The development of an eCommerce site presents numerous challenges. Having a site that is fast, looks good and works well is a must. On many occasions we believe that this is enough, and we tend to overlook a very important aspect: security.
eCommerce sites handle sensitive information that is very valuable to attackers, such as user data and credit card data. Many times, this aspect is left entirely to the security that Magento already provides, while the best practices of secure development are ignored.
In our most recent security exercise, together with Damian Gambacorta, one of our Technical Leaders and Ethical Hacker (g4mb4 in the hacker community), we completed a capture the flag (CTF) so that our developers could experience how a Magento site can become vulnerable when mistakes are made during custom development.
What is a CTF?
A CTF (Capture the Flag) is a gamified exercise designed to test cybersecurity skills.
The goal of the game is to get the highest score by capturing the most flags.
What are the benefits of a CTF exercise?
When completing a CTF exercise, there are many benefits including:
- Developers and QA will be able to test their cybersecurity skills and learn to think like hackers.
- The development and QA teams can experience what an attacker can achieve when sites are not developed properly.
- We can engage developers in secure development.
In this CTF exercise, we focused on common bugs that all companies suffer from, such as:
- Information Disclosure: This is when a website does not adequately protect sensitive information, and it may be exposed to a party that should not have it.
- Cross Site Scripting (XSS): This is an attack where malicious scripts are injected into a website and executed in the browsers of its users.
- Insecure Direct Object References (IDORs): This is when an application uses user-supplied input to access objects directly. This creates issues if access control is not validated properly for each object.
- SQL Injections: A SQL injection is a code injection technique that can provide an attacker access to a site’s database.
- Business Logic Bypass: A business logic bypass can allow a hacker to use flaws in the design and implementation of an application to achieve a malicious goal while using the site’s legitimate functionality.
By using these common bugs, our developers had the opportunity to experience what a hacker seeks to obtain (and do) on a Magento site, and how to address any issues that come up.
The successes of a CTF exercise:
Overall, 121's event was a success! We competed in multidisciplinary teams of 5 and we received 60 reports of possible vulnerabilities. All of them were valid! As part of this exercise, we grouped people into teams of 5 that were different from the teams they work with on a day-to-day basis. This not only helped with team building, but also tested their problem-solving skills.
We take security seriously:
At 121eCommerce, and as a Gold Adobe Solution Provider, we believe that eCommerce security is a shared responsibility, and one that gives our agency credibility. It is for this reason that we decided to share the CTF we created, so that other companies can use it and put themselves to the test.
Our CTF Extension is available in our repository. If you want to be part of this initiative, contact us and we will provide you with the guide and instructions to carry it out, at no cost!
We can also provide cybersecurity training and pentest your custom extensions, as we do with our own.
In the next few weeks, another write up will be published by G4MB4 about a security vulnerability that affected Magento!
We are already preparing a new CTF with greater difficulty to continue our training in security!