Andreas von Studnitz - Security in Magento Shops
Transcript of Andreas von Studnitz - Security in Magento Shops
[Page 1]
[Page 2]
What could possibly go wrong?
Security in Magento Shops
Andreas von Studnitz
• integer_net (Aken / Germany)
• Consultant / Developer / Trainer / CEO
• Specialist for Magento and Solr
• @avstudnitz
[Page 3]
Real Life Example
• One line of code added
• Reads all requests in admin and checkout areas
• Encodes and stores data in media/cache_6e0a32[…]d53ee065da
[Page 4]
Real Life Example
• Active for 6 months!
• 5,628 datasets (email address, name, telephone)
• 1,612 passwords
• All admin usernames and passwords
[Page 5]
Overview
Consequences of Attacks
Types of Attack
Prevention
[Page 6]
What can possibly go wrong?
Consequences of Attacks
[Page 7]
www.ibm.com/security/data-breach/
[Page 8]
Stolen User Data
Consequences
[Page 9]
Stolen Login Data
Consequences
[Page 10]
Stolen Payment Data
Consequences
[Page 11]
This guy lost more than $50,000 in a data breach
[Page 12]
Server Attacks
Consequences
[Page 13]
[Page 14]
[Page 15]
How can this happen with Magento?
Vulnerabilities
[Page 16]
Magento Unpatched
• Neither installed the latest version
• Nor applied important security patches
• (Insecure PHP version)
Vulnerability
[Page 17]
Example: Shoplift Bug
(patched February 2015)
Vulnerability
[Page 18]
Magento shops vulnerable to Shoplift: 50,581 (out of 255,558)
Source: byte.nl, April 2016
Vulnerability
[Page 19]
Weakly secured Admin Area
• http://magento.site/admin/
• http://magento.site/downloader/
• Username “admin”
• Low security passwords
Vulnerability
[Page 20]
What can an Attacker do with Admin Access? (1)
1. Log in
2. Upload a custom extension in the Magento Connect Manager (downloader)
Vulnerability
[Page 21]
What can an Attacker do with Admin Access? (2)
1. Log in
2. Inject custom JavaScript in System => Configuration
Vulnerability
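The injection path on this slide is a configuration value, not a file, so a file-integrity check will not see it. The following added example (mine, not from the talk) queries core_config_data for the two Magento 1 settings that render raw HTML into every storefront page and reports every script tag that is inline or loads from a host outside an allowlist; the table name and config paths are Magento 1's, while the allowlist and the sample rows are constructed.

```python
import re
import sqlite3
from urllib.parse import urlparse

# Magento 1 config paths rendered unescaped into every storefront page: design/head/includes
# ("Miscellaneous Scripts") and design/footer/absolute_footer ("Miscellaneous HTML").
HTML_CONFIG_PATHS = ("design/head/includes", "design/footer/absolute_footer")
# Hosts this shop legitimately loads scripts from (constructed allowlist, adjust per shop).
ALLOWED_SCRIPT_HOSTS = {"www.googletagmanager.com"}
SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
SCRIPT_SRC = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)

def find_suspicious_scripts(rows):
    """rows: (scope, scope_id, path, value) tuples from core_config_data.
    One finding per <script> tag that is inline or loads from a non-allowlisted host."""
    findings = []
    for scope, scope_id, path, value in rows:
        for tag in SCRIPT_TAG.finditer(value or ""):
            src = SCRIPT_SRC.search(tag.group(1))
            host = urlparse(src.group(1)).netloc.lower() if src else ""
            if src is None:
                reason = "inline script"
            elif host and host not in ALLOWED_SCRIPT_HOSTS:
                reason = "external script from " + host
            else:
                continue  # allowlisted host or same-origin path
            findings.append({"scope": f"{scope}:{scope_id}", "path": path, "reason": reason})
    return findings

def load_rows(conn):
    """Fetch the raw-HTML config rows; the same query works on the shop's MySQL database."""
    marks = ",".join("?" * len(HTML_CONFIG_PATHS))
    sql = ("SELECT scope, scope_id, path, value FROM core_config_data "
           f"WHERE path IN ({marks}) ORDER BY path, scope, scope_id")
    return conn.execute(sql, HTML_CONFIG_PATHS).fetchall()

def demo():
    """Constructed core_config_data: one legitimate tag-manager entry, two injected scripts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE core_config_data (scope TEXT, scope_id INTEGER, path TEXT, value TEXT)")
    conn.executemany("INSERT INTO core_config_data VALUES (?, ?, ?, ?)", [
        ("default", 0, "design/head/includes",
         '<script src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXX"></script>'),
        ("stores", 2, "design/head/includes",
         '<script src="//cdn.example.invalid/s.js"></script>'),  # constructed: store-view scope
        ("default", 0, "design/footer/absolute_footer",
         '<script type="text/javascript">var s = 1;</script>'),  # constructed: inline
    ])
    return find_suspicious_scripts(load_rows(conn))
```

Run it against the live database by swapping the sqlite3 connection for a MySQL one; the store-view scope in the second row matters, because an entry set on a single store view does not show in the default-scope configuration screen.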
[Page 22]
Vulnerability
[Page 23]
Security issues in extensions
• Custom or purchased extensions
• SQL Injection, XSS, …
• Backdoors
• Installation service
Vulnerability
[Page 24]
How can I prevent Attacks?
[Page 25]
1. Follow basic Guidelines
• Update Magento and PHP
• Secure the admin area
• Subscribe to the security mailing list
Prevention
[Page 26]
2. Check your Site
Prevention
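The incident on pages 3 and 4 came down to one added line in a core file and one unexpected data file under media/, and both are exactly what a hash comparison against a known-good baseline of the code tree surfaces. This is an added example, not code from the talk: it records a SHA-256 manifest, skips runtime paths that change legitimately (a constructed list: var/ and media/catalog), and reports what differs from the stored baseline; the demo() scenario, the core file name and the dropped file name are constructed.

```python
import hashlib
import os
import tempfile

# Paths (relative to the Magento root) that change in normal operation; constructed list.
SKIP_PREFIXES = ("var", "media/catalog")

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def build_manifest(root):
    """Map every file under root (relative path, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        if any(rel_dir == p or rel_dir.startswith(p + "/") for p in SKIP_PREFIXES):
            dirnames[:] = []  # do not descend into runtime directories
            continue
        for name in filenames:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return manifest

def diff_manifests(baseline, current):
    """Files added, removed or modified compared with the known-good baseline."""
    base, cur = set(baseline), set(current)
    return {
        "added": sorted(cur - base),
        "removed": sorted(base - cur),
        "modified": sorted(p for p in base & cur if baseline[p] != current[p]),
    }

def demo():
    """Constructed scenario: baseline taken, then one line appended to a core file
    and an unexpected data file dropped under media/, as in the talk's incident."""
    core = "app/code/core/Mage/Core/Controller/Front/Action.php"
    with tempfile.TemporaryDirectory() as root:
        def write(rel, text, mode="w"):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, mode) as f:
                f.write(text)
        write(core, "<?php\nclass Mage_Core_Controller_Front_Action {}\n")
        write("var/cache/mage--1", "volatile")
        baseline = build_manifest(root)  # in practice: stored off-host right after deployment
        write(core, "// one line added\n", "a")
        write("media/cache_deadbeef0123", "encoded request data")  # constructed file name
        write("var/cache/mage--1", "changed")  # runtime noise, must not be reported
        return diff_manifests(baseline, build_manifest(root))
```

Keep the baseline manifest somewhere the web server cannot write to, and regenerate it only as part of a deployment; a diff that is non-empty between deployments is a finding, not noise.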
[Page 27]
3. Do security reviews
Severe security issues found in more than 50% of my reviews
Prevention