Post by straightlight » Wed Sep 12, 2018 8:54 pm

That is correct. No admin module installation is required for this package, as they are only new files to upload; it also covers HTML forms from the core. In OC v2.x releases, it may be possible, depending on the server you are on, that each template subfolder may involve the use of *.twig in the XML file. Since each case may be different, as it has already been different on the public forum since the beginning, that is the reason why definitive documentation can't be provided for this. However, this topic covers support for its use.

Dedication and passion goes to those who are able to push and merge a project.

Regards,
Straightlight
Programmer / Opencart Tester


Legendary Member

Posts

Joined
Mon Nov 14, 2011 11:38 pm
Location - Canada, ON

Post by ddpneu » Wed Sep 12, 2018 9:50 pm

Ok. So if I understand right:
  • I should upload the files
  • replace .twig with .tpl in the XML
  • be sure that I have zlib compression and zlib output in my php.ini
and it should work. Am I right?
How do I recognize whether it is really working or not?
And also a question: I'm using Journal2; will it be compatible?

Thanks.

New member

Posts

Joined
Sat Sep 14, 2013 4:54 am

Post by straightlight » Wed Sep 12, 2018 11:39 pm

How do I recognize whether it is really working or not?
Answered already above: by viewing the view-source code once the page has been refreshed, with the help of the zlib output. As for Journal2, no word so far about its compatibility.


Post by PSMDanny » Thu Nov 01, 2018 5:12 am

Hi and thank you for creating this wonderful extension and spending so much time here on helping users (that don't read).

Just wanted to note:
A couple of minutes ago I downloaded the extension and started testing on Opencart 3020 with vqmod 2.6.2. The admin test was correct... the frontend test was not correct (= no CSRF tokens...).

So I started debugging the XML file and found out that in the current downloadable version (csrf.xml) there was code missing for catalog/controller/common/header.php.

So I added the following code to the XML and everything seems to be working:

<file name="catalog/controller/common/header.php" error="skip">
    <operation error="skip">
        <search position="before"><![CDATA[$data['scripts']]]></search>
        <add><![CDATA[
        $this->load->helper('csrf_helper');

        csrf_start();
        ]]></add>
    </operation>
</file>

Thanks again and good luck!

Best Regards,
Danny

Newbie

Posts

Joined
Fri Apr 04, 2014 3:38 am

Post by daeval » Wed Dec 12, 2018 4:18 am

Hello, I downloaded the module but I think that the secure_compare function is wrong:
it has to return a boolean if session token == __csrf post form value, but the function returns a random string, being always true. Please check it.

function secure_compare($a, $b) {
    global $csrf_protection_expires;

    if (strlen($a) !== strlen($b)) {
        return false;
    }

    $randLength = 64;

    // On any PHP with random_bytes() or openssl_random_pseudo_bytes(),
    // $result becomes a fresh random hex string unrelated to $a and $b.
    if (function_exists("random_bytes")) {
        $result = bin2hex(random_bytes($randLength));
    } elseif (function_exists("openssl_random_pseudo_bytes")) {
        $result = bin2hex(openssl_random_pseudo_bytes($randLength));
    } else {
        // Only this fallback branch XORs the two strings byte by byte.
        $result = '';

        for ($i = 0; $i < strlen($a); $i++) {
            $result |= ord($a[$i]) ^ ord($b[$i]);
        }
    }

    // Returns a (truncated) string, not a boolean.
    return substr($result, 0, $csrf_protection_expires);
}

Newbie

Posts

Joined
Sat Sep 21, 2013 12:09 am

Post by straightlight » Wed Dec 12, 2018 7:05 pm

There is nothing wrong with the original function. Returning a random string is the goal to protect the HTML forms against CSRF attacks.


Post by Dave_MMP » Wed Mar 20, 2019 6:39 pm

My OpenCart Version: 2.3.0.2

I've been unable to get this module working correctly. The hidden input field is correctly added to the form; however, when simulating a CSRF attack, the request still goes through.

$this->load->helper('csrf_helper');
csrf_start();

has been added to "catalog/controller/common/home.php".

If I submit the password change form, entering a valid password, the password gets changed (as expected).

If I submit the password change form without entering any details, I get blocked with the message "CSRF check failed." - This should not happen; it should simply prompt the user to enter correct details.

If I edit the source of the page, removing the __csrf input, then submit the form with a valid password, the form submits OK and the password is changed. This should not happen!

If I simulate a CSRF attack using this HTML, the password gets changed to CSRF - This should be blocked!

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://domain.com/change-password" method="POST" enctype="multipart/form-data">
      <input type="hidden" name="password" value="CSRF" />
      <input type="hidden" name="confirm" value="CSRF" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

If I edit the csrf_check function in the helper and add:

var_dump($_SERVER['REQUEST_METHOD']);die();

just after the global declaration "global $csrf_protection_expires;", then when I submit the form I see this:

string(3) "GET"

This to me says that the csrf_check function is not running on the POST request, but on the redirect after the password has been changed?

Newbie

Posts

Joined
Wed Mar 20, 2019 6:16 pm
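The two problems raised in this thread, a compare routine that should return a boolean (daeval's post) and a check that was observed running only on the GET after the redirect (Dave_MMP's post), come down to two design points for a helper of this kind: the token comparison must be constant-time and yield true or false, and it must be invoked by the controller handling the POST before the state change and before any redirect. The PHP below is an added example written for this thread, not the extension's own csrf_helper. It reuses the thread's names (csrf_start, csrf_check, the __csrf field), but the one-hour lifetime, the plain PHP session handling and the output-buffer injection of the hidden field are assumptions.

```php
<?php
// Added example for this thread, not the extension's csrf_helper. Names follow
// the thread (csrf_start, csrf_check, __csrf); lifetime, session handling and
// the output-buffer injection are assumptions, written as plain PHP 7+.

const CSRF_FIELD = '__csrf';
const CSRF_TTL   = 3600; // assumed token lifetime in seconds

function csrf_session(): void {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Return the session's current token, minting a fresh one when missing or expired.
function csrf_token(): string {
    csrf_session();
    $now = time();
    if (empty($_SESSION[CSRF_FIELD]) || ($_SESSION[CSRF_FIELD . '_expires'] ?? 0) < $now) {
        $_SESSION[CSRF_FIELD] = bin2hex(random_bytes(32));
        $_SESSION[CSRF_FIELD . '_expires'] = $now + CSRF_TTL;
    }
    return $_SESSION[CSRF_FIELD];
}

// Insert the hidden field directly after every <form ... method="post" ...> tag,
// so view-source shows name="__csrf" inside each POST form.
function csrf_inject_forms(string $html, string $token): string {
    $input = '<input type="hidden" name="' . CSRF_FIELD . '" value="'
           . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
    return preg_replace(
        '~(<form\b[^>]*\bmethod\s*=\s*["\']?post["\']?[^>]*>)~i',
        '$1' . $input,
        $html
    );
}

// Call once per request before any output (e.g. from the common header controller).
function csrf_start(): void {
    $token = csrf_token();
    ob_start(function (string $html) use ($token): string {
        return csrf_inject_forms($html, $token);
    });
}

// True for safe methods or a POST carrying the session's unexpired token; false
// otherwise. The comparison is constant-time and yields a boolean, never a string.
function csrf_check(): bool {
    $method = strtoupper($_SERVER['REQUEST_METHOD'] ?? 'GET');
    if (!in_array($method, ['POST', 'PUT', 'PATCH', 'DELETE'], true)) {
        return true;
    }
    csrf_session();
    $expected = $_SESSION[CSRF_FIELD] ?? '';
    $sent     = $_POST[CSRF_FIELD] ?? '';
    if ($expected === '' || !is_string($sent)) {
        return false;
    }
    if (($_SESSION[CSRF_FIELD . '_expires'] ?? 0) < time()) {
        return false;
    }
    return hash_equals($expected, $sent);
}

// Usage in the controller that handles the password change (assumed pattern):
// the check runs on the POST itself, before the account is touched and before
// any redirect, so a later GET is never the request being inspected.
//
//   if (!csrf_check()) {
//       http_response_code(403);
//       exit('CSRF check failed.');
//   }
//   // ... validate input, then change the password ...
```

With the check placed in the POST handler, a request that omits the __csrf field or carries a stale value is rejected before the password is changed, while a form that only fails input validation is still handled by the normal validation path because its token is valid. A cross-site page such as the PoC above cannot read the victim's session token, so its POST arrives without a matching field and csrf_check() returns false.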

Post by Pyrocrafter » Mon Apr 01, 2019 10:31 pm

I uploaded system and vqmod folders. Nothing has appeared in my extensions>modules though.

New member

Posts

Joined
Tue May 14, 2013 4:49 am

Post by straightlight » Tue Apr 02, 2019 6:57 am

Dave_MMP wrote:
Wed Mar 20, 2019 6:39 pm
My OpenCart Version: 2.3.0.2

I've been unable to get this module working correctly. The hidden input field is correctly added to the form; however, when simulating a CSRF attack, the request still goes through.

$this->load->helper('csrf_helper');
csrf_start();

has been added to "catalog/controller/common/home.php".

If I submit the password change form, entering a valid password, the password gets changed (as expected).

If I submit the password change form without entering any details, I get blocked with the message "CSRF check failed." - This should not happen; it should simply prompt the user to enter correct details.

If I edit the source of the page, removing the __csrf input, then submit the form with a valid password, the form submits OK and the password is changed. This should not happen!

If I simulate a CSRF attack using this HTML, the password gets changed to CSRF - This should be blocked!

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://domain.com/change-password" method="POST" enctype="multipart/form-data">
      <input type="hidden" name="password" value="CSRF" />
      <input type="hidden" name="confirm" value="CSRF" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

If I edit the csrf_check function in the helper and add:

var_dump($_SERVER['REQUEST_METHOD']);die();

just after the global declaration "global $csrf_protection_expires;", then when I submit the form I see this:

string(3) "GET"

This to me says that the csrf_check function is not running on the POST request, but on the redirect after the password has been changed?
You are showing the HTML form example, but the hidden __csrf input is not showing below the form tag, which means either the zlib compression output in your php.ini file is disabled, or it is enabled but you did not configure your paths correctly in your XML file.


Post by straightlight » Tue Apr 02, 2019 6:58 am

Pyrocrafter wrote:
Mon Apr 01, 2019 10:31 pm
I uploaded system and vqmod folders. Nothing has appeared in my extensions>modules though.
Same response as provided above.


Post by subsa » Sat Apr 27, 2019 5:20 am

Hi,
I have been dealing with your code for a long time.
I made it work last time at srelectronics.co.uk, but still got 48-52 fake registrations per day.
I re-read all posts last night, checking for alternative login methods, and put in the API protection script, but today got 48 registrations again.
OC is 3.0.3.1
website: srelectronics.co.uk
My XML file is as follows:

<?xml version="1.0" encoding="UTF-8"?>
<modification>
    <id>CSRF Form Protection</id>
    <version>v2.x and v3.x</version>
    <vqmver required="true">2.6.0</vqmver>
    <author>Straightlight</author>

    <file name="admin/controller/common/header.php" error="skip">
        <operation error="skip">
            <search position="before"><![CDATA[$data['scripts']]]></search>
            <add><![CDATA[
            $this->load->helper('csrf_helper');

            csrf_start();
            ]]></add>
        </operation>
    </file>

    <file name="catalog/controller/common/header.php" error="skip">
        <operation error="skip">
            <search position="before"><![CDATA[$data['scripts']]]></search>
            <add><![CDATA[
            $this->load->helper('csrf_helper');

            csrf_start();
            ]]></add>
        </operation>
    </file>

    <file name="catalog/view/theme/*/template/account/*.twig" error="skip">
        <operation error="skip">
            <search position="replace" regex="true"><![CDATA[~(<form[^>]*method\s*=\s*["\']post["\'][^>]*>)~i]]></search>
            <add><![CDATA[$1]]></add>
        </operation>
    </file>

    <file name="catalog/view/theme/*/template/affiliate/*.twig" error="skip">
        <operation error="skip">
            <search position="replace" regex="true"><![CDATA[~(<form[^>]*method\s*=\s*["\']post["\'][^>]*>)~i]]></search>
            <add><![CDATA[$1]]></add>
        </operation>
    </file>

    <file name="catalog/view/theme/*/template/checkout/*.twig" error="skip">
        <operation error="skip">
            <search position="replace" regex="true"><![CDATA[~(<form[^>]*method\s*=\s*["\']post["\'][^>]*>)~i]]></search>
            <add><![CDATA[$1]]></add>
        </operation>
    </file>

    <file name="catalog/view/theme/*/template/common/*.twig" error="skip">
        <operation error="skip">
            <search position="replace" regex="true"><![CDATA[~(<form[^>]*method\s*=\s*["\']post["\'][^>]*>)~i]]></search>
            <add><![CDATA[$1]]></add>
        </operation>
    </file>

    <file name="catalog/view/theme/*/template/error/*.twig" error="skip">
        <operation error="skip">
            <search position="replace" regex="true"><![CDATA[~(<form[^>]*method\s*=\s*["\']post["\'][^>]*>)~i]]></search>
            <add><![CDATA[$1]]></add>
        </operation>
    </file>

    <file name="catalog/view/theme/*/template/extension/captcha/*.twig" error="skip">
        <operation error="skip">
            <search position="replace" regex="true"><![CDATA[~(<form[^>]*method\s*=\s*["\']post["\'][^>]*>)~i]]></search>
            <add><![CDATA[$1]]></add>
        </operation>
    </file>

    <file name="catalog/view/theme/*/template/extension/credit_card/*.twig" error="skip">
        <operation error="skip">
            <search position="replace" regex="true"><![CDATA[~(<form[^>]*method\s*=\s*["\']post["\'][^>]*>)~i]]></search>
            <add><![CDATA[$1]]></add>
        </operation>
    </file>

    <file name="catalog/view/theme/*/template/extension/module/*.twig" error="skip">
        <operation error="skip">
            <search position="replace" regex="true"><![CDATA[~(<form[^>]*method\s*=\s*["\']post["\'][^>]*>)~i]]></search>
            <add><![CDATA[$1]]></add>
        </operation>
    </file>

    <file name="catalog/view/theme/*/template/extension/payment/*.twig" error="skip">
        <operation error="skip">
            <search position="replace" regex="true"><![CDATA[~(<form[^>]*method\s*=\s*["\']post["\'][^>]*>)~i]]></search>
            <add><![CDATA[$1]]></add>
        </operation>
    </file>

    <file name="catalog/view/theme/*/template/extension/recurring/*.twig" error="skip">
        <operation error="skip">
            <search position="replace" regex="true"><![CDATA[~(<form[^>]*method\s*=\s*["\']post["\'][^>]*>)~i]]></search>
            <add><![CDATA[$1]]></add>
        </operation>
    </file>

    <file name="catalog/view/theme/*/template/extension/total/*.twig" error="skip">
        <operation error="skip">
            <search position="replace" regex="true"><![CDATA[~(<form[^>]*method\s*=\s*["\']post["\'][^>]*>)~i]]></search>
            <add><![CDATA[$1]]></add>
        </operation>
    </file>

    <file name="catalog/view/theme/*/template/information/*.twig" error="skip">
        <operation error="skip">
            <search position="replace" regex="true"><![CDATA[~(<form[^>]*method\s*=\s*["\']post["\'][^>]*>)~i]]></search>
            <add><![CDATA[$1]]></add>
        </operation>
    </file>

    <file name="catalog/view/theme/*/template/mail/*.twig" error="skip">
        <operation error="skip">
            <search position="replace" regex="true"><![CDATA[~(<form[^>]*method\s*=\s*["\']post["\'][^>]*>)~i]]></search>
            <add><![CDATA[$1]]></add>
        </operation>
    </file>

    <file name="catalog/view/theme/*/template/product/*.twig" error="skip">
        <operation error="skip">
            <search position="replace" regex="true"><![CDATA[~(<form[^>]*method\s*=\s*["\']post["\'][^>]*>)~i]]></search>
            <add><![CDATA[$1]]></add>
        </operation>
    </file>

</modification>

Newbie

Posts

Joined
Tue May 23, 2017 9:49 pm

Post by straightlight » Sat Apr 27, 2019 6:08 am

Do you see the __csrf key in the view source of your browser? (If so, don't post it here!) Simply indicate whether you do see it or not. If not, then ensure zlib.output_compression is activated in your php.ini file.


Post by subsa » Sat Apr 27, 2019 7:34 am

When I navigate to http://srelectronics.co.uk/index.php?ro ... t/register in my web browser and check the source code, I can read the value of the __csrf hidden field.
I did not misunderstand it, right? It should be like this to work.
4 new registrations since posting my previous post; I can sort some of them out by blocking 31.184.238.***, but some are from another IP.
I want to solve it.


Post by straightlight » Sat Apr 27, 2019 7:45 pm

Which Captcha extension are you using?


Post by subsa » Sun Apr 28, 2019 7:53 am

Basic Captcha and Google reCAPTCHA are enabled.
I do not know how Google reCAPTCHA is supposed to appear or work; I registered and put in the keys, but did not get the tick when registering.


Post by straightlight » Sun Apr 28, 2019 10:18 pm

subsa wrote:
Sun Apr 28, 2019 7:53 am
Basic Captcha and Google reCAPTCHA are enabled.
I do not know how Google reCAPTCHA is supposed to appear or work; I registered and put in the keys, but did not get the tick when registering.
Then, the issue is with the Captcha extension, not with the CSRF token since you are able to see it from the view source.


Post by subsa » Mon Apr 29, 2019 11:26 am

I feel you are right.
Google reCaptcha without any version means it is version 1, which no longer works?
And it looks like I have to paste some code in my pages to activate version 3?
I am starting to think the problem is version 3.0.3.1 and I have to go back to 3.0.2.0.
You have not stated that the extension works with 3.0.3.1, and I think my code is a bit different from the original version.

Sorted, it was a captcha problem.
To avoid posting a new comment, I just edited this one.
Do not forget to assign the captcha to the relevant pages, in System > Settings > Option,
and in Extensions > Captchas as well.
Last edited by subsa on Tue Apr 30, 2019 7:09 am, edited 1 time in total.


Post by straightlight » Mon Apr 29, 2019 7:29 pm

Until the next OC release, this extension should work for all prior versions as long as you adjust the XML folder paths and files accordingly for the VQmod version that you are using. However, since this is a captcha issue, please create a new topic about it, since this topic is only about CSRF extension troubleshooting.


Post by straightlight » Wed May 01, 2019 8:44 pm

Update: According to this topic: viewtopic.php?f=99&t=211487, version 3 of reCaptcha has been released, which can also be a reason why CSRF attackers could still manipulate web forms. The captcha may need to be updated for users still using reCaptcha v2.


Post by webs_bd » Tue May 14, 2019 4:20 pm

Opencart 3.0.2.0.
I have uploaded the files but cannot install the extension, as it is not showing under extensions. I have tried everything I can think of but no success. Can you shed any light as to why this might be?

Big Decision
Website Production, Ecommerce & Digital Marketing in the UK
http://www.bigdecision.co.uk


New member

Posts

Joined
Sat Nov 09, 2013 8:29 pm