Search found 321 matches

Re: [RELEASED] CSRF Protection Form

I get you... Hmm, that cannot be used then, as I see tags with <form method and <form action... If this is what you mean. OK straightlight - Question though, what would cause the regex to replace the form tag instead of adding after? Because of JS tokens where third-party scripts can already use. As expl...

  • Wed Feb 03, 2021 8:22 am
  • Replies 366
  • Views 71639
Re: [RELEASED] CSRF Protection Form

OK straightlight - Question though, what would cause the regex to replace the form tag instead of adding after? Why not use something similar on the front end? In case of future request about moving the token, that won't do it either: https://github.com/opencart/opencart/issues/9196#issuecomment-768...

  • Wed Feb 03, 2021 5:22 am
  • Replies 366
  • Views 71639
Re: [RELEASED] CSRF Protection Form

Why not use something similar on the front end?

straightlight wrote:
Tue Feb 02, 2021 10:24 pm
In case of future request about moving the token, that won't do it either: https://github.com/opencart/opencart/is ... -768230545 .

  • Tue Feb 02, 2021 10:37 pm
  • Replies 366
  • Views 71639
Re: [RELEASED] CSRF Protection Form

Gotcha, well again, they can actually switch to FraudLabs Pro or other third-party providers that could filter these transactions, sending less to the Merchant Gateway as well. I understand. Well, I will keep thinking of various ideas to help; for now we can keep what we have and improve it as we go...

  • Tue Feb 02, 2021 10:19 pm
  • Replies 366
  • Views 71639
Re: [RELEASED] CSRF Protection Form

I understand. Well, I will keep thinking of various ideas to help; for now we can keep what we have and improve it as we go along. Thanks. Noted, I updated the post I made, take a look at point 9. 1) As mentioned above, not even Events could be helpful against CSRF since only half ways (if not...

  • Tue Feb 02, 2021 9:36 pm
  • Replies 366
  • Views 71639
Re: [RELEASED] CSRF Protection Form

Noted, I updated the post I made, take a look at point 9. Hi Straightlight - Well said. 1) Yes, I agree that ocmod is not the way to go and we should use events to deploy this mod. 2) Cloudflare? It could but slows down websites as hell - I have to object here, I use Cloudflare and my website loads in...

  • Tue Feb 02, 2021 9:17 pm
  • Replies 366
  • Views 71639
Re: [RELEASED] CSRF Protection Form

Hi Straightlight - Well said. 1) Yes, I agree that ocmod is not the way to go and we should use events to deploy this mod. 2) Cloudflare? It could but slows down websites as hell - I have to object here, I use Cloudflare and my website loads in ~1 second. You have to configure your Cloudflare account...

  • Tue Feb 02, 2021 8:45 pm
  • Replies 366
  • Views 71639
Re: [RELEASED] CSRF Protection Form

Hey straightlight - Yes, I know this is a problem, that's why I prefer your version, it makes things way easier. I did test using the regex you used in the previous vqmod version, however, it replaced the <form> tag instead of adding the line below, so I dropped it. - It's not only difficult with t...

  • Tue Feb 02, 2021 1:40 pm
  • Replies 366
  • Views 71639
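The post above describes a regex that replaced the `<form>` tag instead of adding the hidden field below it. As an added example (not the extension's or OpenCart's own code), here is the difference in PHP: the matched opening tag is written back and the field appended after it, so the tag survives. The field name `__csrf` is the one the thread shows; the function name, the GET-form skip and the sample markup are this example's own assumptions.

```php
<?php
// Added example, not the extension's code: insert a hidden "__csrf" input
// directly after each <form ...> opening tag. The field name comes from the
// thread; the function name and sample markup are this example's own.

function inject_csrf_field(string $html, string $token): string
{
    $field = '<input type="hidden" name="__csrf" value="'
           . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';

    return preg_replace_callback(
        '/<form\b[^>]*>/i',
        function (array $m) use ($field): string {
            // $m[0] is the matched opening tag. Returning $field alone here
            // would swallow the tag, which is the "replaced the <form> tag"
            // behaviour described above; always write the tag back first.
            if (preg_match('/\bmethod\s*=\s*["\']?get\b/i', $m[0])) {
                // Leave GET forms alone: a token in the query string ends up
                // in server logs, browser history and Referer headers.
                return $m[0];
            }
            return $m[0] . "\n" . $field;
        },
        $html
    );
}

// Constructed sample markup with one POST form and one GET search form.
$page = '<form action="index.php?route=information/contact" method="post">'
      . '<input type="text" name="name"></form>'
      . '<form action="index.php?route=product/search" method="get">'
      . '<input type="text" name="search"></form>';

echo inject_csrf_field($page, 'Ab01DefG2345HiJKLmnOP');
```

Rewriting rendered HTML with a regex is a stopgap: `[^>]*` stops at the first `>` even inside an attribute value, so a template-level hook (the Events approach discussed in the thread) is the safer place to emit the field.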
Re: [RELEASED] CSRF Protection Form

straightlight, thanks for checking, we will await the next release. Did you check the post prior to me posting the xml? That XML file above is not part of my extension. I missed your previous post before the XML attachment. It would seem that this CSRF library does not protect against JS attacks ...

  • Tue Feb 02, 2021 11:15 am
  • Replies 366
  • Views 71639
Re: [RELEASED] CSRF Protection Form

Did you check the post prior to me posting the xml?

straightlight wrote:
Tue Feb 02, 2021 10:31 am
That XML file above is not part of my extension.

  • Tue Feb 02, 2021 10:40 am
  • Replies 366
  • Views 71639
Re: [RELEASED] CSRF Protection Form

Sure thing, please see the attached.

khnaz35 wrote:
Tue Feb 02, 2021 9:57 am
Why don't you submit your mod here so he can take a look at the approach too.

  • Tue Feb 02, 2021 10:22 am
  • Replies 366
  • Views 71639
Re: [RELEASED] CSRF Protection Form

OK, please do the following on your website: 1) Install your extension. 2) Inspect a protected form and below the <form> tag you will see the <input type="hidden" name="__csrf" value="Ab01DefG2345HiJKLmnOP">. 3) Edit the value of the hidden input; you can remove the entire tag or just change the lette...

  • Tue Feb 02, 2021 9:43 am
  • Replies 366
  • Views 71639
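The test steps above (and the Jan 31 posts further down, which report that an altered or removed token was accepted and simply refreshed) are probing whether the server actually compares the submitted `__csrf` value against the one it issued. As an added example that is not the extension's or OpenCart's code, this is the minimal server-side check that makes both manipulations fail; the `__csrf` name is from the thread, while the function names, the 403 message and the sample form are assumptions of this example.

```php
<?php
// Added example, not the extension's code: issue a per-session CSRF token
// and reject any POST whose "__csrf" field is missing or does not match it.
// Function names and the error text are this example's own.

session_start();

function csrf_token(): string
{
    if (empty($_SESSION['__csrf'])) {
        // 32 random bytes from the CSPRNG, hex-encoded for the HTML attribute.
        $_SESSION['__csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['__csrf'];
}

function csrf_verify(array $post, ?string $expected): bool
{
    // A removed field, a missing session token or a non-string value
    // (e.g. __csrf[]=x) must all fail, not fall through to "no check".
    if ($expected === null || !isset($post['__csrf']) || !is_string($post['__csrf'])) {
        return false;
    }
    // Constant-time comparison; == would also accept loosely-equal numeric
    // strings such as "0" == "0e123".
    return hash_equals($expected, $post['__csrf']);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_verify($_POST, $_SESSION['__csrf'] ?? null)) {
        // Refuse before any handler runs. Note the token is NOT regenerated
        // here: issuing a fresh one on failure is the behaviour the thread
        // observed, and it tells the tester nothing was checked.
        http_response_code(403);
        exit('Invalid CSRF token.');
    }
    // ... handle the submitted form ...
}

$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
echo '<form action="index.php?route=information/contact" method="post">'
   . '<input type="hidden" name="__csrf" value="' . $token . '">'
   . '<input type="text" name="name"><button type="submit">Send</button>'
   . '</form>';
```

With this in place, step 3 of the test (editing the letters of the value, or deleting the whole hidden input) produces a 403 rather than a successful submission. Rotating the token after a successful POST is optional; if you do it, expect a second open tab holding the old token to fail its next submit.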
Re: [RELEASED] CSRF Protection Form

I disabled this extension until this issue is addressed. Using https://github.com/opencart/opencart/pull/5172/commits/805106943651a52943b24caef1992cd6d3cfd07f I was able to create an .ocmod and deploy to each of my forms which takes significantly more effort, however my tests came out successful. As...

  • Tue Feb 02, 2021 9:14 am
  • Replies 366
  • Views 71639
Re: [RELEASED] CSRF Protection Form

You don't what? Get a chance to test or find anything? Just for the record of who's watching, I have contacted straightlight privately. Because my website is not available in other countries, I have temporarily allowed his. Once he gets a chance to test, I assume he'll let me know what he finds. Bec...

  • Mon Feb 01, 2021 5:24 am
  • Replies 366
  • Views 71639
Re: [RELEASED] CSRF Protection Form

Just for the record of who's watching, I have contacted straightlight privately. Because my website is not available in other countries, I have temporarily allowed his. Once he gets a chance to test, I assume he'll let me know what he finds. straightlight wrote: How is this site relat...

  • Mon Feb 01, 2021 2:18 am
  • Replies 366
  • Views 71639
Re: [RELEASED] CSRF Protection Form

Thanks khnaz35. @straightlight, as khnaz35 said, when you visit that site or any other site that uses CSRF, and manually alter the token, the CSRF check fails, but with your extension, the form is submitted and the token refreshes with no errors posted. Is this the way your extension is supposed to wor...

  • Sun Jan 31, 2021 4:30 pm
  • Replies 366
  • Views 71639
Re: [RELEASED] CSRF Protection Form

Here is a good example: https://portswigger.net/users/forgottenpassword...

khnaz35 wrote:
Sun Jan 31, 2021 9:04 am
The thing is, after testing multiple sites that employ CSRF tokens
Share the mentioned example site URL.

  • Sun Jan 31, 2021 9:38 am
  • Replies 366
  • Views 71639
Re: [RELEASED] CSRF Protection Form

The thing is, after testing multiple sites that employ CSRF tokens, each one I modify the token or remove the hidden field entirely throws an Incorrect Token/CSRF error. But with this extension, so far it has successfully generated the token, but based on my testing, it's not checking to see if the T...

  • Sun Jan 31, 2021 6:32 am
  • Replies 366
  • Views 71639
Re: [RELEASED] CSRF Protection Form

Hey straightlight, yes, a new token was generated automatically after I submitted the form. Possibly, I tested on information/contact and account/forgotten. I am not really sure how it works 100%, but let me explain what I did, I could be wrong. I inspected the page and altered the token by adding som...

  • Sun Jan 31, 2021 5:47 am
  • Replies 366
  • Views 71639
Re: Confirm Order Button not working

Well now I can't remove anything from the cart. Did you by any chance modify the common.js file? Also on dashboard home > top right corner > clear cache, clear sass. Something is also upsetting your page layout, the width is wrong - There are MANY errors on this site at the moment. Whether they are al...

  • Sun Jan 31, 2021 1:08 am
  • Replies 62
  • Views 1978
