Hi,
may I have a few specific questions about security?
Firstly, I admit I'm not a security expert, just a mediocre web developer.
XSS
I'm looking at templates and the Template and Controller code, and it seems none of the output is escaped.
Database escaping escapes in the context of the database, not HTML/CSS/JS...
May I ask how OC prevents XSS? A solution could be to apply htmlspecialchars($value, ENT_QUOTES) to the ->data[] entries; in the rare cases we want to store HTML, maybe whitelist tags using strip_tags...
Session fixation
Based on wikipedia add session_regenerate_id()?
CSRF
I see the CSRF is prevented in admin section by token, but what about customer? In case e.g. one of his favorites sites gets compromised with XSS that inserts a code that would try to buy something or change user data or anything... is there anything in place to prevent this? Not sure if we can use the token solution
The impact can of course most likely be solved by the admin of the e-shop, but it could still damage the shop's reputation
Thanks for responses
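The output escaping and session-id regeneration the post asks about, worked through as an added example; this is not OpenCart's own code, and escape_for_html, keep_basic_markup and login_customer are assumed helper names:

```php
<?php
// Added example, not OpenCart code: escape controller data before it
// reaches an HTML template, and regenerate the session id on login.

/**
 * Recursively escape every string in a controller's data array for an
 * HTML context. ENT_QUOTES converts both " and ' so a value cannot break
 * out of an attribute; ENT_SUBSTITUTE keeps invalid UTF-8 from silently
 * producing an empty string (which would hide data instead of failing).
 */
function escape_for_html(array $data): array
{
    foreach ($data as $key => $value) {
        if (is_array($value)) {
            $data[$key] = escape_for_html($value);
        } elseif (is_string($value)) {
            $data[$key] = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        }
    }
    return $data;
}

/**
 * For the rare field that must keep markup: strip_tags with a whitelist
 * removes unwanted tags but leaves attributes such as onclick="..." on the
 * allowed ones, so strip attributes as well (or use a real sanitizer such
 * as HTML Purifier). Apply it only to content from trusted users.
 */
function keep_basic_markup(string $html): string
{
    $clean = strip_tags($html, '<p><b><i><ul><li>');
    // Drop every attribute on the remaining opening tags: <p class="x"> -> <p>
    return preg_replace('/<(\w+)[^>]*>/', '<$1>', $clean);
}

/** Session fixation defence: fresh id on login, old id discarded. */
function login_customer(int $customer_id): void
{
    session_regenerate_id(true);
    $_SESSION['customer_id'] = $customer_id;
}

// Constructed sample: a customer-supplied review and a description that
// may keep simple formatting. The rich field is added after escaping
// because escaping it would turn its allowed tags into literal text.
$data = escape_for_html([
    'reviews' => [['author' => 'Bob <script>alert(1)</script>', 'text' => 'Nice" onmouseover="x']],
]);
$data['description'] = keep_basic_markup('<p onclick="steal()">Hi <b>there</b></p><img src=x onerror=y>');
// A template can now print these values directly.
```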
NoxArt wrote:
> Hi,
> XSS
> I'm looking at templates and the Template and Controller code, and it seems none of the output is escaped.
> Database escaping escapes in the context of the database, not HTML/CSS/JS...
> May I ask how OC prevents XSS? A solution could be to apply htmlspecialchars($value, ENT_QUOTES) to the ->data[] entries; in the rare cases we want to store HTML, maybe whitelist tags using strip_tags...

exactly what data are you worried about having an xss in it coming from the db and how would you have managed to get that data into the db?
OpenCart commercial mods and development http://spotonsolutions.net
Layered Navigation
Shipment Tracking
Vehicle Year/Make/Model Filter
as far as the CSRF on the frontend I don't see that being a huge problem. How many people leave a browser open and logged into a store front. It's fairly common for admins to have a browser open, but not customers, but I suppose you could implement a token system on the frontend, but it would be no small task.
Me and many people I know are just used to having a lot of stuff open in the browser's tabs and it's not a rare thing to be looking into the shop and then stop it for a while and do something productive (or not...)
Plus I dunno what the stats say, but imho not enough people use "logout" and sessions do not expire immediately*... decreasing the session lifetime might improve the resilience... a good idea could be a sliding expiration, so when someone actually uses the shop he'd be logged in, but if not he'd be logged out soon after
*) while we can say it's their problem, it would be better to provide a good experience without forcing them to follow some routines ... they just might not be "technical people"
The token system would of course be better... and (without deeper inspection, might re-evaluate) imho quite easy, we just wouldn't follow the OC's copy&paste nature and use OOP and either inheritance or the decorator pattern to add the token to the section's links
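A storefront CSRF token plus the sliding expiration sketched above, as an added example rather than OpenCart code; CSRF_KEY, IDLE_TIMEOUT and the helper names are assumptions, and the hash_equals comparison is standard PHP:

```php
<?php
// Added example, not OpenCart code: a per-session CSRF token for
// storefront forms and links, plus a sliding idle timeout. Assumes
// native PHP sessions; the timeout value is an assumption.

const CSRF_KEY = 'csrf_token';
const IDLE_TIMEOUT = 600; // seconds of inactivity before the session ends

/** Return the session's CSRF token, creating it on first use (CSPRNG). */
function csrf_token(): string
{
    if (empty($_SESSION[CSRF_KEY])) {
        $_SESSION[CSRF_KEY] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_KEY];
}

/** Add the token to a state-changing link, e.g. remove-from-cart. */
function csrf_url(string $url): string
{
    $sep = (strpos($url, '?') === false) ? '?' : '&';
    return $url . $sep . CSRF_KEY . '=' . urlencode(csrf_token());
}

/** Constant-time comparison; a missing or wrong token fails closed. */
function csrf_valid(?string $submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION[CSRF_KEY])
        && hash_equals($_SESSION[CSRF_KEY], $submitted);
}

/** Sliding expiry: refresh last_activity, or end an idle session. */
function touch_session(int $now): bool
{
    $last = $_SESSION['last_activity'] ?? $now;
    if ($now - $last > IDLE_TIMEOUT) {
        $_SESSION = [];
        session_destroy();
        return false; // caller redirects to login
    }
    $_SESSION['last_activity'] = $now;
    return true;
}

// Guard at the top of a state-changing storefront action (POST form or
// csrf_url() link): an idle session or a bad token stops the request.
session_start();
$token = $_POST[CSRF_KEY] ?? $_GET[CSRF_KEY] ?? null;
if (!touch_session(time()) || !csrf_valid($token)) { http_response_code(403); exit; }
```

Forms carry the token in a hidden input named csrf_token (printed through htmlspecialchars), and every state-changing link is built with csrf_url() so the same check covers both.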
if you want to try to implement it be my guest, to me it seems like a whole lot of work to patch what might possibly be a very tiny hole. I mean, like I said before, clients are not going to be on your store that much, then add to that how would an attacker know who might be on your store (let's face it, amazon's not going to run opencart) then you're talking about a virtually impossible attack.
you can have a look here: http://forum.opencart.com/viewtopic.php ... 20#p239995 , what I have created is a secure cookie; you can easily set the secure cookie to expire after 10 min for example.