Magento Security Threats and Store’s Security Audit

Home / E-Commerce / Magento Security Threats and Store’s Security Audit
Magento Security

The world is familiar with a number of e-commerce websites today. Among all, Magento is the most preferred choice. Magento was aimed towards easing the process of managing and creating a store. It powers 1.2% of the internet and 12% of all eCommerce sites. Yet, it has its share of attacks, and a website security audit shows it clearly. Here are the CVE details of Magento: XSS (53.1%) was the biggest in the room followed by code execution (12.5%) and Gain information (12.5%). The hacking statistics in Magento is unnerving.

Let us talk about an actual Magento shoplift attack that occurred in 2015. The target URL to which malicious requests were made was something like this in this attack:

A parsing error was the reason behind this. The values entered in the filter key were wrongly parsed. The attackers inserted SQL statements as a value to the filter key which was parsed.

Here, we will venture into security threats & Magento security tips. We have put together the techniques to pull you out of such a crisis.

Magento Security Issues to Stay Beware Of


Cross-site Scripting (XSS) in Magento

It is a security vulnerability in web applications that allows attackers to inject malicious code/styles into a web page viewed by users. The introduction of these into codes should be avoided by Magento extension developers.

The three main types of XSS vulnerabilities are:

  1. Persisted XSS:  The source of unvalidated data comes from the Database or Backend permanent store.
  2. Reflected (Non-persistent) XSS: It occurs when data provided by a web client is used immediately by server-side scripts to parse and display a page to a user without properly sanitizing the request.
  3. DOM XSS: In this, the malicious data is reflected by the JavaScript code, fully on the client-side.

Preventing XSS

It can be prevented by validating and sanitizing user input as well as sanitizing dynamic values when rendering the view (HTML, mobile). A website security audit can easily point out the areas of trouble.

Input Processing:  It is always better to validate/sanitize values as close as possible to the view context. Only then one can be assured about the restrictions needed to be imposed on the dynamic values. Additionally, this also ensures that the security requirements for the business are not at risk.

The attackers can manipulate any data. It can contain malicious values such as:⁸

  1. False IDs in headers
  2. Tampered cookies
  3. Fake parts/query parameters in URIs
  4. Form fields filled with control characters(”<”,”>” etc)

From a business point of view, there is no reason to disallow < > symbols in the users’ ‘about me’ section. Allowing these characters wouldn’t be problematic by escaping control symbols while rendering HTML.  Where “{“ “}” could cause issues, the user  ‘about me’ data may be delivered via RESTful API. The user data would contain HTML control symbols (<,>) and would be damaged if it had been sanitized earlier.

Output Processing:  It is the main method of protecting your extension from XSS attacks. It involves sanitizing strings that may have come from external data sources before using it to render views.

Code Execution in Magento

Code Execution enables an attacker to execute arbitrary code on your Magento server.  It creates files with a .csv extension, creates writable directories, and changes the permission of existing files to world-writable (777). It can lead to executing files like php.csv. The ability to run code with a .csv extension is dangerous in itself. It can give way to other attacks such as targeting other software installed on the server.

Following a website security audit that identifies the problem, you must log in to the Magento server as a user with root privileges to resolve this. Apart from this, you can also log in as a user with permissions to change the webserver configuration.

SQL Injection Vulnerabilities

Database plays a vital role in managing a Magento store. Unsanitized user input can result in Magento SQL injection. One sloppy coding can expose the entire database and it is a significant threat. A Magento SQL injection can:

  1. Read the contents of the database
  2. Expose admin credentials and lead way to further attacks
  3. Delete the entire database
  4. Manipulate the database (modify the contents of the store)
  5. Obtain a reverse shell in some cases and then escalate the privileges
  6. Steal credit card details

Every month, new tricks to bypass Magento security audits and filters are developed. A lot can be prevented from happening in spite of the increase in the threat of the Magento SQL injection attack day-by-day.

Causes of Magento SQL Injection

  • Client-side implementation of code
  • Unsanitized inputs
  • Tautologies
  • Error messages
  • Database privileges
  • Encryption
  • Variable size filtering


  1. Protection Parameters: The specific protection parameters that come with each database help in avoiding Magento SQL injection.
  2. Use Prepared Statements: It is the alternate option to dynamic queries. These statements are prepared and parsed later on. The database checks the parameter first and once it’s sure that it’s not mischievous, executes the statements.
  3. Limit Privileges: You should ensure the encryption of the sensitive columns. The passwords should be strong.
  4. Use a Web Application Firewall: Using a firewall eases the tedious job of manual inspection of Magento SQL Injection. Astra has a great firewall and security solution designed to keep out the Magento SQL injection attack.

Magento Cross-Site Request Forgery (CSRF) Attacks

The Magento CSRF attacks coerce you into performing actions that you don’t want to. It can be anything from changing your account details to even deleting it. If you are visiting a malicious website without logging out of your Magento store,  attackers can trick you into carrying out unwanted actions in the absence of Magento CSRF Protection.  The attacker can embed a malicious form on the website and make your browser execute it and may thus have access to your account.

Causes of CSRF Vulnerabilities

Improper implementation of a CSRF token can lead to a CSRF vulnerability. Some common misconfigurations of a CSRF token are:

  1. The attackers can bypass the CSRF token if it is implemented for POST requests only. It can then execute the same malicious action using a GET request.
  2. Some web applications save one copy of the CSRF token in the cookie. The attacker can set the cookie in your browser and use it to conduct CSRF attacks.
  3. The attacker can obtain a CSRF token by other means if the CSRF token is not tied to the user’s session. It can be used to make your browser execute the malicious request.
  4. The attackers can make the browser drop the Referer header value if the Referer header is used to verify the origin of a request. This then helps execute the malicious request.
  5. If the CSRF token field is not present, the web application may entirely ignore it and execute the request leading to a CSRF attack.

5 CSRF Protection Tips

  1. Synchronizer Token Pattern
  2. Cookie-to-header Token
  3. Double Submit Cookie
  4. Same Site Cookie Attribute
  5. Client-side Magento CSRF Protection

Proper website security audit and security configurations give you the ability to control the lifetime of user sessions.

Brute Force Attacks in Magento

It is a trial and error based method used to acquire information such as a username or password. Automated software is used to generate a large number of consecutive guesses generally. It is advisable to use admin usernames that are not easily guessed and strong passwords to keep them safe. A regular website security audit should be a must by admin users in their system.

Tips to Protect from Brute Force Attacks

  1. Change Admin panel URL
  2. Update Admin Account Security
  3. Enable CAPTCHA
  4. Activate Security Scanning of your store
  5. Enable Two-Factor Authentification

How Can we help?

So now you know the various threats faced by Magento store users. A Magento security audit & VAPT  will show you that your website is under attack almost every day from all these invisible enemies. Everyone needs weapons to fight the enemy, and we can arm you with the best. Firewall and Malware Scanner are the best weapons to prevent these kinds of attacks. You’ll be more than satisfied using these. Don’t let these attacks stop your business.

Leave a Reply

Your email address will not be published.

  • Partner links