Answered already above: by viewing the view-source code once the page has been refreshed with the help of the zlib output. As for Journal2, no word so far about its compatibility.
How do I recognize that it is really working or not?
The most generated errors found on the OpenCart forum originate from contributed programming. The increased post counters are caused by redundancies of the same solutions that were already provided prior.
Regards,
Straightlight
Opencart.com Administrator / Quality Assurance Analyst / Programmer
Just wanted to note:
A couple of minutes ago I downloaded the extension and started testing on Opencart 3020 with vqmod 2.6.2. The admin test was correct... the frontend test was not correct (= no CSRF tokens...).
So I started debugging the XML file and found out that in the current downloadable version (csrf.xml) there was code missing for catalog/controller/common/header.php.
So I added the following code to the XML and everything seems to be working:
<file name="catalog/controller/common/header.php" error="skip">
  <operation error="skip">
    <search position="before"><![CDATA[$data['scripts']]]></search>
    <add><![CDATA[
      $this->load->helper('csrf_helper');
      csrf_start();
    ]]></add>
  </operation>
</file>
Thanks again and good luck!
Best Regards,
Danny
It has to return a boolean (session token == __csrf POST form value), but the function returns a random string, which is always true; please check it.
Code:
function secure_compare($a, $b) {
    global $csrf_protection_expires;
    if (strlen($a) !== strlen($b)) {
        return false;
    }
    $randLength = 64;
    // The first two branches never look at $a or $b: they just produce a random hex string
    if (function_exists("random_bytes")) {
        $result = bin2hex(random_bytes($randLength));
    } elseif (function_exists("openssl_random_pseudo_bytes")) {
        $result = bin2hex(openssl_random_pseudo_bytes($randLength));
    } else {
        // Only this fallback compares the two strings (XOR accumulated into $result)
        $result = '';
        for ($i = 0; $i < strlen($a); $i++) {
            $result |= ord($a[$i]) ^ ord($b[$i]);
        }
    }
    // Returns a substring (a non-empty string in the first two branches), not a boolean
    return substr($result, 0, $csrf_protection_expires);
}
My OpenCart Version: 2.3.0.2
I've been unable to get this module working correctly. The hidden input field is correctly added to the form; however, when simulating a CSRF attack, the request still goes through.
This has been added to "catalog/controller/common/home.php":
Code:
$this->load->helper('csrf_helper');
csrf_start();
If I submit the password change form, entering a valid password, the password gets changed (as expected).
If I submit the password change form without entering any details, I get blocked with the message "CSRF check failed." This should not happen; it should simply prompt the user to enter correct details.
If I edit the source of the page, removing the __csrf input, then submit the form with a valid password, the form submits OK and the password is changed. This should not happen!
If I simulate a CSRF attack using this HTML, the password gets changed to CSRF. This should be blocked!
Code:
<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="https://domain.com/change-password" method="POST" enctype="multipart/form-data">
      <input type="hidden" name="password" value="CSRF" />
      <input type="hidden" name="confirm" value="CSRF" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
If I edit the csrf_check function in the helper and add:
Code:
var_dump($_SERVER['REQUEST_METHOD']);die();
just after the global declaration "global $csrf_protection_expires;", then when I submit the form I see this:
Code:
string(3) "GET"
This to me says that the csrf_check function is not running on the POST request, but on the redirect after the password has been changed?
You are showing the HTML form example, but the hidden __csrf input is not showing below the form tag, which means either the zlib compression output in your php.ini file is disabled, or it is enabled but you did not configure your paths correctly in your XML file.
Dave_MMP wrote: ↑Wed Mar 20, 2019 6:39 pm
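As an added example (not code from the extension or from any poster in this thread), here is a minimal PHP CSRF helper showing the fixes the two reports above point at: secure_compare returns a boolean from a constant-time comparison instead of a random string, csrf_check only checks POST requests (so the GET redirect Dave_MMP observed is not blocked) and rejects a submission whose __csrf field was removed, and csrf_start injects the hidden field using the same form regex as the XML. The session key, the token length and the output-buffer injection are assumptions.

```php
<?php
// Added illustration, not the extension's csrf_helper. Function names follow the
// thread; the session key, the token length and the output-buffer injection of
// the hidden field are assumptions. Requires PHP >= 7 (random_bytes, hash_equals).

// Constant-time comparison that returns a boolean (the thread's version
// returned a substring of a random string, which is always truthy).
function secure_compare($a, $b) {
    if (!is_string($a) || !is_string($b) || strlen($a) !== strlen($b)) {
        return false;
    }
    return hash_equals($a, $b);
}

// One token per session, created on first use.
function csrf_token() {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['__csrf'])) {
        $_SESSION['__csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['__csrf'];
}

// Buffer the page and append the hidden __csrf input after every POST <form>
// tag, using the same regex the thread's XML uses as its search pattern.
function csrf_start() {
    $field = '<input type="hidden" name="__csrf" value="' . csrf_token() . '" />';
    ob_start(function ($html) use ($field) {
        return preg_replace(
            '~(<form[^>]*method\s*=\s*["\']post["\'][^>]*>)~i',
            '$1' . $field,
            $html
        );
    });
}

// Run before any state-changing handler. Only POST carries a form submission,
// so a GET (the redirect after a change) passes; a POST without the field fails.
function csrf_check() {
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        return true;
    }
    if (!isset($_POST['__csrf'])) {
        return false;
    }
    return secure_compare(csrf_token(), $_POST['__csrf']);
}
```

The token is hex only, so concatenating it into the preg_replace replacement string introduces no `$n` or backslash sequences.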
Same response as provided above.
Pyrocrafter wrote: ↑Mon Apr 01, 2019 10:31 pm
I uploaded the system and vqmod folders. Nothing has appeared in my Extensions > Modules though.
I have been dealing with your code for a long time.
I made it work last time at srelectronics.co.uk, but still got 48-52 fake registrations per day.
I re-read all posts last night, checking for alternative login methods, and put in the API protection script, but today I got 48 registrations again.
OC is 3.0.3.1
website: srelectronics.co.uk
My XML file is as follows:
Code:
<?xml version="1.0" encoding="UTF-8"?>
<modification>
  <id>CSRF Form Protection</id>
  <version>v2.x and v3.x</version>
  <vqmver required="true">2.6.0</vqmver>
  <author>Straightlight</author>
  <file name="admin/controller/common/header.php" error="skip">
    <operation error="skip">
      <search position="before"><![CDATA[$data['scripts']]]></search>
      <add><![CDATA[
        $this->load->helper('csrf_helper');
        csrf_start();
      ]]></add>
    </operation>
  </file>
  <file name="catalog/controller/common/header.php" error="skip">
    <operation error="skip">
      <search position="before"><![CDATA[$data['scripts']]]></search>
      <add><![CDATA[
        $this->load->helper('csrf_helper');
        csrf_start();
      ]]></add>
    </operation>
  </file>
  <!-- Each template block below matches the opening tag of every POST form and writes the captured tag back unchanged ($1). -->
  <file name="catalog/view/theme/*/template/account/*.twig" error="skip">
    <operation error="skip">
      <search position="replace" regex="true"><![CDATA[~(<form[^>]*method\s*=\s*["\']post["\'][^>]*>)~i]]></search>
      <add><![CDATA[$1]]></add>
    </operation>
  </file>
  <file name="catalog/view/theme/*/template/affiliate/*.twig" error="skip">
    <operation error="skip">
      <search position="replace" regex="true"><![CDATA[~(<form[^>]*method\s*=\s*["\']post["\'][^>]*>)~i]]></search>
      <add><![CDATA[$1]]></add>
    </operation>
  </file>
  <file name="catalog/view/theme/*/template/checkout/*.twig" error="skip">
    <operation error="skip">
      <search position="replace" regex="true"><![CDATA[~(<form[^>]*method\s*=\s*["\']post["\'][^>]*>)~i]]></search>
      <add><![CDATA[$1]]></add>
    </operation>
  </file>
  <file name="catalog/view/theme/*/template/common/*.twig" error="skip">
    <operation error="skip">
      <search position="replace" regex="true"><![CDATA[~(<form[^>]*method\s*=\s*["\']post["\'][^>]*>)~i]]></search>
      <add><![CDATA[$1]]></add>
    </operation>
  </file>
  <file name="catalog/view/theme/*/template/error/*.twig" error="skip">
    <operation error="skip">
      <search position="replace" regex="true"><![CDATA[~(<form[^>]*method\s*=\s*["\']post["\'][^>]*>)~i]]></search>
      <add><![CDATA[$1]]></add>
    </operation>
  </file>
  <file name="catalog/view/theme/*/template/extension/captcha/*.twig" error="skip">
    <operation error="skip">
      <search position="replace" regex="true"><![CDATA[~(<form[^>]*method\s*=\s*["\']post["\'][^>]*>)~i]]></search>
      <add><![CDATA[$1]]></add>
    </operation>
  </file>
  <file name="catalog/view/theme/*/template/extension/credit_card/*.twig" error="skip">
    <operation error="skip">
      <search position="replace" regex="true"><![CDATA[~(<form[^>]*method\s*=\s*["\']post["\'][^>]*>)~i]]></search>
      <add><![CDATA[$1]]></add>
    </operation>
  </file>
  <file name="catalog/view/theme/*/template/extension/module/*.twig" error="skip">
    <operation error="skip">
      <search position="replace" regex="true"><![CDATA[~(<form[^>]*method\s*=\s*["\']post["\'][^>]*>)~i]]></search>
      <add><![CDATA[$1]]></add>
    </operation>
  </file>
  <file name="catalog/view/theme/*/template/extension/payment/*.twig" error="skip">
    <operation error="skip">
      <search position="replace" regex="true"><![CDATA[~(<form[^>]*method\s*=\s*["\']post["\'][^>]*>)~i]]></search>
      <add><![CDATA[$1]]></add>
    </operation>
  </file>
  <file name="catalog/view/theme/*/template/extension/recurring/*.twig" error="skip">
    <operation error="skip">
      <search position="replace" regex="true"><![CDATA[~(<form[^>]*method\s*=\s*["\']post["\'][^>]*>)~i]]></search>
      <add><![CDATA[$1]]></add>
    </operation>
  </file>
  <file name="catalog/view/theme/*/template/extension/total/*.twig" error="skip">
    <operation error="skip">
      <search position="replace" regex="true"><![CDATA[~(<form[^>]*method\s*=\s*["\']post["\'][^>]*>)~i]]></search>
      <add><![CDATA[$1]]></add>
    </operation>
  </file>
  <file name="catalog/view/theme/*/template/information/*.twig" error="skip">
    <operation error="skip">
      <search position="replace" regex="true"><![CDATA[~(<form[^>]*method\s*=\s*["\']post["\'][^>]*>)~i]]></search>
      <add><![CDATA[$1]]></add>
    </operation>
  </file>
  <file name="catalog/view/theme/*/template/mail/*.twig" error="skip">
    <operation error="skip">
      <search position="replace" regex="true"><![CDATA[~(<form[^>]*method\s*=\s*["\']post["\'][^>]*>)~i]]></search>
      <add><![CDATA[$1]]></add>
    </operation>
  </file>
  <file name="catalog/view/theme/*/template/product/*.twig" error="skip">
    <operation error="skip">
      <search position="replace" regex="true"><![CDATA[~(<form[^>]*method\s*=\s*["\']post["\'][^>]*>)~i]]></search>
      <add><![CDATA[$1]]></add>
    </operation>
  </file>
</modification>
I did not misunderstand it, right? It should be like this to work.
4 new registrations since posting the previous post. I can sort some of them by blocking 31.184.238.***, but some are from another IP.
I want to solve it.
Then the issue is with the Captcha extension, not with the CSRF token, since you are able to see it from the view source.
Google reCaptcha without any version means it is version 1, which no longer works?
And it looks like I have to paste some code into my pages to activate version 3?
I am starting to think the problem is version 3.0.3.1 and I have to go back to 3.0.2.0.
You have not stated that the extension works with 3.0.3.1, and I think my code is a bit different from the original version.
Sorted, it was a captcha problem.
To avoid posting a new comment, I just edited this one.
Do not forget to assign the captcha to the relevant pages, in System > Settings > Option.
Extensions > Captchas as well.
I have uploaded the files but cannot install the extension, as it is not showing under Extensions. I have tried everything I can think of but no success. Can you shed any light as to why this might be?
Big Decision
Website Production, Ecommerce & Digital Marketing in the UK
http://www.bigdecision.co.uk
I have the CSRF Protection Extension installed in version 3.0.2.0 and am still getting at least one fake account every few days. I have noticed that the account set up never has an address. How can this happen when any proper customer has to enter an address to set up an account?
Any ideas please?
Always ask yourself WHY IS IT FREE???