http://www.opencart.com/index.php?route ... order=DESC
This topic will also be useful for support when required. Whatever you do when you ask for support, do NOT post the generated token ID with it, for your own safety and that of your customers.
// How to test?
Once installed for the first time, clear all cache and cookies from your browser. Close your browser, re-open it and go to the admin section. Then view the page source in your browser and search for: <form . Below that line, you should see a new hidden input line. If you remove it from the XML and retry the page once the login form has been posted, you should see an error message that the CSRF protection has failed, which means the token was not recognized. In other words, DON'T remove it, for your own safety and your customers'. You may try the same step on the front-end. From the header, you should already notice the same result.
Note: If you use a custom template or an admin contribution that requires a form, just make sure to check, for each:
<form
that it is followed by:
<?php echo $this->csrf->csrf_form_input(); ?>
The following is information about what CSRF attackers may collect from websites or via an API: https://www.owasp.org/index.php/Cross-S ... heat_Sheet
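To illustrate the test described above (hidden token below each <form, and a failed check when the token is removed), here is an added Python example that is not part of the extension or this post. The field name csrf_token, the CsrfGuard class, the audit_template() helper and the sample template are all constructed for the example; the token is bound to the session and compared in constant time, and the audit function automates the "search for <form and check the line below" step over a template.

```python
import hmac
import html
import re
import secrets

FIELD = "csrf_token"  # constructed field name; the extension's real name is not shown
FORM_RE = re.compile(r"<form\b[^>]*>", re.IGNORECASE)


class CsrfGuard:
    """Per-session token: issued once per login session and reused for every form."""

    def __init__(self, session: dict):
        self.session = session
        # Generate the token once per session with a CSPRNG; never share it across sessions.
        self.session.setdefault(FIELD, secrets.token_hex(32))

    def form_input(self) -> str:
        """Hidden input to emit right below each <form ...> tag (like csrf_form_input())."""
        return '<input type="hidden" name="%s" value="%s" />' % (
            FIELD, html.escape(self.session[FIELD]))

    def validate(self, post: dict) -> bool:
        """True only if the submitted token matches this session's token exactly.
        A removed or tampered hidden input yields False, i.e. 'CSRF protection failed'."""
        submitted = post.get(FIELD)
        if not isinstance(submitted, str):
            return False
        return hmac.compare_digest(submitted, self.session[FIELD])


def audit_template(template: str, marker: str = "csrf_form_input()") -> list:
    """Return 1-based line numbers of <form> tags whose body lacks the token marker."""
    missing = []
    for m in FORM_RE.finditer(template):
        end = template.find("</form>", m.end())
        body = template[m.end(): end if end != -1 else len(template)]
        if marker not in body:
            missing.append(template.count("\n", 0, m.start()) + 1)
    return missing


# Constructed sample template: the first form is protected, the second one is not.
SAMPLE_TEMPLATE = """<form action="index.php?route=common/login" method="post">
  <?php echo $this->csrf->csrf_form_input(); ?>
  <input type="text" name="username" />
</form>
<form action="index.php?route=common/forgotten" method="post">
  <input type="text" name="email" />
</form>"""
```

Running audit_template(SAMPLE_TEMPLATE) reports the unprotected form at line 5, and CsrfGuard.validate() returns False for a POST with the hidden input stripped or with a token taken from another session.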