
Andrea Zwirner - Magento security and hardening strategies


Mar 2, 2017, Meet Magento 2017, Milan

Andrea Zwirner – Linkspirit

Magento security and hardening strategies

Andrea Zwirner

[email protected]

@AndreaZwirner

Information security

Environment

● Linux, Apache, MariaDB, PHP

● Magento 1.9.x.y

– We will be as platform independent as possible

Magento average security

● Magento is a good product, and security is never underestimated

– Fast security patches for both the 1.9.x and 2.x versions

– URL protection (via the addition of secret keys)

– Session validation (against session poisoning, hijacking and fixation attacks)

– CSRF protection

– CAPTCHA for admin login (against brute force)

Magento average security

● Sensitive data (cards, integration passwords) are encrypted with an additional encryption key

● There is also a lot of documentation on security and hardening

Magento average security

● Anyway, the team is doing a great job!

● But it might all be useless if…

A secure platform in an insecure world

Hardware

Operating System

Libraries

Application

Services

Full of unprepared users...

Hardware

Operating System

Libraries

Application

User

Services

Backend security

● Workstations that work with the backend need to be hardened

● The same applies to the environment in which the workstations work

– And to the environments it is connected to, including suppliers, clients, etc.

● Users need to be made aware of the risks they might expose the application to

What’s the strategy?

Never underestimate the importance of end users

“Ensuring cybersecurity is a common responsibility. End users play a crucial role in ensuring the security of networks and information systems: they need to be made aware of the risks they face online and be empowered to take simple steps to guard against them.”

Cybersecurity Strategy of the European Union, European Commission, Feb 2013

Ok, let’s start!

Enumeration is the key

● If you want to crack it, you need to know it

● The quieter you become, the more you’re able to hear

● You can’t just try every single weapon you have in your armory

● That would alarm any kind of IPS at any level

Enumeration – /magento_version

Enumeration – /downloader

Enumeration – static files 1

● /skin/frontend/default/default/css/styles.css

Enumeration – static files 2

Enumeration in web application scanners

It’s attack time!

● We have to make a couple of assumptions

– A vulnerable Magento version (1.9.1.0 CE or 1.14.1.0 EE)

– Not patched with SUPEE-5344

– It means RCE… Uh ohhh…

It’s attack time!

● backdoor.tgz adds backdoor.php (a meterpreter reverse shell) in /errors

It’s attack time!

● Misconfigurations

– Downloader is exposed and unprotected

– File system permissions have not been reset (maybe after the last extension install)

TCP reverse shell

Getting DB credentials

DB dump!

Passwords

● Stored as md5 or sha-256(salt + password) followed by the salt (hash:salt); no bcrypt, scrypt or pbkdf2 :-(
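As an added example (not from the slides), a Python sketch of the legacy hash:salt format described above beside a rehash-on-login upgrade to PBKDF2; the PBKDF2 record encoding and iteration count are my assumptions, not anything Magento defines.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000  # assumption: a modern work factor, tune per server

def legacy_hash(password: str, salt: str, algo: str = "md5") -> str:
    """Legacy format from the slide: hex(md5|sha256(salt + password)) ':' salt."""
    digest = hashlib.new(algo, (salt + password).encode()).hexdigest()
    return f"{digest}:{salt}"

def verify_legacy(password: str, stored: str) -> bool:
    """Verify hash:salt; the digest length tells md5 (32 hex) from sha-256 (64 hex)."""
    digest, _, salt = stored.partition(":")
    algo = {32: "md5", 64: "sha256"}.get(len(digest))
    if algo is None:
        return False
    expected = hashlib.new(algo, (salt + password).encode()).hexdigest()
    return hmac.compare_digest(expected, digest)

def pbkdf2_hash(password: str, salt: bytes = b"") -> str:
    """Slow, salted replacement (assumed encoding): pbkdf2$iters$salt_hex$dk_hex."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_pbkdf2(password: str, stored: str) -> bool:
    scheme, iters, salt_hex, dk_hex = stored.split("$")
    if scheme != "pbkdf2":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

def login_and_upgrade(password: str, stored: str) -> tuple:
    """Rehash-on-login: accept a legacy hash once, then hand back the PBKDF2 form
    to store. Returns (authenticated, hash_to_store)."""
    if stored.startswith("pbkdf2$"):
        return verify_pbkdf2(password, stored), stored
    if verify_legacy(password, stored):
        return True, pbkdf2_hash(password)
    return False, stored

# Constructed sample: one legacy md5 record as the slide describes, then a login
SAMPLE_LEGACY = legacy_hash("Secret123", "ab")

if __name__ == "__main__":
    ok, new_record = login_and_upgrade("Secret123", SAMPLE_LEGACY)
    print(ok, new_record.split("$")[0])  # True pbkdf2
```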

Let’s crack them, with hashcat!

Option two: frontend malware (common!)

And your card number is?

Why does all this stuff work?

● Using vulnerable components (at any level of the stack)

– It doesn’t matter which Magento version you use, it has to be (quickly) patched!

● Misconfigurations

– Whoever works inside the environment has to know (well) what they are doing!

So, let’s harden it – basic

● Monitor issues for every single component of the stack, and patch accordingly

● Restrict access to administrative functions to specific IP addresses

● Hide sensitive URLs (admin / downloader / extensions) behind custom URLs

● Block access to development / staging / test environments

So, let’s harden it – mid

● Run Magento inside a dedicated environment

● Always apply the principle of least privilege

● Automate the deployment process

– Extensions should not be installed in production

– Implement automated checks (unit tests, static code analysis, etc.)

● Audit the user list and enable two-factor authentication (Nexcess, miniOrange, etc.)

So, let’s harden it – advanced

● Check Admin Action Logs and compare them with policies / timing / etc.

● Check file integrity (compare production with a clean version, mtimes, etc.)

● Monitor all system logins and compare them with policies / timing / etc.

● Choose extensions accordingly (e.g. ASVS compliance / code review / pen-test)

– If possible, avoid using extensions with upload functions

So, let’s harden it – advanced

● Monitor for common malicious functions or code

– curl(, FILE_APPEND, file_put_, fwrite, http.open, http.send, mail, <script, etc.

● Monitor for files bigger than 2-3 MB

– They can contain stolen data to be sent to the attacker

● Monitor for common backdoor code

– A lot: base64, exec, wget, system, move_uploaded_file, encodeURI, etc.
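As an added example (not from the slides) covering the file-integrity check of the previous slide and the indicator and file-size monitoring of this one: a Python scan that diffs production against a clean sha256 manifest and only then looks for the listed tokens in new or changed files. The file trees and their contents are constructed, not real Magento files.

```python
import hashlib

# Indicators listed on the slides; substring matching is noisy, so tokens are only
# reported for files that are new or changed relative to the clean manifest.
TOKENS = ("curl(", "FILE_APPEND", "file_put_", "fwrite", "http.open", "http.send",
          "mail(", "<script", "base64", "exec", "wget", "system",
          "move_uploaded_file", "encodeURI")
SIZE_LIMIT = 2 * 1024 * 1024  # slide: files bigger than 2-3 MB deserve a look

def manifest(files: dict) -> dict:
    """path -> sha256 of content: the 'clean version' to compare production against."""
    return {p: hashlib.sha256(c).hexdigest() for p, c in files.items()}

def changed_paths(clean: dict, prod: dict) -> dict:
    """Classify production paths as added / modified / removed versus the clean manifest."""
    return {
        "added": sorted(p for p in prod if p not in clean),
        "modified": sorted(p for p in prod if p in clean and prod[p] != clean[p]),
        "removed": sorted(p for p in clean if p not in prod),
    }

def scan(clean_files: dict, prod_files: dict) -> list:
    """Return (path, reason) findings: changed files (with any indicator tokens they
    contain), files missing from production, and oversize files."""
    diff = changed_paths(manifest(clean_files), manifest(prod_files))
    findings = []
    for path in diff["added"] + diff["modified"]:
        text = prod_files[path].decode("utf-8", errors="ignore")
        hits = [t for t in TOKENS if t in text]
        findings.append((path, "changed" + (f", tokens: {hits}" if hits else "")))
    for path in diff["removed"]:
        findings.append((path, "missing in production"))
    for path, content in prod_files.items():
        if len(content) > SIZE_LIMIT:
            findings.append((path, f"size {len(content)} bytes > {SIZE_LIMIT}"))
    return findings

# Constructed sample trees: a clean release and the production copy of it
CLEAN = {
    "index.php": b"<?php require 'app/Mage.php'; Mage::run();",
    "skin/frontend/default/default/css/styles.css": b"body { margin: 0 }",
}
PROD = dict(CLEAN)
PROD["index.php"] = CLEAN["index.php"] + b" /* constructed: unexpected edit */"
PROD["errors/backdoor.php"] = b"<?php /* constructed: indicator strings only */ base64 system move_uploaded_file"
PROD["media/export.tgz"] = bytes(3 * 1024 * 1024)  # constructed oversize archive

if __name__ == "__main__":
    for path, reason in scan(CLEAN, PROD):
        print(path, "->", reason)
```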

So, let’s harden it – advanced

● Do anything you can to make enumeration harder

– Remove service banners

– Remove metadata

– Remove/change static files

● *_version, README, etc.

● *css, *js

A common attack: brute force

Intrusion Prevention

● Should we just wait for the attacker to guess the password?

● Intrusion Prevention Systems

– Policy verification through log analysis

● Web application firewalls

– Configuration (platform dependent)

– Review (at least on application changes)
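As an added example (not from the slides) of the "policy verification through log analysis" idea against the brute-force case: a Python sliding-window count of POSTs to the admin login per source IP over constructed Apache access-log lines. The default admin path, the 60-second window and the threshold of 10 are assumptions to tune per store.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache combined log format; the admin login path is assumed to be the default
# /index.php/admin (a hardened store will have renamed it).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
ADMIN_LOGIN = "/index.php/admin"

def parse(line: str):
    """Return (ip, timestamp, method, path, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])

def login_bursts(lines, window=timedelta(seconds=60), threshold=10) -> dict:
    """IPs that POST to the admin login `threshold` or more times within `window`.
    Lines are assumed chronological per IP. Returns {ip: peak count in any window};
    blocking or alerting on the result is the policy decision left to the caller."""
    recent = defaultdict(deque)
    peaks = {}
    for line in lines:
        rec = parse(line)
        if not rec:
            continue
        ip, ts, method, path, _status = rec
        if method != "POST" or not path.startswith(ADMIN_LOGIN):
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks

def make_line(ip, second, method="POST", path="/index.php/admin/", status=200):
    """Build one constructed combined-format log line (documentation IP ranges)."""
    return (f'{ip} - - [02/Mar/2017:10:00:{second:02d} +0100] '
            f'"{method} {path} HTTP/1.1" {status} 1024 "-" "Mozilla/5.0"')

# Constructed sample log: one IP hammering the login every 3 s, one normal admin
SAMPLE_LOG = ([make_line("203.0.113.7", s) for s in range(0, 36, 3)]
              + [make_line("198.51.100.5", 5), make_line("198.51.100.5", 50)]
              + [make_line("198.51.100.5", 20, method="GET")])

if __name__ == "__main__":
    print(login_bursts(SAMPLE_LOG))  # {'203.0.113.7': 12}
```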

Know your enemy

● Should we just wait for the attacker to find the right path?

● Attack information must be collected and analyzed

● You have to understand who the attacker is and what their goal is

And then… Shit happens!

● Make sure your governance level is granular enough to understand what’s happening

● You have to know what the system is doing, not just that it is “working”

● And if everything has been fucked up, the keywords are

– Backup

– Restore

– Disaster recovery plan
