array_diff(array, string) does(n't) work as expected

This is an old problem, quite a few security researchers already wrote about. But repeating things, helps learning them (especially me).

In MageSetup we read posted agreements (terms and conditions) and compare them with all the agreements we expect.

This looks like that:

$requiredAgreements = $this->_getCustomerCreateAgreements();
$controller = $observer->getEvent()->getControllerAction();
$postedAgreements = array_keys($controller->getRequest()->getPost('agreement', array()));

if ($diff = array_diff($requiredAgreements, $postedAgreements)) {
    // ERROR

Today I discovered a nasty bug: if you submit no array for agreement, you end up with:

array_diff([1,2,3,4], null);

Which throws two warnings:

Warning: array_keys() expects parameter 1 to be array, string given
Warning: array_diff(): Argument #2 is not an array

If developer mode is on, the warning is transformed into an exception and thrown, which "solves" the problem. But if dev mode is off, array_keys returns null first, and then array_diff() does the same.

So we don't have the expected check against our $requiredAgreements.

Please make sure, you are handling arrays, before passing them into array_* functions!

SSL Everywhere or HSTS

We have to secure all the data of our users, not only registration, checkout and login. We need to secure the session data too.

SSL Everywhere or HTTP Strict Transport Security

(I hope) Everyone knows, that it is important to secure (read as encrypt) our customer’s data. Because of all the evil hackers in the world and the bad ISPs which intercept all our data.


Use HTTP Strict Transport Security!

The first problem: unencrypted personal data

But the real problems are the all-day security problems:

  • I’m sitting at Starbucks, surfing over their unencrypted wifi, enjoy my coffee and work. Hopefully, all connections are encrypted: email, jabber, VPN to the office, what’s app... But often this is not the case. What happens, if a connection is not encrypted? Everyone in the wifi can listen.

You can encrypt the wifi, but for example WEP doesn't solve the problem, because it doesn't have user isolation. But WPA helps.

If the connection is not encrypted, one can read your emails, your whats app messages or your email login.

First solution: TLS (formerly known as SSL)

Because of the painted scenario all our login and registration pages are SSL secured. We encrypt every transmission, where important data are sent. You can use TLS for nearly everything:

  • POP3 -> POP3S
  • and so on

Second problem: unencrypted session data

Do you only encrypt the login and registration page? Oh, the checkout too. Great! But what is with all the other pages, like »Home«, »Privacy Policy«, »About Us« and so on?
Do you think there are no important data transmitted? You are wrong. With every request there is the session ID sent in a cookie. This means, you convey (a maybe authorized session id) unencrypted personal data in your HTTP header.

The attack vector might be (in Magento):

  • getting personal data: address, order history, wishlist, payment data
  • order with the cusomer’s account to a different address, billing the account owner
  • spending the bonus points or the customer’s credit
  • download already paid virtual content which is found in the account

Second solution: SSL Everywhere

Use SSL everywhere. On every request. If the user comes to your page redirect him directly on HTTPS. Use an official signed certificate, so the user knows, he can trust you.

Third problem: SSL Stripping and ARP Spoofing

There is still at least one problem left. It is called "HTTPS stripping attacks". Moxie Marlinspike implemented a tool called sslstrip and recorded a nice video to demonstrate it.

A hacker can pipe all your traffic (under the correct circumstances) through his own machine and transform all the secured (https) links to insecure links (http).

ARP Spoofing

ARP is a protocol to find the shortest path to another address inside the network, for example between your computer and the router in the network.
Alt text
visualization made by 0x55534C, thanks for that.

ARP Spoofing means, you flood the network with ARP packets and define the way through your computer as the fastest way to the router. This way, all the traffic is piped through your machine.

Now you have the full control over all the traffic. You can read it, you can change it or you can drop some or all packets.

Encryption helps

If your packets are encrypted, you don't have this problem. Because the man-in-the-middle (MITM) can't do anything without your recognition. SSL checks itself for integrity.

The precise problem: Redirection at the beginning

But you remember? The very first connection to your shop is to HTTP:// This means, the connection is unencrypted and an attacker can do his job.

The attacker (let's call him Mallory) ARP spoofs the victims (Alice) laptop, reroutes Alice's traffic through his machine and removes the HTTP Location header. Then Mallory loads the https version of the site Alice wants, changes every https:// to http:// and pipes it to Alice's computer. Now Mallory can do her evil work.

It is important to understand, that most users don't realize or check, wether they are on a https:// site. Or wether their address bar is green or blue. Don't rely on the user.

Third/Final solution: Use HTTP Strict Transport Security (HSTS)

HSTS is a server side HTTP Header, specified in RFC 6796.

It does two things:

  1. It ensures, that the connection is secure. If it is not possible to connect to the server on a secure connection, then an error is shown. This is applied in Chrome, Firefox and Opera so, that a connection via http is no longer possible.
  2. It transforms every link on the page from http to https.

How HSTS works

HSTS is a HTTP Header:

Strict-Transport-Security "max-age=31536000"
Strict-Transport-Security "max-age=31536000; includeSubDomains"

This means: Don't allow insecure connections for the next 365 days to my domain, with or without subdomains.

There is still one problem: The very first request may still be http. This consideration is correct. But the idea is: Hopefully the user are at home or in any secure network, when the user makes this request. If not, he is doomed. ;-)

However, if this first request is made, he is secure for the next 365 (or whatever the timespan is) days (on this device!).

As you can see: This final solution I showed to you doesn't guarantee complete security but they minimize the risk for a security breach.

