Automated security check against injected malicious JavaScript

From time to time we have guest posts on the blog. Today’s post is from Konstantin Gerasimov at goivvy.com.

E-commerce sites can suffer from hackers injecting pieces of JavaScript to sniff credit card or other sensitive data.

It’s usually a checkout page with payment forms where JS code could be placed.

There is a simple yet effective way to catch it.

You store the original checkout page HTML and then regularly compare your current checkout page against ‘the gold standard’.

In this article I’ll describe one way of automating this security check using a $10 linux box.

 

1. Test Case

 

We will use a Magento 2 e-commerce site as an example.

The script will visit the website, add an item to the cart, proceed to checkout and compare the checkout page HTML against the template we have stored on the server.

If there is a mismatch, it indicates the page has been altered and needs to be reviewed.

 

2. Installation

 

We will use a 2G RAM linux box running Debian 10.

1.1 Facebook/Webdriver

Firstly, we need to install facebook/webdriver. That’s a PHP wrapper to work with a browser.

sudo apt update
sudo apt-get install composer
mkdir /home/username/security && cd /home/username/security
sudo apt-get install php-cli php-zip unzip wget php-curl
composer require facebook/webdriver

1.2 Google Chrome Browser

Next, we will install a google chrome web browser:

wget https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb
apt-get install ./google-chrome-stable_current_amd64.deb

 

1.3 ChromeDriver

ChromeDriver is a standalone server that can talk to Google Chrome browser.

Versions of ChromeDriver and Google Chrome browser should match.

wget https://chromedriver.storage.googleapis.com/92.0.4515.107/chromedriver_linux64.zip
unzip chromedriver_linux64.zip
sudo cp chromedriver /usr/bin/

1.4 Xvfb

Xvfb is a virtual X server. We need it to run Google Chrome properly as we don’t have a monitor connected to our server.

apt-get install xvfb

1.5 PHP script to visit a checkout page

Below is the script that visits the Magento 2 website, adds an item to the cart, proceeds to the checkout and compares the checkout page HTML to what we have stored on the server.

/home/username/security/check.php:

namespace FacebookWebDriver;
use FacebookWebDriverRemoteDesiredCapabilities;
use FacebookWebDriverRemoteRemoteWebDriver;
require_once(‘vendor/autoload.php’);
$host = ‘http://localhost:4444/’;
$capabilities = DesiredCapabilities::chrome();
$driver = RemoteWebDriver::create($host, $capabilities);
$driver->get(‘https://domain.com/’);
$driver->wait()->until(
WebDriverExpectedCondition::titleContains(‘Professional Grade Security’)
);
$driver->wait()->until(
WebDriverExpectedCondition::elementToBeClickable(WebDriverBy::cssSelector(‘.action.tocart.primary’))
);
$nextButton = $driver->findElement(
WebDriverBy::cssSelector(‘.action.tocart.primary’)
);
$nextButton->submit();
$driver->wait()->until(
WebDriverExpectedCondition::visibilityOfElementLocated(WebDriverBy::cssSelector(‘.add-to-cart-dialog’))
);
$driver->get(‘https://domain.com/checkout/’);
$driver->wait()->until(
WebDriverExpectedCondition::visibilityOfElementLocated(WebDriverBy::cssSelector(‘.checkout-shipping-method’))
);
$driver->get(‘view-source:’.$driver->getCurrentUrl());
$paymentPage = $driver->getPageSource();
$old = file_get_contents(‘/home/username/security/payment.html’);
if($old != $paymentPage)
echo ‘hack’;
$driver->quits();

1.6 Bash wrapper script

Here is a final bash wrapper script that starts chromedriver server, Xvfb and executes the checkout PHP script.

/home/username/security/script.sh:

#!/bin/bash
/usr/bin/Xvfb :0 -ac -screen 0 1024x768x24 &
DISPLAY=:0 /usr/bin/chromedriver –port=4444 &
sleep 5
echo ‘running the test’
response=`/usr/bin/php /home/username/security/check.php`
echo $response
if [[ $response = “hack” ]]
then
echo ‘not good’
fi
kill -9 `pidof chromedriver`
kill -9 `pidof Xvfb`

Instead of ‘echo ‘not good’’, a simple sendmail command could be placed to send a notification email.

About the author: Konstantin Gerasimov is a Magento certified developer with Goivvy.com. He specializes in speed optimization, migration and general Magento support.

​Tweet E-commerce sites can suffer from hackers injecting pieces of JavaScript to sniff credit card or other sensitive data. It’s usually a checkout page with payment forms where JS code could be placed. There is a simple yet effective way to catch it. You store the original checkout page HTML and then regularly compare your

Related posts:
Are All of Your Web Pages Free of Security Errors?
One Simple Security Warning Can Ruin Sales
What goes into a Magento Security Patch at LexiConn – SUPEE-9767