straightlight wrote (Wed Feb 03, 2021 7:46 am):
As explained above, it would be the ordering priority entered by the user when using the element names on the <form line.

nightwing wrote (Wed Feb 03, 2021 5:22 am):
Ok straightlight - Question though, what would cause the regex to replace the form tag instead of adding after?

straightlight wrote (Wed Feb 03, 2021 12:28 am):
Because of JS tokens that 3rd party scripts can already use.

Regards,
Nightwing
Access to my Free Extensions: https://www.opencart.com/index.php?rout ... =nightwing
They both can and must be used to import the CSRF token, but the only difference is the way they're being entered by the user as priority for each element name, which is why the use of regex is eminent in this case.

nightwing wrote (Wed Feb 03, 2021 8:22 am):
I get you... Hmm, that cannot be used then, as I see tags with <form method and <form action... If this is what you mean.

Dedication and passion goes to those who are able to push and merge a project.
Regards,
Straightlight
Programmer / Opencart Tester
I used this from your original vqmod:
Code:
~(<form[^>]*method\s*=\s*["\']post["\'][^>]*>)~i

Regards,
Nightwing
However, the e.g. you were showing are still able to track lines individually with OCMod, where OCMod is on its way to deprecation from the core in the future.

nightwing wrote (Thu Feb 04, 2021 10:02 pm):
Yes, I was explaining that when I tested with regex, it replaced the entire line.

Regards,
Straightlight
It's good, at least, that you figured out your own way to make it work, but, as said, going back the way it was won't help the people on how it works since, over the years, it is more than obvious that they don't know, since those changes you specified are still about server-specific tracking.

nightwing wrote (Thu Feb 04, 2021 10:32 pm):
Well, it's tracking the lines and replacing them even when I used add position after. I am aware that it's on its way to deprecation, but for now it's needed.

Regards,
Straightlight

It's removing the form tag and replacing it with the hidden input; in other words, it's not doing the correct thing even when I add position after and not replace.

Regards,
Nightwing
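An added illustration, not code from the thread or from the extension: the form-tag regex posted above applied with preg_replace in PHP, showing why a replacement that never re-emits the captured group removes the <form> tag, while one that keeps group 1 inserts the hidden input after it. The sample HTML, the token value and the two function names are constructed for this demo.

```php
<?php
// Added illustration (not the extension's code): the form-tag regex from the
// thread, applied with preg_replace. Sample HTML and token are constructed.

// As posted: ~ delimiters, case-insensitive; group 1 is the whole opening tag.
// [^>]* before "method" means attribute order (method or action first) does not matter.
$pattern = '~(<form[^>]*method\s*=\s*["\']post["\'][^>]*>)~i';

// Constructed sample: a POST form, a GET form, and a POST form with loose spacing.
$html = "<form action=\"/checkout\" method=\"POST\">\n"
      . "<form method=\"get\" action=\"/search\">\n"
      . "<form method = 'post' action='/account'>\n";

$token  = 'SAMPLE_TOKEN_123'; // constructed; a real token is issued per session
$hidden = '<input type="hidden" name="__csrf" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';

// "Replace" behaviour: the replacement string never re-emits group 1, so every
// matching <form ...> tag disappears and only the hidden input is left behind.
function csrf_replace_form(string $html, string $pattern, string $hidden): string
{
    return preg_replace($pattern, $hidden, $html);
}

// "Add after" behaviour: keep the captured tag, then append the hidden input.
// A callback avoids backreference surprises if the value ever contains "$" or "\".
function csrf_add_after_form(string $html, string $pattern, string $hidden): string
{
    return preg_replace_callback(
        $pattern,
        function (array $m) use ($hidden): string {
            return $m[1] . "\n" . $hidden;
        },
        $html
    );
}

echo "--- replace (form tags lost) ---\n", csrf_replace_form($html, $pattern, $hidden);
echo "--- add after (form tags kept) ---\n", csrf_add_after_form($html, $pattern, $hidden);
```

The GET form is left untouched by both calls, since the pattern only matches a method of post; inserting the field is still only half the control, because the server side must reject requests whose token is missing or wrong.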
The old version used too. You're simply trying to fall back but can't seem to reproduce the way it used to be. That's fine, since there doesn't seem to be any way out on this one since the deprecation of OCMod.

nightwing wrote (Fri Feb 05, 2021 2:51 am):
Lol Straightlight, I have not figured it out!

Regards,
Straightlight
My WAF provider was looking into this and asked:
any issues with the firewall requests?
Self Taught Opencart User & Developer Since 2010.
Not sure why this is addressed on the topic ...

Rainforest wrote (Sat Sep 11, 2021 2:00 pm):
Using OC 3.0.3.8 here and a WAF

Regards,
Straightlight
Because it has to do with this extension.

1. Is the extension compatible with 3.0.3.8? (It doesn't say so on the extension page.)
2. My firewall provider said to me when I showed him this extension:
"In regards to the extension I would recommend looking into adding it and checking if there are any issues with the firewall requests. This would ensure that the "CSRF" token is added to confirm the requests are legit."

Self Taught Opencart User & Developer Since 2010.
As long as you have the ZLIB library installed, the OC version should not matter. Only editing the XML file for your purpose is needed, and for the CSRF token to show on the view source with the ZLIB output. Once shown on the view source, the output can be disabled on your domain for security purposes.

Regards,
Straightlight
So, what are your suggestions?

joeantropy wrote (Wed Dec 15, 2021 12:24 am):
This extension doesn't do anything to protect against CSRF!
In the csrf_check() function in the system/library/csrf_helper.php file, where the actual CSRF check happens is wrapped in this conditional:
Code:
if (isset($this->request->post['__csrf'])) {
You can bypass the CSRF check entirely by simply omitting the <input name="__csrf" .../> from the form. An attacker can construct a form without this field (i.e. the exact same way they would if this extension was not installed), isset($this->request->post['__csrf']) evaluates to false, and the CSRF attack proceeds as normal. Completely defeats the purpose of such an extension.

Got an urgent question that's keeping you up at night? There might just be a magical inbox ready to help: khnaz35@gmail.com
Enjoy nature
Maybe @straightlight can explain this.
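An added illustration of the fail-open guard joeantropy describes, placed beside a fail-closed version of the same check. This is not the extension's code: the two function names, the $post array standing in for $this->request->post, and the session token are assumptions for a stand-alone demo.

```php
<?php
// Added illustration, not the extension's code. Function names, the $post array
// and the session token are assumptions for a stand-alone demo.

// Models the guard quoted in the thread: the comparison only runs when the field
// is present, so a POST without __csrf is never compared and falls through.
function csrf_check_fail_open(array $post, string $sessionToken): bool
{
    if (isset($post['__csrf'])) {
        return hash_equals($sessionToken, (string) $post['__csrf']);
    }
    return true; // nothing to compare, request allowed
}

// Fail closed: no issued token, missing field, wrong type or empty value all
// reject; the comparison itself is constant-time via hash_equals().
function csrf_check_fail_closed(array $post, string $sessionToken): bool
{
    if ($sessionToken === '') {
        return false; // no token was ever issued for this session
    }
    if (!isset($post['__csrf']) || !is_string($post['__csrf']) || $post['__csrf'] === '') {
        return false; // the omitted-field case from the thread lands here
    }
    return hash_equals($sessionToken, $post['__csrf']);
}

$session = bin2hex(random_bytes(16)); // constructed per-session token

$cases = [
    'field omitted' => [],
    'wrong token'   => ['__csrf' => 'not-the-token'],
    'correct token' => ['__csrf' => $session],
];
foreach ($cases as $label => $post) {
    printf("%-14s fail-open=%-5s fail-closed=%s\n", $label,
        csrf_check_fail_open($post, $session) ? 'allow' : 'deny',
        csrf_check_fail_closed($post, $session) ? 'allow' : 'deny');
}
```

Only the "field omitted" row differs between the two functions, which is exactly the gap the report points at: the guard must treat absence of the token as a failed check, not as a reason to skip it.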