Automated security check against injected malicious JavaScript
E-commerce sites can suffer from attackers injecting pieces of JavaScript that sniff credit card numbers and other sensitive data (the technique commonly known as web skimming).
The usual target is the checkout page: that is where the payment forms live and where a few lines of injected JS can read every field the customer types.
There is a simple yet effective way to catch it.
You store the checkout page HTML captured from a state you know to be clean and then regularly compare the current checkout page against that 'gold standard'.
In this article I'll describe one way of automating this security check using a $10 Linux box.
1. Test Case
We will use a Magento 2 e-commerce site as an example.
The script will visit the website, add an item to the cart, proceed to checkout and compare the checkout page HTML against the template we have stored on the server.
If there is a mismatch, it indicates the page has been altered and needs to be reviewed.
2. Installation
We will use a Linux box with 2 GB of RAM running Debian 10.
2.1 Facebook/Webdriver
Firstly, we need to install facebook/webdriver, a PHP client library for driving a browser through the WebDriver protocol. (The package has since been renamed php-webdriver/webdriver; the Facebook\WebDriver namespace used in the script below is unchanged, so either package name works with it.)

```bash
sudo apt update
sudo apt-get install composer
mkdir /home/username/security && cd /home/username/security
sudo apt-get install php-cli php-zip unzip wget php-curl
composer require facebook/webdriver
```
2.2 Google Chrome Browser
Next, we will install the Google Chrome web browser:

```bash
wget https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb
sudo apt-get install ./google-chrome-stable_current_amd64.deb
```
2.3 ChromeDriver
ChromeDriver is a standalone server that drives the Google Chrome browser over the WebDriver protocol.
The major version of ChromeDriver must match the installed Chrome: check it with `google-chrome --version` and download the matching build (92 in the example below).

```bash
google-chrome --version
wget https://chromedriver.storage.googleapis.com/92.0.4515.107/chromedriver_linux64.zip
unzip chromedriver_linux64.zip
sudo cp chromedriver /usr/bin/
```

Note that the Google Chrome package registers its own apt repository, so a routine `apt-get upgrade` can move Chrome to a newer major version and leave ChromeDriver behind. When that happens the browser session fails to start rather than the page being reported as mismatched, so re-download the matching ChromeDriver after every Chrome upgrade.
2.4 Xvfb
Xvfb is a virtual X server. We need it so Google Chrome can run on a server that has no monitor attached. (Chrome can also be started with the --headless flag, which avoids Xvfb altogether, but the scripts below use a virtual display.)

```bash
sudo apt-get install xvfb
```
2.5 PHP script to visit the checkout page
Below is the script that visits the Magento 2 website, adds an item to the cart, proceeds to the checkout and compares the checkout page HTML to what we have stored on the server.
The comparison is byte-for-byte, so the stored payment.html must be captured the same way (same URL, same view-source: trick) from a state you know to be clean, and any value that changes per request, such as Magento's form_key, will show up as a mismatch until it is masked.
/home/username/security/check.php:

```php
<?php
namespace Facebook\WebDriver;

use Facebook\WebDriver\Remote\DesiredCapabilities;
use Facebook\WebDriver\Remote\RemoteWebDriver;

require_once('vendor/autoload.php');

// ChromeDriver, started by the wrapper script, listens here.
$host = 'http://localhost:4444/';
$capabilities = DesiredCapabilities::chrome();
$driver = RemoteWebDriver::create($host, $capabilities);

try {
    // 1. Open the home page and wait for it to load (the title check is site-specific).
    $driver->get('https://domain.com/');
    $driver->wait()->until(
        WebDriverExpectedCondition::titleContains('Professional Grade Security')
    );

    // 2. Add the first product on the page to the cart.
    $driver->wait()->until(
        WebDriverExpectedCondition::elementToBeClickable(WebDriverBy::cssSelector('.action.tocart.primary'))
    );
    $nextButton = $driver->findElement(
        WebDriverBy::cssSelector('.action.tocart.primary')
    );
    $nextButton->submit();
    $driver->wait()->until(
        WebDriverExpectedCondition::visibilityOfElementLocated(WebDriverBy::cssSelector('.add-to-cart-dialog'))
    );

    // 3. Go to the checkout and wait until the shipping step has rendered.
    $driver->get('https://domain.com/checkout/');
    $driver->wait()->until(
        WebDriverExpectedCondition::visibilityOfElementLocated(WebDriverBy::cssSelector('.checkout-shipping-method'))
    );

    // 4. Load the view-source: view so the capture is based on the HTML as served,
    //    not on the DOM after the page's JavaScript has run (a script injected at
    //    runtime by another script would only show up in the latter).
    $driver->get('view-source:' . $driver->getCurrentUrl());
    $paymentPage = $driver->getPageSource();
} finally {
    // Always close the browser, even if a wait timed out.
    $driver->quit();
}

// 5. Strict comparison against the stored gold standard.
$old = file_get_contents('/home/username/security/payment.html');
if ($old !== $paymentPage) {
    // Keep a copy of what we saw so the difference can be reviewed.
    file_put_contents('/home/username/security/payment-current.html', $paymentPage);
    echo 'hack';
    exit(1);
}
echo 'ok';
```
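The byte-for-byte comparison in check.php raises an alert for any change at all, including per-request values such as Magento's form_key, and it does not tell you what changed. The following is an added example (my code, not the author's), written in Python so it can be run on the server against a stored baseline and the HTML that check.php captures: it records the page's script inventory (external src URLs and SHA-256 hashes of inline script bodies), masks form_key before hashing, and reports scripts added to or removed from the page. The sample HTML pages, the VOLATILE pattern list and the file names are constructed for the example.

```python
"""Script-inventory comparison for a checkout page (added example).

Instead of comparing the whole page byte for byte, record which scripts the
page loads (external src URLs) and a hash of each inline script body, and
alert when that inventory changes.  Per-request values such as the Magento
form_key are masked first so they do not trigger false alarms.
"""
import hashlib
import json
import re
import sys
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from an HTML document."""

    def __init__(self):
        super().__init__()
        self.external = []   # values of <script src="...">
        self.inline = []     # bodies of <script>...</script>
        self._buf = None     # non-None while inside an inline script

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._buf = []   # start capturing an inline script body

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None


# Values that legitimately change on every request.  The form_key pattern matches
# Magento's CSRF token in both "form_key = 'x'" and '"form_key":"x"' forms; extend
# the list with whatever else varies on your checkout.  Constructed for this example.
VOLATILE = [
    (re.compile(r"""form_key(["']?\s*[:=]\s*["'])[A-Za-z0-9]+(["'])"""), r"form_key\1FORM_KEY\2"),
]


def normalize(text: str) -> str:
    """Mask per-request values so identical scripts hash identically across loads."""
    for pattern, replacement in VOLATILE:
        text = pattern.sub(replacement, text)
    return text.strip()


def inventory(html: str) -> dict:
    """Return the page's script inventory: sorted external URLs and inline-body hashes."""
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    inline_hashes = sorted(
        hashlib.sha256(normalize(body).encode("utf-8")).hexdigest() for body in collector.inline
    )
    return {"external": sorted(set(collector.external)), "inline": inline_hashes}


def compare(baseline: dict, current: dict) -> dict:
    """Report scripts added to or removed from the page relative to the baseline."""
    diff = {}
    for kind in ("external", "inline"):
        old, new = set(baseline[kind]), set(current[kind])
        diff["new_" + kind] = sorted(new - old)
        diff["missing_" + kind] = sorted(old - new)
    return diff


def is_clean(diff: dict) -> bool:
    """True when nothing was added or removed."""
    return not any(diff.values())


# Constructed sample pages standing in for the real checkout HTML.
BASELINE_HTML = """<html><head>
<script src="/static/version1/frontend/Magento/luma/en_US/requirejs/require.js"></script>
<script>var form_key = "AbCd1234EfGh5678";</script>
</head><body><form id="co-payment-form"></form></body></html>"""

# Same page on a later visit: only the form_key changed, which must not alert.
LATER_HTML = BASELINE_HTML.replace("AbCd1234EfGh5678", "Zz99Yy88Xx77Ww66")

# Same page with a skimmer added: one new external script and one new inline loader.
SKIMMED_HTML = LATER_HTML.replace(
    "</head>",
    '<script src="https://cdn.example.net/stats.js"></script>\n'
    '<script>document.forms[0].addEventListener("submit", function(){});</script></head>',
)


def main(argv):
    """Usage: script_diff.py baseline.json current.html  (exit 0 clean, 1 changed).
    Build baseline.json once from a clean capture with json.dump(inventory(html), f)."""
    with open(argv[1]) as f:
        baseline = json.load(f)
    with open(argv[2]) as f:
        diff = compare(baseline, inventory(f.read()))
    print(json.dumps(diff, indent=2))
    return 0 if is_clean(diff) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Listing external scripts by URL only tells you that a new file is being loaded; a skimmer appended to an existing file on your own origin keeps the same URL, so for full coverage fetch each external script and hash its body as well. A skimmer added to an existing inline script does change that script's hash and is reported as one missing and one new inline entry.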
2.6 Bash wrapper script
Here is the final bash wrapper script that starts the chromedriver server and Xvfb, runs the checkout PHP script, and alerts if the script either reports 'hack' or fails to complete. Checking the exit status matters: a timed-out wait or a ChromeDriver/Chrome version mismatch makes the PHP script abort without printing 'hack', and a check that only looks for that word would silently pass.
/home/username/security/script.sh:

```bash
#!/bin/bash
/usr/bin/Xvfb :0 -ac -screen 0 1024x768x24 &
XVFB_PID=$!
DISPLAY=:0 /usr/bin/chromedriver --port=4444 &
DRIVER_PID=$!
sleep 5
echo 'running the test'
response=$(/usr/bin/php /home/username/security/check.php)
status=$?
echo "$response"
# Alert on an explicit mismatch or on any failure to finish the check.
if [[ "$response" = "hack" || $status -ne 0 ]]
then
    echo 'not good'
fi
kill "$DRIVER_PID" "$XVFB_PID"
```
Instead of echo 'not good', a simple sendmail command could be placed there to send a notification email, and the wrapper itself can be scheduled from cron so the check runs regularly.
…
About the author: Konstantin Gerasimov is a Magento certified developer with Goivvy.com. He specializes in speed optimization, migration and general Magento support.