Advertisement: Magento Module for HSTS

I implemented a module, which does all this for magento: Ikonoshirt_StrictTransportSecurity

More Information

German OWASP Day 2012

Ich war gestern auf dem German OWASP Day 2012. Die OWASP ist das "Open Web Application Security Project". Eine offene, kostenlose Organisation, die Security in der IT voranbringen will.

Es folgen Notizen.

Keynote: Volkmar Lotz (SAP)

Part 1: Build Knowledge

Auch mit Frameworks kann man Sicherheit nicht ohne den Entwickler garantieren -> Entwickler sind die Basis alles Sicherheit!

Warum jetzt?
Entwicklung der technologie brauch mehr sicherheit: mobile, cloud, business ecosystems.
Systeme werden komplexer und heterogener -> Outsourcing (Partner schreiben Software, nicht alles inhouse!)

Sicherheitskonferenzen berichten über SAP und SAP-Software. SAP rückt in den Focus von hackern.

awarness and responibility by every developer is important!

Target Audience: all, Entwkcleru und Architekten 3 Tage, alle anderen (Manager, product owner, technical writer, tester, quality manager, ...) 1 tag

Nicht nur schwachstellen vermeiden, sondern auch die reaktion und der umgang mit gefunden bugs wird gelehrt.

1,5 Tage secure programming: buffer overflow, etc.

Übungen, demonstrationen

Identity and Access management 1 tag

Macht' s nicht selber, benutzt was da ist und benutzt es richtig!

Bookshop (Lab):

Von XSS bis Code Injection funktioniert da alles.

Lessons learned

"One size fits all" does not work

Verschiedene Formen von Training, Übungen, LAbore, Ausprobieren

Trennen zwischen Programmiersprachen!

Trennen zwischen Frameworks, damit der Entwickler weiß, was er in der täglichen arbeit beachten muss

Deal with contradicting feedback (nicht gleich beim ersten schlechten feedback inhalte oder art des trainings ändern)

Trainer role is critical

Training steht und fällt mit dem engagement des TRainiers

Trainer müssen sich austauschen

Provide interactive content and different media

Videos, Bilder, Übungen, Demos, ...

Secure Coding: geschätzt 2/3 ist diskussion und coding

Run pilots (more than one!)

Because of the contradicting feedback

Cultural specifics need to be considered

Put business units in charge

Trainer mitnehmen, mit Entwicklern reden, was sie wollen - nicht von Außen aufdrücken!

Part 2: Retain Knowledge

Weiterführen in einzelnen modulen

  • frontend security (HTML 5)
  • database security
  • mobile security
  • threat modelling
  • ...

Integration in die allgemeinen trainnigs einbetten, z.B. HTML5 in das training für webentwickler

Keep Motivation High and Costs Low

Virtual, Interactive, self-controlled, entertaining, rewarding

-> Gamification (not Serious Gaming)

1st Your need, your choice

Lernen wie man will, aber alles muss gelernt werden

2nd Raise the exitement

anschließend zusätzliche Möglichkeiten, Hack Me, Penetration Test Challenge, etc.

3rd your progress is the KEY

Profilseite: Awards, Achievments, Punkte sammeln, historie, ...

Lessons Learned
Gamificatin funktioniert sehr gut
-> über alle Kulturen hinweg

Nicht jeder mag es, nicht jeder möchte sein profil öffentlich, jeder hat die wahl

Enge Absprache mit den Betriebsräten weltweit umgesetzt

XSS von 1999 bis 2013 - Die Doctrine Classique der Websicherheit (Mario Heiderich)

Ecommerce: Pizza hut online shop

Brendan Eich erfindet SOP (Same Origin Policy), LiveScript (JavaScript) und damit auch XSS.

Browserkriege kommen 1999
HTML4 + DOM -> JS kann DOM manipulieren

Security nightmare, weil Browser Features brauchten.

2001 500 Mio. Internetnutzer

HTML stagniert

AJAX und Web 2.0 (Facebook wird geboren)

Browser bauen eigene Features XML, WML, E4X, VBS, XDR, LiveConnect, Drag & Drop, Clipboard, WBXML, Behaviours, WD-XSL, CSS, Expressions, SSE, SVG, HTML+TIME, SMIL, SAMI, ASX, ActiveX, XDR


1 Mrd Internet benutzer

hoch komplexe Webanwendungen: GMail

HTML 5 entsteht, WHATWG vs. W3C

Erste XSS Würmer (Sammy Wurm)

Wieder Browserkriege -> Feature die nicht rein gehören

1,6 Mrd User

Über-Browser: Cloud, Mobile, Social Networks, Venture Capital

XSS ist Allgegenwertig!

Wenn wir eine Million Hühner haben und eine Million Tastaturen und da einfach Körner reinstreuen, exploiten die auf irgendeiner Internetseite XSS.

Lost in Translation: Missverständnisse zwischen Mensch/Mensch und Mensch/Maschine und deren Auswirkungen auf Web-Security (Sebastian Schinzel)

Das ist ein Awarness talk

wir brauchen demut vor der technik und die nötige offenheit um sichere anwendungen zu bauen

Post-Penetrationstest-Phase oft frustrierend

  • Report fängt Staub
  • Gegenmaßnahmen nur, wenn Explot gezeigt wurde
  • Beratungsresistenz bei den Entwicklern

PHP Quellcode ist missverständlich.

Hintertür im Linux Kernel

Zuweisung auf der rechten Seite

"Meinen Stundenten würde ich abraten, mit PHP coden zu lernen"