
Protecting your Magento store from Scripting attacks

by Sharon James

Ecommerce is perhaps the fastest-growing business channel, and one of the most competitive ones too.

But along with the growth opportunities there has been a proportionate rise in security issues affecting both ecommerce stores and their visitors.

Consider this:

  • In the past 6 months alone, over 7,300 Magento stores have been attacked and rendered dangerous for anyone visiting them.
  • Attacks continue at about 50 to 60 every day, which is about 1500 to 1800 every month.
  • Meanwhile, one in five small retail businesses falls prey to credit card fraud.

That’s not all. Let’s take a detailed look at ecommerce security issues.

What are the risks associated with ecommerce stores?

In a broad sense, all ecommerce sites have to battle the following online risks:

  1. Incorrect Authentication: Is the visitor really who she claims to be? Attackers steal identities, so this becomes a major headache.
  2. Insufficient Privacy Protection: How do you keep confidential information from falling into the wrong hands? Confidentiality becomes a tricky business because all attacks ultimately seek to crack open private information and misuse it.
  3. Improper Authorization: Is the visitor authorized to carry out the activities she is engaged in? Every ecommerce store is keen to make sure visitors aren’t doing anything unauthorized, because corrections are costly.
  4. Crippling of Service: Can the attacker completely stop the ecommerce store from functioning? Unless the store has taken the right steps, denial-of-service attacks are real and entirely possible.
  5. Smurf Attacks: How much load can the system handle? Malicious load intended only to slow down or crash the system by using up all the bandwidth is a major challenge.
  6. Phishing Attacks: How does a store make sure attackers don’t masquerade as the genuine site? Phishing attacks trap visitors into believing they are visiting a genuine site, whereas in reality it is a fake site made to look like the original one, and thereby collect vital personal information.
  7. Scripting Attacks: How does a system tackle malicious script attacks? Injected script is a relatively unsophisticated but potentially very dangerous way of attacking sites and/or their visitors and stealing vital information.

So, let’s dive a little deeper and understand this type of attack and how you can save your store.

OK, so what are Cross-Site Scripting attacks all about?

Cross-Site Scripting attacks, often shortened to XSS attacks, are cyber-attacks where an unauthorized, malicious script is injected into another user’s session. The paradox is that the attack itself isn’t highly sophisticated, yet it can hugely compromise security and potentially lead to identity theft.

A typical way an XSS attack is carried out:

An attacker adds a couple of lines of JavaScript code to a web application. This code then flows into the browser of a user who trusts the website she’s visiting and has no idea of the associated risk. After that, the attacker has access to the cookies associated with the website.

As a result, sensitive information from the cookies is now easily available to the attacker.

One of the most common security threats, XSS is notorious and belongs to the OWASP Top 10; Akamai reported that 8% of all web attacks originate from XSS.

These attacks are directed at site visitors. As a result, online stores are naturally vulnerable to such attacks if they haven’t taken adequate steps to fortify their security for their visitors. There are many variations of the cross-site scripting attacks, but the underlying theme remains the same.

What kind of damage can XSS do?

XSS can be lethal because there are quite a few harmful things it can do. Here are the three major damages:

  1. Cookie theft: User information stored inside cookies can be stolen.
  2. Mala fide redirecting: Using window.location, you may be redirected to phishing sites. These sites masquerade as genuine ones and trick visitors into divulging confidential information.
  3. Reading up: XSS may be able to read the referring URL. The next step is to expose your name and form key from the document.

What are the types of XSS?

Most commonly, you see two kinds of XSS vulnerabilities:

1. Reflected XSS vulnerability

This is how it happens: a user makes a request to a website (in reality, the attacker has convinced the user to click a malicious URL). In response to that request, the server fails to send a safe response to the user’s browser. The user is thus tricked into following a URL that injects the malicious code.

Next, the attacker proceeds by sending an email, a message or even a link that actually comes from a third-party website. Consequently, the attacker might succeed in stealing the user’s personal details. This can be done by altering the login function so that it sends the username and password details to the attacker.

Alternatively, the attacker can introduce fake content into the website the user is visiting.

2. Stored XSS vulnerability:

Here, the attacker uses a different tactic. While in reflected XSS the attacker targets the user, in stored XSS the attacker places the malicious code in the application itself.

That means the attacker does not have to find users every time. The malicious code sits in the application itself and hooks on to every unsuspecting visitor browsing the website.

Stored XSS can become very dangerous, especially on busy websites. That’s because with more visitors, the malicious code gets distributed faster. That means both the range and the size of the damage can be substantially higher.

Sometimes a third type is mentioned too: Document Object Model or DOM XSS. The most dangerous part of DOM XSS is that it renders firewalls almost powerless. That’s because DOM XSS attacks do not need to interact with the web server at all and instead exploit vulnerabilities in how the page modifies its dynamic content.

How to protect your Magento store against XSS attacks

Now that you’ve understood XSS attacks and the kind of damage they can do, it’s time to understand how you can protect your online store from XSS attacks.

Here are three ways to protect your website from XSS attacks:

1. Escaping:

Probably the most obvious method to protect your Magento store from XSS vulnerabilities in your web applications is simply escaping any potentially dangerous input from the user. You take the data your web application has received from the user, but instead of pushing it straight through, you ensure it’s secure. Only after your checks give you a green signal is the data rendered for the end user.

Technically, it boils down to hard censoring: look at every incoming line with suspicion. That way, key characters are stopped from being used in any malicious way.

Maybe your web page is a form or a blog that allows users to add rich text. In that case, you can escape all HTML completely by using a replacement format for HTML, something lightweight like Creole, Markdown or Pendown. Alternatively, you can choose which HTML entities you’d like to accept and which ones you’d escape.

In some cases, your webpage may not need to allow users to add their own code to the page at all. The next step is easy: just drop all JavaScript and HTML, and even any URLs, coming from the user end.
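As an added example (not code from the original post or from Magento itself), the standalone PHP helpers below apply escaping per output context, which is the point the section makes: the same untrusted value needs different treatment in HTML text, in an attribute, in a URL and inside a script. They mirror what Magento 2 templates expose as $block->escapeHtml(), $block->escapeHtmlAttr(), $block->escapeUrl() and $block->escapeJs(); the customer name and profile link are constructed sample input.

```php
<?php
declare(strict_types=1);

// Added example: standalone context-aware escaping helpers, not Magento's own code.
// In a Magento 2 template the equivalent calls are $block->escapeHtml(),
// $block->escapeHtmlAttr(), $block->escapeUrl() and $block->escapeJs().

// HTML body and quoted-attribute contexts: encode & < > " ' so the browser
// displays the characters instead of parsing them as markup.
function escapeHtml(string $data): string
{
    return htmlspecialchars($data, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// URL context (href/src): entity encoding alone is not enough, because a
// "javascript:" value is perfectly valid inside a quoted attribute. Refuse
// script-capable schemes outright, then entity-encode the rest.
function escapeUrl(string $url): string
{
    $scheme = parse_url(trim($url), PHP_URL_SCHEME);
    if ($scheme === false || in_array(strtolower((string) $scheme), ['javascript', 'data', 'vbscript'], true)) {
        return '#';   // neutralise the link target entirely
    }
    return escapeHtml($url);
}

// JavaScript string context: \uXXXX-encode every character outside [A-Za-z0-9,._]
// so quotes, backslashes and "</script>" can never break out of the string literal.
function escapeJs(string $data): string
{
    return preg_replace_callback('/[^a-zA-Z0-9,._]/u', function (array $m): string {
        // UTF-16BE gives exactly 4 hex digits per code unit, surrogate pairs included.
        $hex = strtoupper(bin2hex(mb_convert_encoding($m[0], 'UTF-16BE', 'UTF-8')));
        return '\\u' . implode('\\u', str_split($hex, 4));
    }, $data);
}

// Renders one untrusted value into four different output contexts.
function renderGreeting(string $name, string $profileUrl): string
{
    return '<p>Hello, ' . escapeHtml($name) . '</p>' . "\n"
        . '<input name="customer" value="' . escapeHtml($name) . '">' . "\n"
        . '<a href="' . escapeUrl($profileUrl) . '">Profile</a>' . "\n"
        . '<script>var customer = "' . escapeJs($name) . '";</script>';
}

// Constructed sample input: a stored customer name that tries to close the
// attribute and open a script tag, and a profile link using the javascript: scheme.
$name = '"><script>alert(1)</script>';
$profileUrl = 'javascript:alert(1)';
echo renderGreeting($name, $profileUrl), "\n";
```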

2. Validating

Validating every input is the second thing you could do to protect your store from cross-site scripting attacks.

In some ways, input validation is setting the default status to ‘suspicious’ for every piece of data originating outside your system. In other words, if there’s any data or string over which you have little or no control because it comes from a third-party source, you allow it in only after due diligence. Ensure that the application renders only correct data coming from elsewhere.

Additionally, input validation is effective in preventing XSS in forms. That’s because with validation, you can also prevent users from adding special characters to the fields. If the user tries to use special characters, your system rejects the request.
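The following is an added example (not the post's or Magento's code) of the reject-on-mismatch validation described above: each field of a posted checkout form is checked against an allow-list pattern describing what a legitimate value looks like, so special characters never get in, and a request with any failing field is rejected rather than cleaned. The field names and patterns are illustrative assumptions, and both requests are constructed samples.

```php
<?php
declare(strict_types=1);

// Added example, not Magento's own code: allow-list validation of the fields a
// checkout form posts. Anything that does not match is rejected outright rather
// than "cleaned", which is what keeps < > " ' and friends out of the store's data.

// Per-field rules: a regex describing what a legitimate value looks like.
// Field names and patterns are illustrative assumptions, not Magento constants.
const FIELD_RULES = [
    'firstname' => '/^[\p{L}\p{M}\' .-]{1,50}$/u',   // letters, space, apostrophe, dot, hyphen
    'telephone' => '/^\+?[0-9 ()-]{6,20}$/',
    'postcode'  => '/^[A-Za-z0-9 -]{3,10}$/',
    'qty'       => '/^[1-9][0-9]{0,3}$/',             // 1..9999, no signs, no decimals
];

/**
 * Returns an empty array when every expected field is present and well-formed,
 * otherwise a list of "field: reason" messages; the caller rejects the request.
 */
function validateCheckoutInput(array $input): array
{
    $errors = [];
    foreach (FIELD_RULES as $field => $pattern) {
        if (!isset($input[$field]) || !is_string($input[$field])) {
            $errors[] = "$field: missing";
            continue;
        }
        // Control characters never belong in a form field, whatever the pattern allows.
        if (preg_match('/[\x00-\x1F\x7F]/', $input[$field])) {
            $errors[] = "$field: control characters";
            continue;
        }
        if (!preg_match($pattern, $input[$field])) {
            $errors[] = "$field: does not match the allowed format";
        }
    }
    return $errors;
}

// Constructed sample requests: one legitimate, one carrying a script tag and
// an injection attempt in the quantity field.
$good = ['firstname' => "Anne-Marie O'Neil", 'telephone' => '+44 20 7946 0000', 'postcode' => 'SW1A 1AA', 'qty' => '2'];
$bad  = ['firstname' => '<script>alert(1)</script>', 'telephone' => '0123456', 'postcode' => 'SW1A 1AA', 'qty' => '2; DROP'];

var_dump(validateCheckoutInput($good));   // no errors: request accepted
print_r(validateCheckoutInput($bad));     // firstname and qty fail: request rejected
```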

3. Sanitizing

This is the third important thing you could do to prevent cross-site scripting attacks.

You can simply clean, or sanitize, the user’s input data. That way, all HTML or JavaScript that the user has fed into the system is automatically rendered useless. If your system spots a doubtful input line keyed in by a user, it automatically converts that data into a standardized, acceptable format.

The limitation of this process is that it severely limits what a user can enter. For instance, format restrictions come in (no italics, no underline, no hyperlinks, etc.), but that’s where you’ll want to assess your requirements and balance the limitations against the potential benefits.
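Added example (not from the original post or Magento): an allow-list sanitizer for a rich-text field such as a product review, showing the trade-off the section describes. Only a handful of formatting tags survive, every attribute except a safe href is dropped, and script-bearing elements are removed together with their content; the tag lists are the assumed policy and the review text is constructed sample input.

```php
<?php
declare(strict_types=1);

// Added example, not Magento's own code: allow-list HTML sanitizer for a rich-text field.
const ALLOWED_TAGS   = ['p', 'b', 'i', 'u', 'a', 'br'];   // formatting the store chooses to keep
const DROP_WITH_BODY = ['script', 'style', 'iframe'];     // removed including their content
const SAFE_SCHEMES   = ['http', 'https', 'mailto'];

function sanitizeRichText(string $html): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);                 // tolerate the broken markup attackers send
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>',
        LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    $root = $doc->documentElement;                    // the wrapper <div>
    cleanChildren($root);
    $out = '';
    foreach ($root->childNodes as $child) {           // serialise without the wrapper
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

function cleanChildren(DOMNode $parent): void
{
    foreach (iterator_to_array($parent->childNodes) as $child) {   // snapshot: the list is mutated below
        if (!$child instanceof DOMElement) {
            if ($child instanceof DOMComment) { $parent->removeChild($child); }
            continue;                                                // text nodes are re-escaped on output
        }
        $tag = strtolower($child->tagName);
        if (in_array($tag, DROP_WITH_BODY, true)) { $parent->removeChild($child); continue; }
        cleanChildren($child);                                       // descendants first
        if (!in_array($tag, ALLOWED_TAGS, true)) {                   // unknown tag: keep its text, drop the tag
            while ($child->firstChild !== null) { $parent->insertBefore($child->firstChild, $child); }
            $parent->removeChild($child);
            continue;
        }
        for ($i = $child->attributes->length - 1; $i >= 0; $i--) {   // backwards: removal shifts indexes
            $attr = $child->attributes->item($i);
            $keep = $tag === 'a' && strtolower($attr->name) === 'href' && hasSafeScheme($attr->value);
            if (!$keep) { $child->removeAttribute($attr->name); }    // drops on*, style, src, javascript: hrefs
        }
    }
}

function hasSafeScheme(string $url): bool
{
    $url = preg_replace('/[\x00-\x20]/', '', $url);                  // defeats "java\tscript:" spelling tricks
    $scheme = parse_url($url, PHP_URL_SCHEME);                       // null for relative URLs, false if malformed
    return $scheme === null || (is_string($scheme) && in_array(strtolower($scheme), SAFE_SCHEMES, true));
}

// Constructed sample: a review mixing legitimate formatting with injected handlers and scripts.
$review = '<p onclick="x()">Great <b>phone</b>!</p><script>alert(1)</script>'
    . '<a href="javascript:alert(1)">deal</a> <a href="https://example.com/specs">specs</a><img src=x onerror=alert(1)>';
echo sanitizeRichText($review), "\n";
```

Bold text, the paragraph and the https link survive; the handlers, the script, the img element and the javascript: href are gone, which is exactly the kind of formatting loss the section asks you to weigh against the benefit.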

Summing up

Every Magento store is at risk. Hence, a great deal of the damage depends on who takes care of the security of your online store.

If you’re doing everything yourself, there are two things you must do.

One, always keep your systems upgraded. Bugs, attacks and malicious code are far more effective against older versions than against newer ones.

Two, get familiar with the documentation Magento 2 provides. Go through it and you’ll have a good idea of where to begin.

If, on the other hand, you have an efficient Magento development company like us doing it for you, they pretty much have your back. Often, the service provider will fix bugs or immediately carry out the damage control before you see any impact on your store.

Do get in touch for a bug or vulnerability assessment of your store, and we can help you investigate the problem before it gets too late.
