Blog

How Magento Generates Form Keys

Published: February 12, 2018


As a follow-up to my recent article “How Magento Generates Admin Secret URL Keys” I’ve decided to take a look at yet another mechanism Magento uses to protect against CSRF attacks…form keys. In this post we’ll dig into Magento’s core code to understand exactly how they are generated in both Magento 1 and Magento 2.

How Magento Generates Admin Secret URL Keys

Published: February 11, 2018


Recently, while looking into a vulnerability for the Magento Bug Bounty I needed to generate the secret key for an admin URL. While I’d long known that Magento adds these keys for security purposes (specifically to protect against CSRF attacks) I never understood exactly how these keys are generated. In this post, I’ll document my findings.

Checking SSL / TLS Version Support of a Remote Host from the Command Line

Published: February 1, 2018


A few days back I received an alert from New Relic that a site was down.

I checked the New Relic UI for more details and saw the following…


“fatal alert: protocol_version”

I did a little bit of research and arrived at the New Relic forums where I found a question titled “Availability report - connection error (Received fatal alert: protocol_version)”. There I found the following answer…

The legacy Availability Monitor in APM only supports TLS 1.0 which is why it began throwing errors once you disabled older TLS protocols.

https://discuss.newrelic.com/t/availability-report-connection-error-received-fatal-alert-protocol-version/52483/5

My next course of action was to check whether or not the site in question supported TLS 1.0. In this post, let’s review our options for checking SSL / TLS version support from the command line.

Setting a php_value in PHP-FPM

Published: January 29, 2018


NOTE: The example used in this post is setting PHP's error_reporting level, which is no longer supported as of PHP 7.0. Regardless, the approaches documented in this post are still applicable for setting other php_values.

Recently I needed to adjust PHP’s error_reporting level.

The goal was to set it to E_ALL & ~E_NOTICE, which silences notices.

The project in question was a Magento deployment, where it’s never advisable to modify core files (e.g. index.php). As such, I Googled “htaccess error_reporting E_ALL & ~E_NOTICE”, with hopes of making the change in the .htaccess file.

Magento 1 Enterprise Random 404s on the Product Detail Page (/catalog/product/view)

Published: January 26, 2018


Recently, I received the following email from a client…

Help! My best selling product is 404-ing! We need this resolved ASAP!!!

Ruh-roh

My first step, of course, was to visit the URL for myself. Indeed, I got a 404.

Next up I added ?no_cache=1 at the end of the URL. This trick will bypass the full page cache in Magento 1 Enterprise, which the site in question was using. I refreshed the page and lo and behold the 404 was gone.

Digging in (after flushing the page cache), I ultimately found a bug that can cause cache poisoning with a 404 response on any product detail page if the session is considered “invalid”.

In this post, let’s look at the issue, and how it can be solved.

Converting Numeric Data to Alphanumeric in PHP with base_convert

Published: January 25, 2018


Recently a client came to me with the following request…

We’re planning to publish “offer codes” in our print circulars so that customers can search for more details on our website. The offer codes our system generates are long and will be cumbersome for users to enter into the search field on the website. What can we do about this?

The offer codes looked something like this…

I thought about it a little and then a lightbulb went off in my head.

This could be solved by stripping the “PRE-” prefix (which was consistent across every offer code) and converting the remaining numeric data to alphanumeric via a base-10 to base-36 conversion. The result would be short alphanumeric codes that looked something like this…

In this post we’ll look at how this can be achieved in PHP.