeau

More Related Content

Similar to Magento security 2015 best practices (20)

Magento security best practices 2015
Magento security best practices 2015Magento security best practices 2015
Magento security best practices 2015
Philippe Humeau
Merchants guide to protecting Magento Storefronts (Meet Magento India 2020)
Merchants guide to protecting Magento Storefronts (Meet Magento India 2020)Merchants guide to protecting Magento Storefronts (Meet Magento India 2020)
Merchants guide to protecting Magento Storefronts (Meet Magento India 2020)
Tarun Sharma
Comment pirater le site de mon concurrent.. et securiser le mien
Comment pirater le site de mon concurrent.. et securiser le mienComment pirater le site de mon concurrent.. et securiser le mien
Comment pirater le site de mon concurrent.. et securiser le mien
Julien Dereumaux
2010 11 pubcon_hendison-hosting
2010 11 pubcon_hendison-hosting2010 11 pubcon_hendison-hosting
2010 11 pubcon_hendison-hosting
shendison
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
Teemu Tiainen
Seven steps to better security
Seven steps to better securitySeven steps to better security
Seven steps to better security
Michael Pignataro
LoginCat - Zero Trust Integrated Cybersecurity
LoginCat - Zero Trust Integrated CybersecurityLoginCat - Zero Trust Integrated Cybersecurity
LoginCat - Zero Trust Integrated Cybersecurity
Rohit Kapoor
Shiny, Lets Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Lets Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Shiny, Lets Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Lets Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Michael Pirnat
Adminblast 2013
Adminblast 2013Adminblast 2013
Adminblast 2013
Gabriella Davis
Passwords are pass辿. WebAuthn is simpler, stronger and ready to go
Passwords are pass辿. WebAuthn is simpler, stronger and ready to goPasswords are pass辿. WebAuthn is simpler, stronger and ready to go
Passwords are pass辿. WebAuthn is simpler, stronger and ready to go
Michael Furman
Ahmadabad mule soft_meetup_11_october_2020_errorhanlingandmonitoringalerts
Ahmadabad mule soft_meetup_11_october_2020_errorhanlingandmonitoringalertsAhmadabad mule soft_meetup_11_october_2020_errorhanlingandmonitoringalerts
Ahmadabad mule soft_meetup_11_october_2020_errorhanlingandmonitoringalerts
Shekh Muenuddeen
Ahmadabad mule soft_meetup_11_october_2020_errorhanlingandmonitoringalerts
Ahmadabad mule soft_meetup_11_october_2020_errorhanlingandmonitoringalertsAhmadabad mule soft_meetup_11_october_2020_errorhanlingandmonitoringalerts
Ahmadabad mule soft_meetup_11_october_2020_errorhanlingandmonitoringalerts
Shekh Muenuddeen
Hire Magento 2 developer India, Call us for more
Hire Magento 2 developer India, Call us for more Hire Magento 2 developer India, Call us for more
Hire Magento 2 developer India, Call us for more
AResourcePool
How to Secure your WordPress Website - WordCamp UK 2014
How to Secure your WordPress Website - WordCamp UK 2014How to Secure your WordPress Website - WordCamp UK 2014
How to Secure your WordPress Website - WordCamp UK 2014
Primary Image Ltd
MuleSoft Meetup | Reading Meetup Group | Hosted by Integral Zone
MuleSoft Meetup | Reading Meetup Group | Hosted by Integral ZoneMuleSoft Meetup | Reading Meetup Group | Hosted by Integral Zone
MuleSoft Meetup | Reading Meetup Group | Hosted by Integral Zone
IntegralZone
Pedro Fortuna - Protecting Crypto Exchanges From a New Wave of Man-in-the-Bro...
Pedro Fortuna - Protecting Crypto Exchanges From a New Wave of Man-in-the-Bro...Pedro Fortuna - Protecting Crypto Exchanges From a New Wave of Man-in-the-Bro...
Pedro Fortuna - Protecting Crypto Exchanges From a New Wave of Man-in-the-Bro...
Hacken_Ecosystem
Hitachi ID Suite 9.0 Features and Technology
Hitachi ID Suite 9.0 Features and TechnologyHitachi ID Suite 9.0 Features and Technology
Hitachi ID Suite 9.0 Features and Technology
Hitachi ID Systems, Inc.
Tech campmemphis slides_post_session
Tech campmemphis slides_post_sessionTech campmemphis slides_post_session
Tech campmemphis slides_post_session
Stewart Whaley
Magento Live UK Nexcess Performance & Security Session
Magento Live UK Nexcess Performance & Security SessionMagento Live UK Nexcess Performance & Security Session
Magento Live UK Nexcess Performance & Security Session
Nexcess.net LLC
Bp101-Can Domino Be Hacked
Bp101-Can Domino Be HackedBp101-Can Domino Be Hacked
Bp101-Can Domino Be Hacked
Howard Greenberg
Magento security best practices 2015
Magento security best practices 2015Magento security best practices 2015
Magento security best practices 2015
Philippe Humeau
Merchants guide to protecting Magento Storefronts (Meet Magento India 2020)
Merchants guide to protecting Magento Storefronts (Meet Magento India 2020)Merchants guide to protecting Magento Storefronts (Meet Magento India 2020)
Merchants guide to protecting Magento Storefronts (Meet Magento India 2020)
Tarun Sharma
Comment pirater le site de mon concurrent.. et securiser le mien
Comment pirater le site de mon concurrent.. et securiser le mienComment pirater le site de mon concurrent.. et securiser le mien
Comment pirater le site de mon concurrent.. et securiser le mien
Julien Dereumaux
2010 11 pubcon_hendison-hosting
2010 11 pubcon_hendison-hosting2010 11 pubcon_hendison-hosting
2010 11 pubcon_hendison-hosting
shendison
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
Teemu Tiainen
Seven steps to better security
Seven steps to better securitySeven steps to better security
Seven steps to better security
Michael Pignataro
LoginCat - Zero Trust Integrated Cybersecurity
LoginCat - Zero Trust Integrated CybersecurityLoginCat - Zero Trust Integrated Cybersecurity
LoginCat - Zero Trust Integrated Cybersecurity
Rohit Kapoor
Shiny, Lets Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Lets Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Shiny, Lets Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Lets Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Michael Pirnat
Passwords are pass辿. WebAuthn is simpler, stronger and ready to go
Passwords are pass辿. WebAuthn is simpler, stronger and ready to goPasswords are pass辿. WebAuthn is simpler, stronger and ready to go
Passwords are pass辿. WebAuthn is simpler, stronger and ready to go
Michael Furman
Ahmadabad mule soft_meetup_11_october_2020_errorhanlingandmonitoringalerts
Ahmadabad mule soft_meetup_11_october_2020_errorhanlingandmonitoringalertsAhmadabad mule soft_meetup_11_october_2020_errorhanlingandmonitoringalerts
Ahmadabad mule soft_meetup_11_october_2020_errorhanlingandmonitoringalerts
Shekh Muenuddeen
Ahmadabad mule soft_meetup_11_october_2020_errorhanlingandmonitoringalerts
Ahmadabad mule soft_meetup_11_october_2020_errorhanlingandmonitoringalertsAhmadabad mule soft_meetup_11_october_2020_errorhanlingandmonitoringalerts
Ahmadabad mule soft_meetup_11_october_2020_errorhanlingandmonitoringalerts
Shekh Muenuddeen
Hire Magento 2 developer India, Call us for more
Hire Magento 2 developer India, Call us for more Hire Magento 2 developer India, Call us for more
Hire Magento 2 developer India, Call us for more
AResourcePool
How to Secure your WordPress Website - WordCamp UK 2014
How to Secure your WordPress Website - WordCamp UK 2014How to Secure your WordPress Website - WordCamp UK 2014
How to Secure your WordPress Website - WordCamp UK 2014
Primary Image Ltd
MuleSoft Meetup | Reading Meetup Group | Hosted by Integral Zone
MuleSoft Meetup | Reading Meetup Group | Hosted by Integral ZoneMuleSoft Meetup | Reading Meetup Group | Hosted by Integral Zone
MuleSoft Meetup | Reading Meetup Group | Hosted by Integral Zone
IntegralZone
Pedro Fortuna - Protecting Crypto Exchanges From a New Wave of Man-in-the-Bro...
Pedro Fortuna - Protecting Crypto Exchanges From a New Wave of Man-in-the-Bro...Pedro Fortuna - Protecting Crypto Exchanges From a New Wave of Man-in-the-Bro...
Pedro Fortuna - Protecting Crypto Exchanges From a New Wave of Man-in-the-Bro...
Hacken_Ecosystem
Hitachi ID Suite 9.0 Features and Technology
Hitachi ID Suite 9.0 Features and TechnologyHitachi ID Suite 9.0 Features and Technology
Hitachi ID Suite 9.0 Features and Technology
Hitachi ID Systems, Inc.
Tech campmemphis slides_post_session
Tech campmemphis slides_post_sessionTech campmemphis slides_post_session
Tech campmemphis slides_post_session
Stewart Whaley
Magento Live UK Nexcess Performance & Security Session
Magento Live UK Nexcess Performance & Security SessionMagento Live UK Nexcess Performance & Security Session
Magento Live UK Nexcess Performance & Security Session
Nexcess.net LLC
Bp101-Can Domino Be Hacked
Bp101-Can Domino Be HackedBp101-Can Domino Be Hacked
Bp101-Can Domino Be Hacked
Howard Greenberg

More from NBS System (6)

Kubernetes est-il soluble dans la s辿curit辿 ? NBS System & Doctolib - Assises ...Kubernetes est-il soluble dans la s辿curit辿 ? NBS System & Doctolib - Assises ...
Kubernetes est-il soluble dans la s辿curit辿 ? NBS System & Doctolib - Assises ...
NBS System
Risk Management : comment g辿rer la crise de s辿curit辿 ? - Christian Belval, Di...Risk Management : comment g辿rer la crise de s辿curit辿 ? - Christian Belval, Di...
Risk Management : comment g辿rer la crise de s辿curit辿 ? - Christian Belval, Di...
NBS System
AWS et NBS System pr辿sentent la Tr竪s Haute S辿curit辿 - Emile HeitorAWS et NBS System pr辿sentent la Tr竪s Haute S辿curit辿 - Emile Heitor
AWS et NBS System pr辿sentent la Tr竪s Haute S辿curit辿 - Emile Heitor
NBS System
AWS S辿curit辿 et Compliance : Fantasmes vs R辿alit辿 - Philippe Humeau NBS Syste...AWS S辿curit辿 et Compliance : Fantasmes vs R辿alit辿 - Philippe Humeau NBS Syste...
AWS S辿curit辿 et Compliance : Fantasmes vs R辿alit辿 - Philippe Humeau NBS Syste...
NBS System
Le Darwinisme DigitalLe Darwinisme Digital
Le Darwinisme Digital
NBS System
Evaluer et contr担ler la s辿curit辿 de ses prestataires Cloud, PaaS ou SaaSEvaluer et contr担ler la s辿curit辿 de ses prestataires Cloud, PaaS ou SaaS
Evaluer et contr担ler la s辿curit辿 de ses prestataires Cloud, PaaS ou SaaS
NBS System
Kubernetes est-il soluble dans la s辿curit辿 ? NBS System & Doctolib - Assises ...Kubernetes est-il soluble dans la s辿curit辿 ? NBS System & Doctolib - Assises ...
Kubernetes est-il soluble dans la s辿curit辿 ? NBS System & Doctolib - Assises ...
NBS System
Risk Management : comment g辿rer la crise de s辿curit辿 ? - Christian Belval, Di...Risk Management : comment g辿rer la crise de s辿curit辿 ? - Christian Belval, Di...
Risk Management : comment g辿rer la crise de s辿curit辿 ? - Christian Belval, Di...
NBS System
AWS et NBS System pr辿sentent la Tr竪s Haute S辿curit辿 - Emile HeitorAWS et NBS System pr辿sentent la Tr竪s Haute S辿curit辿 - Emile Heitor
AWS et NBS System pr辿sentent la Tr竪s Haute S辿curit辿 - Emile Heitor
NBS System
AWS S辿curit辿 et Compliance : Fantasmes vs R辿alit辿 - Philippe Humeau NBS Syste...AWS S辿curit辿 et Compliance : Fantasmes vs R辿alit辿 - Philippe Humeau NBS Syste...
AWS S辿curit辿 et Compliance : Fantasmes vs R辿alit辿 - Philippe Humeau NBS Syste...
NBS System
Le Darwinisme DigitalLe Darwinisme Digital
Le Darwinisme Digital
NBS System
Evaluer et contr担ler la s辿curit辿 de ses prestataires Cloud, PaaS ou SaaSEvaluer et contr担ler la s辿curit辿 de ses prestataires Cloud, PaaS ou SaaS
Evaluer et contr担ler la s辿curit辿 de ses prestataires Cloud, PaaS ou SaaS
NBS System

Recently uploaded (20)

Agentic AI: The 2025 Next-Gen Automation Guide
Agentic AI: The 2025 Next-Gen Automation GuideAgentic AI: The 2025 Next-Gen Automation Guide
Agentic AI: The 2025 Next-Gen Automation Guide
Thoughtminds
AI in Medical Diagnostics The Future of Healthcare
AI in Medical Diagnostics  The Future of HealthcareAI in Medical Diagnostics  The Future of Healthcare
AI in Medical Diagnostics The Future of Healthcare
Vadim Nareyko
Predictive vs. Preventive Maintenance Which One is Right for Your Factory
Predictive vs. Preventive Maintenance  Which One is Right for Your FactoryPredictive vs. Preventive Maintenance  Which One is Right for Your Factory
Predictive vs. Preventive Maintenance Which One is Right for Your Factory
Diagsense ltd
Caching for Performance Masterclass: The In-Memory Datastore
Caching for Performance Masterclass: The In-Memory DatastoreCaching for Performance Masterclass: The In-Memory Datastore
Caching for Performance Masterclass: The In-Memory Datastore
ScyllaDB
AI Trends and Fun Demos Sothebys Rehoboth Presentation
AI Trends and Fun Demos  Sothebys Rehoboth PresentationAI Trends and Fun Demos  Sothebys Rehoboth Presentation
AI Trends and Fun Demos Sothebys Rehoboth Presentation
Ethan Holland
SECURE BLOCKCHAIN FOR ADMISSION PROCESSING IN EDUCATIONAL INSTITUTIONS.pdf
SECURE BLOCKCHAIN FOR ADMISSION PROCESSING IN EDUCATIONAL INSTITUTIONS.pdfSECURE BLOCKCHAIN FOR ADMISSION PROCESSING IN EDUCATIONAL INSTITUTIONS.pdf
SECURE BLOCKCHAIN FOR ADMISSION PROCESSING IN EDUCATIONAL INSTITUTIONS.pdf
spub1985
UiPath Agentic Automation Capabilities and Opportunities
UiPath Agentic Automation Capabilities and OpportunitiesUiPath Agentic Automation Capabilities and Opportunities
UiPath Agentic Automation Capabilities and Opportunities
DianaGray10
William Maclyn Murphy McRae - A Seasoned Professional Renowned
William Maclyn Murphy McRae - A Seasoned Professional RenownedWilliam Maclyn Murphy McRae - A Seasoned Professional Renowned
William Maclyn Murphy McRae - A Seasoned Professional Renowned
William Maclyn Murphy McRae
DevNexus - Building 10x Development Organizations.pdf
DevNexus - Building 10x Development Organizations.pdfDevNexus - Building 10x Development Organizations.pdf
DevNexus - Building 10x Development Organizations.pdf
Justin Reock
Understanding Traditional AI with Custom Vision & MuleSoft.pptx
Understanding Traditional AI with Custom Vision & MuleSoft.pptxUnderstanding Traditional AI with Custom Vision & MuleSoft.pptx
Understanding Traditional AI with Custom Vision & MuleSoft.pptx
shyamraj55
UiPath Automation Developer Associate Training Series 2025 - Session 1
UiPath Automation Developer Associate Training Series 2025 - Session 1UiPath Automation Developer Associate Training Series 2025 - Session 1
UiPath Automation Developer Associate Training Series 2025 - Session 1
DianaGray10
DealBook of Ukraine: 2025 edition | AVentures Capital
DealBook of Ukraine: 2025 edition | AVentures CapitalDealBook of Ukraine: 2025 edition | AVentures Capital
DealBook of Ukraine: 2025 edition | AVentures Capital
Yevgen Sysoyev
Temporary Compound microscope slide .pptx
Temporary Compound microscope slide .pptxTemporary Compound microscope slide .pptx
Temporary Compound microscope slide .pptx
Samir Sharma
MIND Revenue Release Quarter 4 2024 - Finacial Presentation
MIND Revenue Release Quarter 4 2024 - Finacial PresentationMIND Revenue Release Quarter 4 2024 - Finacial Presentation
MIND Revenue Release Quarter 4 2024 - Finacial Presentation
MIND CTI
Dev Dives: Unlock the future of automation with UiPath Agent Builder
Dev Dives: Unlock the future of automation with UiPath Agent BuilderDev Dives: Unlock the future of automation with UiPath Agent Builder
Dev Dives: Unlock the future of automation with UiPath Agent Builder
UiPathCommunity
Q4 2024 Earnings and Investor Presentation
Q4 2024 Earnings and Investor PresentationQ4 2024 Earnings and Investor Presentation
Q4 2024 Earnings and Investor Presentation
Dropbox
Unlocking DevOps Secuirty :Vault & Keylock
Unlocking DevOps Secuirty :Vault & KeylockUnlocking DevOps Secuirty :Vault & Keylock
Unlocking DevOps Secuirty :Vault & Keylock
HusseinMalikMammadli
Revolutionizing Field Service: How LLMs Are Powering Smarter Knowledge Access...
Revolutionizing Field Service: How LLMs Are Powering Smarter Knowledge Access...Revolutionizing Field Service: How LLMs Are Powering Smarter Knowledge Access...
Revolutionizing Field Service: How LLMs Are Powering Smarter Knowledge Access...
Earley Information Science
2025-02-27 Tech & Play_ Fun, UX, and Community.pdf
2025-02-27 Tech & Play_ Fun, UX, and Community.pdf2025-02-27 Tech & Play_ Fun, UX, and Community.pdf
2025-02-27 Tech & Play_ Fun, UX, and Community.pdf
katalinjordans1
Webinar: LF Energy GEISA: Addressing edge interoperability at the meter
Webinar: LF Energy GEISA: Addressing edge interoperability at the meterWebinar: LF Energy GEISA: Addressing edge interoperability at the meter
Webinar: LF Energy GEISA: Addressing edge interoperability at the meter
DanBrown980551
Agentic AI: The 2025 Next-Gen Automation Guide
Agentic AI: The 2025 Next-Gen Automation GuideAgentic AI: The 2025 Next-Gen Automation Guide
Agentic AI: The 2025 Next-Gen Automation Guide
Thoughtminds
AI in Medical Diagnostics The Future of Healthcare
AI in Medical Diagnostics  The Future of HealthcareAI in Medical Diagnostics  The Future of Healthcare
AI in Medical Diagnostics The Future of Healthcare
Vadim Nareyko
Predictive vs. Preventive Maintenance Which One is Right for Your Factory
Predictive vs. Preventive Maintenance  Which One is Right for Your FactoryPredictive vs. Preventive Maintenance  Which One is Right for Your Factory
Predictive vs. Preventive Maintenance Which One is Right for Your Factory
Diagsense ltd
Caching for Performance Masterclass: The In-Memory Datastore
Caching for Performance Masterclass: The In-Memory DatastoreCaching for Performance Masterclass: The In-Memory Datastore
Caching for Performance Masterclass: The In-Memory Datastore
ScyllaDB
AI Trends and Fun Demos Sothebys Rehoboth Presentation
AI Trends and Fun Demos  Sothebys Rehoboth PresentationAI Trends and Fun Demos  Sothebys Rehoboth Presentation
AI Trends and Fun Demos Sothebys Rehoboth Presentation
Ethan Holland
SECURE BLOCKCHAIN FOR ADMISSION PROCESSING IN EDUCATIONAL INSTITUTIONS.pdf
SECURE BLOCKCHAIN FOR ADMISSION PROCESSING IN EDUCATIONAL INSTITUTIONS.pdfSECURE BLOCKCHAIN FOR ADMISSION PROCESSING IN EDUCATIONAL INSTITUTIONS.pdf
SECURE BLOCKCHAIN FOR ADMISSION PROCESSING IN EDUCATIONAL INSTITUTIONS.pdf
spub1985
UiPath Agentic Automation Capabilities and Opportunities
UiPath Agentic Automation Capabilities and OpportunitiesUiPath Agentic Automation Capabilities and Opportunities
UiPath Agentic Automation Capabilities and Opportunities
DianaGray10
William Maclyn Murphy McRae - A Seasoned Professional Renowned
William Maclyn Murphy McRae - A Seasoned Professional RenownedWilliam Maclyn Murphy McRae - A Seasoned Professional Renowned
William Maclyn Murphy McRae - A Seasoned Professional Renowned
William Maclyn Murphy McRae
DevNexus - Building 10x Development Organizations.pdf
DevNexus - Building 10x Development Organizations.pdfDevNexus - Building 10x Development Organizations.pdf
DevNexus - Building 10x Development Organizations.pdf
Justin Reock
Understanding Traditional AI with Custom Vision & MuleSoft.pptx
Understanding Traditional AI with Custom Vision & MuleSoft.pptxUnderstanding Traditional AI with Custom Vision & MuleSoft.pptx
Understanding Traditional AI with Custom Vision & MuleSoft.pptx
shyamraj55
UiPath Automation Developer Associate Training Series 2025 - Session 1
UiPath Automation Developer Associate Training Series 2025 - Session 1UiPath Automation Developer Associate Training Series 2025 - Session 1
UiPath Automation Developer Associate Training Series 2025 - Session 1
DianaGray10
DealBook of Ukraine: 2025 edition | AVentures Capital
DealBook of Ukraine: 2025 edition | AVentures CapitalDealBook of Ukraine: 2025 edition | AVentures Capital
DealBook of Ukraine: 2025 edition | AVentures Capital
Yevgen Sysoyev
Temporary Compound microscope slide .pptx
Temporary Compound microscope slide .pptxTemporary Compound microscope slide .pptx
Temporary Compound microscope slide .pptx
Samir Sharma
MIND Revenue Release Quarter 4 2024 - Finacial Presentation
MIND Revenue Release Quarter 4 2024 - Finacial PresentationMIND Revenue Release Quarter 4 2024 - Finacial Presentation
MIND Revenue Release Quarter 4 2024 - Finacial Presentation
MIND CTI
Dev Dives: Unlock the future of automation with UiPath Agent Builder
Dev Dives: Unlock the future of automation with UiPath Agent BuilderDev Dives: Unlock the future of automation with UiPath Agent Builder
Dev Dives: Unlock the future of automation with UiPath Agent Builder
UiPathCommunity
Q4 2024 Earnings and Investor Presentation
Q4 2024 Earnings and Investor PresentationQ4 2024 Earnings and Investor Presentation
Q4 2024 Earnings and Investor Presentation
Dropbox
Unlocking DevOps Secuirty :Vault & Keylock
Unlocking DevOps Secuirty :Vault & KeylockUnlocking DevOps Secuirty :Vault & Keylock
Unlocking DevOps Secuirty :Vault & Keylock
HusseinMalikMammadli
Revolutionizing Field Service: How LLMs Are Powering Smarter Knowledge Access...
Revolutionizing Field Service: How LLMs Are Powering Smarter Knowledge Access...Revolutionizing Field Service: How LLMs Are Powering Smarter Knowledge Access...
Revolutionizing Field Service: How LLMs Are Powering Smarter Knowledge Access...
Earley Information Science
2025-02-27 Tech & Play_ Fun, UX, and Community.pdf
2025-02-27 Tech & Play_ Fun, UX, and Community.pdf2025-02-27 Tech & Play_ Fun, UX, and Community.pdf
2025-02-27 Tech & Play_ Fun, UX, and Community.pdf
katalinjordans1
Webinar: LF Energy GEISA: Addressing edge interoperability at the meter
Webinar: LF Energy GEISA: Addressing edge interoperability at the meterWebinar: LF Energy GEISA: Addressing edge interoperability at the meter
Webinar: LF Energy GEISA: Addressing edge interoperability at the meter
DanBrown980551

Magento security 2015 best practices

  • 1. Bargento 2015 Magento Security Best practices 2015 LEADER en INFOGERANCE ECOMMERCE EXPERT en TRES HAUTE SECURITE Grow your business safely WWW.NBS-SYSTEM.COM
  • 2. E-commerce: the 60% rules >60% of web traffic is non-human >60% of attempts to steal databases target e-commerce websites >60% of growth for identity theft over three years A 2012 stufy showed that retailer websites are at risk 328 days/year An IP address is scanned around 40 times per day 2Pr辿sent辿 par Philippe Humeau
  • 3. The triple loot 3Pr辿sent辿 par Philippe Humeau
  • 4. A different time scale 4Pr辿sent辿 par Philippe Humeau T Seconds Minutes Hours Days Weeks Months Years Time between initial attack and compromission Time between compromission and discovery of it
  • 5. A *very* bad year Magento performances Best practices 2015
  • 6. A *very* bad year 6Pr辿sent辿 par Philippe Humeau Shoplift SQL Injection: https://github.com/joren485/Magento-Shoptlift-SQLI Order RSS: http://www.victim.org/rss/order/NEW Magmi : http://www.victim.org/magmi/web/magmi.php SUPEE & Shoplift
  • 7. It all started with a big #fail (Shoplift) 7Pr辿sent辿 par Philippe Humeau A severe SQL Injection allowing to manipulate Magento To create admin users with chosen passwords To leverage any feature from the back office Or simply to write a file or execute code on the server side Shoplift
  • 8. It all started with a big #fail (RSS orders) 8Pr辿sent辿 par Philippe Humeau
  • 9. It all started with a big #fail (Magmi) 9Pr辿sent辿 par Philippe Humeau
  • 10. Other SUrPrEEses 10Pr辿sent辿 par Philippe Humeau SUPEE 6285, 5994 & 1533 Privilege escalation XSS in whishlist & shopping cart Store path disclosure Wrong log permission XSS in the admin section Customer information leak Other SUPEEs
  • 11. Magento cache leak 11Pr辿sent辿 par Philippe Humeau Magentos cache stores sensitive information in www.[site].com/var/resource_config.json If this var directory is browsable, one can recover all your sensitive login/pass connections: To MySQL To payment gateways To various shippers/freighters, etc. Your [site]/var directory should not be accessible
  • 12. But there were others before Magento performances Best practices 2015
  • 13. Did you take care of the previous ones? 13Pr辿sent辿 par Philippe Humeau Session XSS: http://www.victim.org/index.php/admin Username: 束 ><script>alert(xss)</script> 損 Downloader XSS: http://www.victim.org/downloader/?return=%22%3Cs cript%3Ealert(xss)%3C/script%3E Forgot password form XSS: http://www.victim.org/index.php/admin/index/forgotp assword/ Email address: 束 ><script>alert(xss)</script> 損
  • 14. Did you take care of the previous ones?
    - XML-RPC XXE: a POST method allowing to retrieve any file
    - Session XSS: http://www.victim.org/index.php/admin/ with Username: « ><script>alert(xss)</script> »
    - Google dork: inurl:app/etc/local.xml
  • 15. Did you take care of the previous ones?
    The PayPal / Magento integration flaw (by NBS System)
  • 16. NBS System will release a new vulnerability soon
    - We are still working on a fix
    - This vulnerability is « multi vendor »
    - It is, as far as we know, quite widely spread
    - We'll start working with Magento to fix it
    - The flaw directly touches the payment gateway, allowing to spawn a shell on the victim's server
    - It's not unilaterally Magento's responsibility
  • 17. Or even the ones that were not Magento specific?
    Poodle, Heartbleed, Logjam, Shellshock, Venom
  • 18. PHP: two versions behind, really?
    PHP versions in use in our hosting fleet: PHP 5.2 3%, PHP 5.3 51%, PHP 5.4 37%, PHP 5.5 9%
    88% are outdated and not supported anymore: no security fixes (and +12% to 40% performance to gain)
  • 19. Easily exploitable things beyond classic vulnerabilities (section title)
  • 20. When Magento's support is being creative
    Magento's support is giving dangerous advice:
    - « Chmod 777 your document root » *REALLY?*
    - « Magento is not compatible with reverse proxies » *Woot?*
    - « Give me your root password so we can look » *NO KIDDING?*
    - Etc.
    Don't go to a car dealer to fix a bad tooth.
  • 21. Classic mistakes that cost
    - Leaving your logs accessible, especially debug ones
    - Leaving payment gateway logs accessible to all
    - Not hiding which Magento, PHP & Apache versions you use
    - Using unaudited extensions; a lot of them are BAD
    - Using weak passwords, along with no locking policies. It's a plague
  • 22. Application-level DoS attacks
    - Leaving import/export scripts, reindexers, crontabs accessible
    - Trying to call pages that load very slowly
    - Accessing the API directly to import/export
    - Etc.
  • 23. Securing Magento flaws (section title)
  • 24. Securing Magento flaws
    - Update to CE versions > 1.9 or EE versions > 1.14.1
    - Use PHP 5.6
    - Shoplift, Magmi, XML-RPC XXE: filter the access with a .htaccess file (or an NGINX rule)
  • 25. Securing recent flaws
    Example with Magmi (using Apache):
      # Send any client that is not the allowed IP away from /magmi (and /index.php/magmi)
      RewriteCond %{REQUEST_URI} ^/(index.php/)?magmi/ [NC]
      RewriteCond %{REMOTE_ADDR} !^192\.168\.0\.1$
      RewriteRule ^(.*)$ http://%{HTTP_HOST}/ [R=302,L]
    Example with Magmi (using NGINX):
      # Only the allowed IP may reach /magmi; PHP files inside it still go through FastCGI
      # (add the same fastcgi_pass as in the rest of the vhost)
      location ~* ^/(index.php/)?magmi {
          allow 192.168.0.1;
          deny all;
          location ~* \.php$ {
              include fastcgi_params;
          }
      }
  • 26. Protect your back office & updater
    Example using Apache:
      # Let in either a valid htpasswd user or a trusted IP (Satisfy any);
      # replace /wp-admin with your Magento back office path.
      # "Deny from all" is required: with "Order deny,allow" and no Deny line,
      # every client is allowed and the password prompt never appears.
      <Location /wp-admin>
          AuthType Basic
          AuthName "Restricted Area"
          AuthUserFile /etc/apache2/access/htpasswd
          Require valid-user
          Order deny,allow
          Deny from all
          Allow from [MY_IP]
          Satisfy any
      </Location>
    Then, just add the user:
      htpasswd -c /etc/apache2/access/htpasswd [user]
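    Once the Apache or NGINX rules from the previous two slides are in place, the only proof that they work is a request from the outside. The script below is an added example, not part of the deck or of any NBS System tooling: it probes the sensitive paths the talk names (Magmi, the downloader, the order RSS feed, var/resource_config.json, the logs and app/etc/local.xml) against your own shop and flags any path that still answers with something other than a denial or a redirect. The base URL http://shop.example is a placeholder; pass your real store URL as the first argument.

```shell
#!/bin/sh
# Added example (not from the Bargento deck): check from the outside that the
# sensitive Magento paths listed in the talk are no longer reachable once the
# Apache/NGINX filtering rules are deployed.
# Usage: sh magento_exposure_check.sh http://shop.example   (placeholder URL)

# Paths that must never answer 200 to an anonymous client.
SENSITIVE_PATHS="
/magmi/web/magmi.php
/index.php/magmi/web/magmi.php
/downloader/
/rss/order/NEW
/var/resource_config.json
/var/log/
/app/etc/local.xml
"

# Return the HTTP status code of a URL. Kept in its own function so it can be
# replaced by a stub when the script is exercised without network access.
fetch_status() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$1"
}

# A path is considered protected when the server denies it (401/403/404) or
# redirects away from it (301/302, what the slide's RewriteRule produces).
# Anything else, including curl's "000" on connection failure, is reported so
# that a human looks at it.
is_exposed() {
    case "$1" in
        401|403|404|301|302) return 1 ;;
        *) return 0 ;;
    esac
}

# Probe every sensitive path under a base URL, print one line per path and
# return the number of exposed paths as the exit status (0 means all clean).
check_exposure() {
    base="${1%/}"
    exposed=0
    for p in $SENSITIVE_PATHS; do
        code=$(fetch_status "$base$p")
        if is_exposed "$code"; then
            echo "EXPOSED $code $base$p"
            exposed=$((exposed + 1))
        else
            echo "ok      $code $base$p"
        fi
    done
    return $exposed
}

if [ -n "$1" ]; then
    check_exposure "$1"
fi
```

    Run it before and after deploying the rules; a non-zero exit status is a convenient signal for a deployment pipeline. A 200 on /var/log/ or /var/resource_config.json means directory browsing or the var directory itself is still reachable, which is the cache leak from slide 11.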
  • 27. Leveraging native Magento security
    - Use HTTPS in your back office & order tunnel accesses
    - Change your back office default URL
    - Do *NOT* use a weak password (no, « tommy4242 » is not safe)
    - Put limits on the number of failed login attempts
    - Put a password expiration time and change it every 3 months
    - Enforce the use of case-sensitive passwords
    - Disable email password recovery
  • 28. Securing web applications (section title)
  • 29. Organizational security
    - Get a security review
    - Keep track of vulnerabilities in the Magento ecosystem
    - Have serious passwords, change them every 3 months
    - Do not keep information unless it is needed
    - Pick a PCI DSS certified hosting company
    - Use 3-D Secure
    - Keep up-to-date versions of Magento & PHP
  • 30. Infrastructure security
    - Keep a daily backup
    - Use a WAF. NAXSI is open-source, free and stable
    - Put rate limits on your reverse proxies
    - Filter your outgoing traffic
    It's the job of your managed services provider
  • 31. Host-level security
    - Change your back office default URL
    - Disable directory indexing
    - Set up correct permissions: file=644, directory=755
    - No follow, no index on your preproduction environment
    - Use the best practices mentioned before
    It's the job of your managed services provider
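    Most of the host-level checklist above can be verified on disk. The script below is an added example, not from the deck or from NBS System: it audits a Magento document root for files and directories that deviate from 644/755, for world-writable paths (what the « chmod 777 your document root » advice from slide 20 leaves behind), for an Apache .htaccess that switches directory indexing off, and for a preproduction robots.txt that forbids crawling. The document root path is a placeholder passed as the first argument; var/ and media/ must stay writable by the web server user, which is a matter of ownership, not of 777, so the 644/755 rule still holds there.

```shell
#!/bin/sh
# Added example (not from the Bargento deck): host-level audit of a Magento
# document root for the items on the "Host-level security" slide.
# Usage: sh magento_host_audit.sh /var/www/magento   (placeholder path)

# Files whose mode is not 644 and directories whose mode is not 755.
find_bad_perms() {
    find "$1" \( -type f ! -perm 644 \) -o \( -type d ! -perm 755 \)
}

# Number of such entries, printed as a plain integer.
count_bad_perms() {
    find_bad_perms "$1" | wc -l | tr -d ' '
}

# Entries writable by everyone (mode bit 002 set), the residue of "chmod 777".
find_world_writable() {
    find "$1" -perm -002
}

count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# A preproduction robots.txt should refuse all crawlers ("no follow, no index").
# Returns 0 when the file contains a "Disallow: /" rule, 1 otherwise.
preprod_robots_ok() {
    [ -f "$1" ] && grep -qi '^Disallow:[[:space:]]*/[[:space:]]*$' "$1"
}

# Directory indexing disabled in an Apache .htaccess ("Options -Indexes").
# Returns 0 when such a directive is present, 1 otherwise.
htaccess_disables_indexing() {
    [ -f "$1" ] && grep -qiE '^[[:space:]]*Options[[:space:]].*-Indexes' "$1"
}

# Run every check against one document root and print a short report.
audit_docroot() {
    root="${1%/}"
    echo "== entries with wrong permissions (expected file=644, directory=755) =="
    find_bad_perms "$root"
    echo "== world-writable entries =="
    find_world_writable "$root"
    if htaccess_disables_indexing "$root/.htaccess"; then
        echo "directory indexing: disabled in .htaccess"
    else
        echo "directory indexing: NOT disabled in .htaccess (check your NGINX autoindex setting instead if you do not use Apache)"
    fi
    if preprod_robots_ok "$root/robots.txt"; then
        echo "robots.txt: forbids crawling (expected on preproduction)"
    else
        echo "robots.txt: does not forbid crawling (expected on production only)"
    fi
}

if [ -n "$1" ]; then
    audit_docroot "$1"
fi
```

    The two find commands print the offending paths, so the fix is a targeted chmod rather than a blanket one; the report lines for indexing and robots.txt are informational, since their correct state depends on whether the host is production or preproduction.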
  • 32. High end security (section title)
  • 34. Contact NBS System
    Address: 8 rue Bernard Buffet, Immeuble Le Cardinet, 5th floor, 75017 Paris
    Mail: contact@nbs-system.com
    Phone: +33.1.58.56.60.80
    Technical support: +33.1.58.56.60.88
    Fax: +33.1.58.56.60.81
    Workshop presented on 13 October 2015 at Bargento 2015 by Philippe Humeau