How to Do a Complete Magento Security Audit in 5 Simple Steps

April 28, 2020

A security audit requires you to think like a hacker. 

Security audits involve evaluating your vulnerabilities and assessing the current security measures: which controls are in place and how well they hold up against an attempted intrusion.

We know that Magento is one of the most popular open-source e-commerce platforms on the market today, and that it handles sensitive payment information every day.

That concentration of financial data has, unsurprisingly, caught the eye of attackers. As a result, Magento stores are under continuous attack, ranging from automated bad bots to targeted attacks by skilled adversaries.

Uncovering the vulnerabilities and loopholes in your website is the first step in securing it.

This article explains how to perform a complete security audit of your Magento store. It also gives remedial measures for the common issues a Magento security audit turns up.

1. Identify Audit Areas: Magento Security Audit

One of the first things that a hacker does on your website is to recognize the type of CMS, server OS, and other basic details such as:

  • Magento version.
  • PHP version.
  • Magento Modules.
  • Other software technologies.

Knowing this provides a roadmap to the attacker. 

For example, if you still use outdated versions of Magento, the attacker can exploit the known vulnerabilities which existed in older versions of Magento.

Hence, the first step in carrying out a Magento security audit is to find these details yourself, before an attacker does. Below are some of the techniques attackers use to learn them.

a) Know Magento Version the Automatic Way

BlindElephant is a web application fingerprinting tool shipped with Kali Linux. It compares the static files a site serves against a database of known application versions. To run it, open a terminal in Kali and type BlindElephant.py followed by the URL of the website and the name of the application you want to test for, i.e.

BlindElephant.py http://192.168.1.252/ Magento

BlindElephant only recognises the applications in its fingerprint database, so check the application list in its help output before relying on it for Magento, and use MageScan (below) for the Magento-specific details.

For more help, type:

BlindElephant.py -h

After the CMS has been confirmed as Magento, to further enumerate the CMS specific details, use MageScan. 

MageScan is a tool that can discover not only the Magento version but also installed modules, catalog information and more. To download and use it, see its GitHub repository.

[Screenshot: MageScan uncovering details of a Magento site]

b) Know Magento Version the Manual Way

In Magento 2 it has become easier to check the version that is being used.

Simply append /magento_version to the store's base URL and, lo and behold, it reveals the Magento version and edition (for example "Magento/2.3 (Community)"). It reveals it to everyone else, including automated tools, too.

Remediation

  • If your Magento version is outdated, update it now!
  • If you still use Magento 1, migrate to Magento 2 (Magento 1 reaches end of life in June 2020).
  • Use the latest Magento version, i.e. Magento 2.3.x at the time of writing.
  • Do not use outdated or ill-reputed modules.
  • Use custom error messages and run the store in production mode, so that stack traces and framework details are not shown to visitors.
  • To hide your Magento version, connect to your site via SSH and, from the Magento root, execute the following command:

    php bin/magento module:disable Magento_Version

    Note that this only removes the /magento_version endpoint. An attacker can still estimate the version from static asset paths, JavaScript files and module behaviour, so treat hiding as a speed bump and patching as the real fix.

2. Discover Content: Magento Security Audit

Once the Magento version has been discovered, the next step is to discover content, i.e. Magento directories, the admin panel, configuration files, etc.

Tools like dirb can brute-force and discover common directories and files.

If directories are world-readable or directory listing is enabled, they can leak sensitive information (configuration files, logs, backups) to attackers. Moreover, if the admin path is left at its default (www.example.com/admin/), attackers can find it trivially and brute-force the login to your Magento store.

To brute-force the directories on your site, open a terminal in Kali and type dirb followed by your site URL, i.e.

dirb http://webscantest.com/

[Screenshot: dirb scan output]

Remediations

  • Set proper file and folder permissions, and make sure the web server denies requests to app/etc/ and other non-public directories.
  • Enable two-factor authentication for all admin accounts.
  • Do not use weak or default passwords.
  • Configure CAPTCHA for the admin login under Stores > Configuration > Advanced > Admin > CAPTCHA, and for the storefront under Stores > Configuration > Customers > Customer Configuration > CAPTCHA.
  • To change the default admin path, connect to your site via SSH and run the following command from the Magento root:

    php bin/magento setup:config:set --backend-frontname="myAdmin"

    Replace myAdmin with a hard-to-guess name of your choice; the admin panel will then be reachable at /myAdmin instead of /admin.
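The version fingerprinting from step 1(b) and the content discovery from step 2 can be scripted together. The following is an added example and not part of the original post, nor a replacement for MageScan or dirb: it checks the handful of Magento-specific locations an attacker tries first (the /magento_version endpoint, the default admin path, the configuration files that hold database credentials, composer metadata, the old Connect Manager and Setup Wizard) and classifies what comes back. The host shop.example and all responses in the test are constructed; the fetch argument is injectable so the logic runs without a live store.

```python
"""Magento fingerprinting (step 1b) and Magento-aware content discovery (step 2).

Added example: not part of the original post and not MageScan or dirb. Pass the
store's base URL, e.g. https://shop.example, with no trailing path.
"""
import re
import sys
import urllib.error
import urllib.request

# Magento 2 answers /magento_version with e.g. "Magento/2.3 (Community)".
VERSION_RE = re.compile(r"Magento/(\d+\.\d+(?:\.\d+)?)\s*\((\w+)\)")
# Signed static-asset paths (/static/version<digits>/) mark a Magento 2 front end;
# /skin/frontend/ and /js/varien/ mark Magento 1.
M2_MARKERS = (r"/static/version\d+/", r"/static/frontend/")
M1_MARKERS = (r"/skin/frontend/", r"/js/varien/")

# (path, severity of a plain 200, why it matters). All are real Magento locations.
PROBES = [
    ("/admin/",            "medium", "admin login at the default path"),
    ("/app/etc/env.php",   "high",   "Magento 2 config (holds DB credentials) not blocked"),
    ("/app/etc/local.xml", "high",   "Magento 1 config (holds DB credentials) not blocked"),
    ("/composer.lock",     "low",    "composer lock reveals exact core/module versions"),
    ("/.git/HEAD",         "high",   "git metadata exposed"),
    ("/downloader/",       "medium", "Magento 1 Connect Manager reachable"),
    ("/setup/",            "medium", "Magento 2 Web Setup Wizard reachable"),
    ("/var/",              "low",    "var directory reachable"),
]
SEVERITY = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def http_get(url, timeout=10):
    """Return (status, body); 4xx/5xx responses are returned rather than raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "magento-audit"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def classify_html(html):
    """Guess the Magento generation from storefront HTML alone."""
    if any(re.search(p, html) for p in M2_MARKERS):
        return "magento2"
    if any(re.search(p, html) for p in M1_MARKERS):
        return "magento1"
    return "unknown"


def fingerprint(base, fetch=http_get):
    base = base.rstrip("/")
    _, home = fetch(base + "/")
    info = {"generation": classify_html(home), "version": None, "edition": None}
    status, body = fetch(base + "/magento_version")
    m = VERSION_RE.search(body) if status == 200 else None
    if m:  # endpoint still enabled: the Magento_Version module was not disabled
        info.update(generation="magento2", version=m.group(1), edition=m.group(2))
    return info


def classify_probe(path, severity, desc, status, body):
    """Turn one probe result into (severity, path, description), or None."""
    if status != 200:
        return None
    if "Index of /" in body:
        return ("high", path, "directory listing enabled")
    if path.endswith(("env.php", "local.xml")):
        # PHP normally executes env.php and returns an empty body; a visible
        # password means the file is being served as plain text.
        if "'password'" in body or "<password>" in body:
            return ("critical", path, "DB credentials readable")
        return (severity, path, desc)
    if path == "/admin/":
        # Both Magento 1 and Magento 2 admin login forms post login[username].
        return (severity, path, desc) if 'name="login[username]"' in body else None
    return (severity, path, desc)


def discover(base, fetch=http_get):
    base = base.rstrip("/")
    findings = []
    for path, severity, desc in PROBES:
        status, body = fetch(base + path)
        f = classify_probe(path, severity, desc, status, body)
        if f:
            findings.append(f)
    return sorted(findings, key=lambda f: SEVERITY[f[0]])


if __name__ == "__main__":
    target = sys.argv[1]
    print(fingerprint(target))
    for sev, path, desc in discover(target):
        print(sev.upper(), path, "-", desc)
```

Run it as `python magento_probe.py https://shop.example` against a store you are authorised to test. A 200 for app/etc/env.php is worth fixing even when the body is empty: it means the web server is not blocking the app/etc directory, and any PHP misconfiguration would turn it into a credential leak.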

3. Find Server Misconfigurations: Magento Security Audit

While the original CMS may be secure, it is quite possible that there may be some vulnerabilities on your server. These vulnerabilities also need to be checked during a security audit. Some common server misconfigurations that you can check during a Magento security audit are:

a) Open Ports

An open port means that a certain TCP or UDP port is accepting packets; in practice, a service is listening behind it.

An open port is not a problem in itself, but the service behind it can be, if it is outdated, misconfigured or never meant to be reachable from the internet (database ports, Redis, Elasticsearch, admin interfaces).

To check which ports your server exposes, Nmap is undoubtedly the tool to use. It can:

  • Scan for open ports.
  • Fingerprint the OS and service versions.
  • Run NSE scripts for a variety of checks, such as testing for Heartbleed, enumerating TLS ciphers, or checking for known-vulnerable service versions.

To scan TCP ports on your server, open up the terminal in Kali and type:

nmap -sT xxx.xxx.xxx.xxx

Replace the xxx.xxx.xxx.xxx with IP address you wish to scan for.

[Screenshot: nmap scan output]

b) Weak Cryptographic Implementations

Cryptography ensures that the communication between your Magento store and its customers cannot be read or tampered with in transit. The application of it that matters here is TLS (commonly still called SSL). If your site does not serve HTTPS with a valid certificate, get one now!

If you already use TLS, make sure the configuration is not vulnerable to known bugs such as POODLE or Heartbleed, and does not offer obsolete protocol versions or weak ciphers. Free online TLS scanners will grade your configuration for you.

Nmap scripts can also be used to check for TLS vulnerabilities like Heartbleed. Just open a terminal in Kali and type:

nmap -sV -p 443 --script=ssl-heartbleed xxx.xxx.xxx.xxx

Replace xxx.xxx.xxx.xxx with the IP of the server you want to scan. Similarly, the ssl-poodle and sslv2-drown scripts check for POODLE and DROWN, and ssl-enum-ciphers lists every protocol version and cipher suite the server accepts, graded from A to F.
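Reading ssl-enum-ciphers output by hand across several hosts gets tedious, so here is an added example (not part of the original post or of Nmap) that parses the text Nmap writes with `nmap -sV -p 443 --script ssl-enum-ciphers <host> -oN tls.txt` and flags deprecated protocol versions, weak cipher suites and TLS compression. SAMPLE is a constructed report in Nmap's output format; the grading thresholds (anything below B, RC4/DES/NULL/export/MD5/anonymous suites, any compressor other than NULL) are this script's own choices.

```python
"""Grade an nmap ssl-enum-ciphers report (step 3b).

Added example, not part of the original post or of nmap. Usage:
    python grade_tls.py tls.txt        (or no argument to grade SAMPLE)
"""
import re
import sys

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
WEAK_CIPHER_WORDS = ("RC4", "DES_", "NULL", "EXPORT", "MD5", "anon")

PROTO_RE = re.compile(r"^\|\s+(SSLv\d|TLSv\d\.\d):\s*$")
SECTION_RE = re.compile(r"^\|\s+(ciphers|compressors|cipher preference|warnings):")
CIPHER_RE = re.compile(r"^\|\s+((?:TLS|SSL)_\S+)\s+\(.*?\)\s+-\s+([A-F])$")

# Constructed sample in nmap's ssl-enum-ciphers format (not real scan output).
SAMPLE = """\
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|     compressors:
|       DEFLATE
|       NULL
|     cipher preference: server
|_  least strength: C
"""


def grade_report(text):
    """Return a list of (kind, subject, detail) findings in report order."""
    findings = []
    proto = section = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("|_"):          # nmap marks the script's last line with |_
            proto = section = None
            continue
        m = PROTO_RE.match(line)
        if m:
            proto, section = m.group(1), None
            if proto in DEPRECATED_PROTOCOLS:
                findings.append(("protocol", proto, "deprecated protocol version enabled"))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if proto is None:
            continue                       # still in the port/banner header
        body = line.strip("| ")
        if section == "ciphers":
            m = CIPHER_RE.match(line)
            if m and (m.group(2) > "B" or any(w in m.group(1) for w in WEAK_CIPHER_WORDS)):
                findings.append(("cipher", proto + " " + m.group(1),
                                 "weak cipher suite, grade " + m.group(2)))
        elif section == "compressors" and body and body != "NULL":
            findings.append(("compression", proto + " " + body, "TLS compression enabled (CRIME)"))
        elif section == "warnings" and body:
            findings.append(("warning", proto, body))
    return findings


if __name__ == "__main__":
    report = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for kind, subject, detail in grade_report(report):
        print("%-11s %-45s %s" % (kind, subject, detail))
```

Each finding maps directly to a server-side change: a "protocol" finding means a protocol version to disable, a "cipher" finding a suite to remove from the cipher list, and a "compression" finding means TLS compression must be switched off.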

Remediations

  • Use a firewall so that only the ports you intend to be public (normally 80 and 443, plus SSH from trusted addresses) are reachable from the internet.
  • Serve the whole store over HTTPS.
  • Disable SSLv2, SSLv3, TLS 1.0 and TLS 1.1, and avoid weak ciphers (RC4, 3DES, export and NULL suites).
  • Avoid shared hosting. Use a dedicated VPS or server if possible.

4. Eliminate Injection Vulnerabilities

Various types of injection vulnerability arise from poor coding practices, which is why injection regularly features in the OWASP Top 10. The chances of you finding an injection vulnerability in the Magento core are low (unless you are a security researcher) but not zero: since Magento is open-source, researchers have found various XSS, CSRF and SQLi bugs in it in the past. What you can realistically do is vet the Magento extensions you install, since third-party extensions receive far less scrutiny than the core.

a) SQL Injection

SQLi occurs when user input is not properly handled and reaches the database as part of a query, where it is executed. The results can be disastrous for your Magento store: attackers can read login credentials and customer data, and inject spam or credit card skimmers.

To audit your Magento store for SQLi, perhaps there is no better tool than Sqlmap. This tool can automatically find and exploit SQLi bugs. 

To use Sqlmap, open the terminal in Kali and type:

sqlmap -u "http://www.your-site.com/file?param1=&param2=" --batch

Replace your-site.com with the site you wish to audit. param1 and param2 are the parameters you want tested for SQLi, and --batch accepts the default answer to every prompt so the scan runs unattended. This is only a minimal invocation; for more details type:

sqlmap -h

[Screenshot: sqlmap output]

b) Cross-Site Scripting

Not surprisingly, XSS is also caused by a lack of proper input validation and output encoding. By exploiting an XSS bug, the attacker runs malicious JavaScript in the browsers of your customers and administrators, in the context of your store's origin. Without going into detail, anything JavaScript can do on your site (read the session, submit forms as the victim, rewrite the checkout page) an attacker can do by exploiting an XSS bug.

To audit your Magento extensions for XSS bugs, a suitable tool is XSSer. It can bypass certain web application firewalls and exploit an XSS bug, and a GUI is available for novice users.

To learn how to use it, open the terminal in Kali and type:

xsser -h

[Screenshot: XSSer help output]

Remediations

  • Follow secure development practices, i.e. use prepared statements (bound parameters) for every query, implement CSRF tokens on state-changing requests, etc.
  • Validate all user input on the server, and encode it for the context (HTML, attribute, JavaScript, URL) in which it is output.
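To make the two remediations concrete, here is an added example showing the vulnerable and the fixed form of each bug side by side. It is written in Python (sqlite3 in memory plus html.escape) rather than in Magento's PHP, and is not code from the original post or from Magento: the *_vulnerable functions are deliberately wrong and exist only to show what sqlmap and XSSer exploit, and what the prepared-statement and output-encoding fixes change. The product table and the two payloads are constructed for the demo.

```python
"""SQL injection and XSS, vulnerable and fixed, side by side (step 4).

Added example, not Magento code. The product table is constructed for the demo.
"""
import html
import sqlite3


def make_db():
    """Constructed catalogue: two public products and one that is not enabled."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE product (sku TEXT, name TEXT, enabled INTEGER)")
    db.executemany("INSERT INTO product VALUES (?, ?, ?)",
                   [("ABC-1", "Shirt", 1), ("ABC-2", "Hat", 1), ("HID-1", "Unreleased", 0)])
    return db


def search_vulnerable(db, term):
    """String concatenation: the search term becomes part of the SQL text, so a
    quote in it closes the literal and whatever follows is executed as SQL."""
    sql = "SELECT sku FROM product WHERE enabled = 1 AND name LIKE '%" + term + "%'"
    return [row[0] for row in db.execute(sql)]


def search_safe(db, term):
    """Prepared statement: the term is bound as data and is never parsed as SQL."""
    sql = "SELECT sku FROM product WHERE enabled = 1 AND name LIKE ?"
    return [row[0] for row in db.execute(sql, ("%" + term + "%",))]


def render_vulnerable(term, results):
    """Reflects the raw term into HTML: a <script> in it runs in the visitor's browser."""
    return "<p>Results for " + term + ": " + ", ".join(results) + "</p>"


def render_safe(term, results):
    """Encodes every untrusted value for the HTML text context before output."""
    return ("<p>Results for " + html.escape(term) + ": "
            + ", ".join(html.escape(r) for r in results) + "</p>")


SQLI_PAYLOAD = "x%' OR 1=1 --"                      # what a sqlmap probe boils down to
XSS_PAYLOAD = "<script>alert(document.cookie)</script>"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", search_vulnerable(db, SQLI_PAYLOAD))  # every row, disabled one included
    print("safe:      ", search_safe(db, SQLI_PAYLOAD))        # []
    print(render_vulnerable(XSS_PAYLOAD, []))
    print(render_safe(XSS_PAYLOAD, []))
```

The injected query becomes `... AND name LIKE '%x%' OR 1=1 --%'`, so the `enabled = 1` condition no longer restricts anything and the unreleased product leaks; with the bound parameter the same text is just a pattern that matches nothing. When vetting an extension, grep for queries built with string concatenation or sprintf and for template output that is not passed through an escaping helper.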

5. Identify Business Logic Flaws

Business logic defines the processing and flow of data on your Magento store. In simple words, the user logs in; selects an item; adds it to the cart; then goes to the checkout page and finally pays to complete the process. All these constitute your business logic.

A business logic flaw, therefore, means that due to a lack of proper server-side safeguards, a malicious user can manipulate one of these steps. For instance, the user could edit the price of an item in the request sent to your Magento store and buy it for a lower price, or even for free!

This is just one example; there are many other things that can go wrong (negative quantities, reused coupons, skipping the payment step). What makes Magento business logic flaws more serious is that automated security scanners cannot detect them, because nothing about the request is malformed.

Also, when a business logic flaw is exploited by the attacker, the firewall or IDS (Intrusion Detection System) may have no idea what's going on.

Remediations

  • Chances of finding business logic flaws in the Magento core are very low. But if you use extensions, especially ones that touch pricing, discounts, checkout or payment, then seriously consider looking for business logic flaws in them: every price, quantity and discount must be recomputed on the server from the catalog, never taken from the client.
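What "recompute on the server" looks like in practice, as an added example that is not Magento code and not part of the original post: a minimal checkout that prices the cart from its own catalogue and rejects any order whose client-supplied values it cannot reproduce, instead of trusting the price, quantity or discount the browser sends. CATALOG and COUPONS are constructed stand-ins for the database; the SKUs and the 10% coupon are made up.

```python
"""Server-side checkout validation against the price-tampering flaw (step 5).

Added example, not Magento code. CATALOG and COUPONS stand in for the database.
"""
from decimal import Decimal, InvalidOperation

CATALOG = {"ABC-1": Decimal("29.99"), "ABC-2": Decimal("15.00")}
COUPONS = {"SAVE10": Decimal("0.10")}       # fraction taken off the subtotal
MAX_QTY_PER_LINE = 10


class OrderRejected(ValueError):
    """Raised for any cart the server cannot reproduce from its own data."""


def price_order(cart, coupon=None):
    """cart: list of {"sku", "qty", "price"} exactly as posted by the client.

    The client's "price" is a claim to verify, never an input to the total. A
    mismatch means a stale page or a tampered request; either way the order
    must not proceed. Quantities must be positive integers within limits.
    """
    if not cart:
        raise OrderRejected("empty cart")
    subtotal = Decimal("0")
    for line in cart:
        sku = line.get("sku")
        if sku not in CATALOG:
            raise OrderRejected("unknown sku %r" % (sku,))
        qty = line.get("qty")
        if isinstance(qty, bool) or not isinstance(qty, int) or not 1 <= qty <= MAX_QTY_PER_LINE:
            raise OrderRejected("invalid quantity for " + sku)
        if "price" in line:
            try:
                claimed = Decimal(str(line["price"]))
            except InvalidOperation:
                raise OrderRejected("unparseable price for " + sku)
            if claimed != CATALOG[sku]:
                raise OrderRejected("price mismatch for " + sku)
        subtotal += CATALOG[sku] * qty          # server price, never the claimed one
    discount = Decimal("0")
    if coupon is not None:
        if coupon not in COUPONS:
            raise OrderRejected("invalid coupon")
        discount = (subtotal * COUPONS[coupon]).quantize(Decimal("0.01"))
    total = subtotal - discount
    if total <= 0:
        raise OrderRejected("non-positive total")
    return {"subtotal": subtotal, "discount": discount, "total": total}


def check_order(cart, coupon=None):
    """Report ('accepted', totals) or ('rejected', reason) without raising."""
    try:
        return "accepted", price_order(cart, coupon)
    except OrderRejected as e:
        return "rejected", str(e)


if __name__ == "__main__":
    print(check_order([{"sku": "ABC-1", "qty": 2, "price": "29.99"}], coupon="SAVE10"))
    print(check_order([{"sku": "ABC-1", "qty": 1, "price": "0.01"}]))    # tampered price
    print(check_order([{"sku": "ABC-1", "qty": -3, "price": "29.99"}]))  # negative quantity
```

The same rule applies to every later step: the payment amount sent to the gateway must come from this server-side total, and the order must only be marked paid after the gateway confirms that exact amount, not because the client reported success.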

Conclusion

To conclude, a Magento security audit can be conducted with minimal resources.

However, there are a lot of things that can go wrong. Covering all of them is beyond the scope of this article, but a blueprint has been given.

So, the least you can do as a store owner is to follow Magento security best practices, including regular security audits. These measures will harden your Magento website against most common attacks.

