Re: [RELEASED] CSRF Protection Form
Posted: Thu Mar 29, 2018 6:10 pm
The first post has now been updated for users to get more information about what CSRF attackers do.
OpenCart Community Forum - Discuss shopping cart and e-commerce solutions.
https://forum.opencart.com/
Can you describe how to "remove it from XML" to test that the error message appears?

straightlight wrote: ↑Sat Jan 28, 2012 1:22 am
// How to test ?
...
Below that line, you should see a new hidden input line. If you try to remove it from the XML and retry the page once the login form is posted, you should see an error message that the CSRF protection has failed, which means the token was not recognized.
Code:
<!--<file ...
Code:
</file>-->
sfbh wrote: ↑Fri Mar 30, 2018 1:37 am
I found another explanation of CSRF and finally I understand it (previous explanations weren't in plain language that I could understand). Based on this explanation it seems very unlikely that CSRF is being used to create the fake customer and affiliate accounts that I have been experiencing each day. And therefore a CSRF token is not the fix that I need to address this problem. It seems that recaptcha is the appropriate solution to my issue. I hope this helps provide clarity for others.
https://stackoverflow.com/questions/520 ... es-it-work

No worries. It is likely on the forum that 99% of the users who report issues aren't reporting OC's actual issues anyhow.

sfbh wrote:
I found another explanation of CSRF and finally I understand it (previous explanations weren't in plain language that I could understand).

Here's the version of the clarity that I have. The CSRF does indeed not prevent spam, but prevents floods from occurring on HTML post forms when spammers attempt to flood these web forms. That being said, it has also not been said anywhere that the CSRF Protection form prevents spam attacks on the Marketplace. While the re-captcha is the additional solution, I have mentioned in multiple places on the forum that installing the re-captcha along with the CSRF protection, to protect against floods and spam, improves protection for stores.

sfbh wrote:
And therefore a CSRF token is not the fix that I need to address this problem. It seems that recaptcha is the appropriate solution to my issue. I hope this helps provide clarity for others.
Social logins? You mean like Facebook, etc.? The answer is no. Login is purely via email.

straightlight wrote: ↑Fri Mar 23, 2018 6:33 pm
As questioned above to other users, are you using any social login extensions or remote logins to your site?

ameliaa wrote: ↑Fri Mar 23, 2018 10:44 am
Is this mod really working? I installed it on both my sites. Still receiving registration spam (lots of it), even affiliate spam.
OC Version: 2.0.1.1 and 2.0.3.1
URLs:
https://bit.ly/2pxDAtx
https://bit.ly/2pxgpP6
Code:
<form action="https://..../index.php?route=account/login" method="post" enctype="multipart/form-data">
Code:
<form action="https://..../index.php?route=account/login" method="post" enctype="multipart/form-data"><?php echo $this->csrf->csrf_form_input(); ?>
Code:
<form action="https://..../admin/index.php?route=common/login" method="post" enctype="multipart/form-data"><input type="hidden" name="__csrf" value="....">
Code:
<?php echo $this->csrf->csrf_form_input(); ?>
Code:
<file name="admin/controller/common/header.php" error="skip">
<operation error="skip">
<search position="before"><![CDATA[$data['scripts']]]></search>
<add><![CDATA[
$this->load->helper('csrf_helper');
csrf_start();
]]></add>
</operation>
</file>
Code:
<form action="https://..../index.php?route=account/login" method="post" enctype="multipart/form-data">
<div class="form-group">
<label class="control-label" for="input-email">E-Mail Address</label>
<input type="text" name="email" value="" placeholder="E-Mail Address" id="input-email" class="form-control" />
</div>
<div class="form-group">
<label class="control-label" for="input-password">Password</label>
<input type="password" name="password" value="" placeholder="Password" id="input-password" class="form-control" />
<a href="https://..../index.php?route=account/forgotten">Forgotten Password</a></div>
<input type="submit" value="Login" class="btn btn-primary" />
</form>
Code:
<file name="catalog/controller/common/header.php" error="skip">
<operation error="skip">
<search position="before"><![CDATA[$this->data['scripts']]]></search>
<add><![CDATA[
$this->load->helper('csrf_helper');
csrf_start();
]]></add>
</operation>
</file>
Code:
<file name="catalog/view/theme/*/template/information/*.twig" error="skip">
<operation error="skip">
<search position="replace" regex="true"><![CDATA[~(<form[^>]*method\s*=\s*["\']post["\'][^>]*>)~]]></search>
<add><![CDATA[$1]]></add>
</operation>
</file>
Disabling the affiliate system won't solve the issue, since customer registrations can still be spammed. This support forum is for CSRF protection form troubleshooting / inquiries, not for general support. Is the CSRF token showing in your view source after adding the extension?

ameliaa wrote: ↑Mon Apr 16, 2018 1:38 pm
I have disabled affiliate registrations so I am no longer receiving affiliate spam.
For customer registrations, I have stopped receiving fake registrations on one website (OpenCart 2.0.1.1). However, I am still receiving a ton of fake registrations on another site (OpenCart 2.0.3.1). Any idea why the mod is working on one site, but not the other?

The instructions above were simply about adding the information block to see if you were able to see the CSRF input in the view source. Your XML file targets all TWIG folders, which makes the troubleshooting harder. Instructions not followed. In the meantime, you seem to have spaces between [ ~ and ~i ] and also around [ $1 ]. None of these instances must contain any spaces.
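As an added, self-contained illustration (not the CSRF Protection Form extension's code and not anything posted in this thread), the following PHP shows the two mechanics the thread talks about: the hidden token check that produces the "CSRF protection has failed" result in the "How to test" quote when the input is removed, and the OCMod-style regex replace that inserts the hidden input after every POST form tag (with the ~i flag and $1 written without spaces, as the last reply insists). The function names, the `csrf_token` session key and the `$session` array standing in for `$_SESSION` are assumptions; the `__csrf` field name is the one visible in the admin login form above. It also illustrates the thread's other point: a bot that first loads the form itself receives a valid token, so the token stops forged cross-site posts, not spam signups, which is why the captcha is recommended alongside it.

```php
<?php
// Added example for this thread, not the CSRF Protection Form extension's own
// code. Function names (csrf_token_input, csrf_verify, csrf_inject_into_forms),
// the session key and the $session array standing in for $_SESSION are assumptions.
declare(strict_types=1);

const CSRF_FIELD = '__csrf';            // hidden field name seen in the thread's admin login form
const CSRF_SESSION_KEY = 'csrf_token';  // assumed session key

// Create the per-session token on first use and return the hidden input
// that belongs inside every POST form the server renders.
function csrf_token_input(array &$session): string
{
    if (empty($session[CSRF_SESSION_KEY])) {
        $session[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return '<input type="hidden" name="' . CSRF_FIELD . '" value="'
        . htmlspecialchars($session[CSRF_SESSION_KEY], ENT_QUOTES, 'UTF-8') . '">';
}

// Verify a submitted form: the field must be present and equal the session
// copy. hash_equals() keeps the comparison constant-time.
function csrf_verify(array $session, array $post): bool
{
    if (empty($session[CSRF_SESSION_KEY])
        || !isset($post[CSRF_FIELD]) || !is_string($post[CSRF_FIELD])) {
        return false;
    }
    return hash_equals($session[CSRF_SESSION_KEY], $post[CSRF_FIELD]);
}

// Insert the hidden input right after every POST <form ...> tag. This is the
// thread's OCMod regex applied with preg_replace(): the ~i flag makes the
// match case-insensitive and $1 re-emits the matched form tag, so the
// replacement is "$1" immediately followed by the input, no spaces around either.
function csrf_inject_into_forms(string $html, string $input): string
{
    $pattern = '~(<form[^>]*method\s*=\s*["\']post["\'][^>]*>)~i';
    return preg_replace($pattern, '$1' . $input, $html);
}

// --- demonstration on constructed data ---
$session = [];
$input = csrf_token_input($session);

// Constructed page: one POST form (gets the token) and one GET form (left alone).
$page = '<form action="index.php?route=account/login" method="POST">'
      . '<input type="text" name="email"></form>'
      . '<form action="index.php?route=product/search" method="get"></form>';
echo csrf_inject_into_forms($page, $input), "\n";

// 1. Normal login: the browser posts back the token the server put in the form.
$normal = ['email' => 'user@example.com', CSRF_FIELD => $session[CSRF_SESSION_KEY]];
echo 'normal post: ', csrf_verify($session, $normal) ? 'accepted' : 'rejected', "\n";

// 2. The "How to test" case from the thread: the hidden input is gone (for
//    instance the <file> block was commented out of the XML), so the post
//    carries no token and is rejected; this is where the extension shows
//    its "CSRF protection has failed" message.
$noToken = ['email' => 'user@example.com'];
echo 'token removed: ', csrf_verify($session, $noToken) ? 'accepted' : 'rejected', "\n";

// 3. A request forged from another site cannot carry this session's token,
//    so any other value is rejected the same way.
$wrongToken = ['email' => 'user@example.com', CSRF_FIELD => str_repeat('0', 64)];
echo 'wrong token: ', csrf_verify($session, $wrongToken) ? 'accepted' : 'rejected', "\n";
```

In a real OpenCart install the token would live in `$this->session->data` and the input would be emitted by the extension's own helper (`csrf_form_input()` in the templates shown above); the regex injection is what the OCMod `<search regex="true">` / `<add>` pair does to the template files at modification-refresh time, which is why a space inside `~i` or around `$1` breaks it.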