Post by straightlight » Sat Jan 30, 2021 12:35 pm

Tried it as a controller. The tokens are duplicating, which means it needs to remain under the library. Since your report is presently about theory, I need more information on this for me to investigate in the future if needed. I have tested the library file without comparing the time period and the CSRF check failed does come to screen. It's simply possible that the token you're using is either interfering with my extension or the token from my extension has not yet expired before re-creating a new one.

In the meantime, I need to know under which route you tested the token.

Dedication and passion goes to those who are able to push and merge a project.

Regards,
Straightlight
Programmer / Opencart Tester


Legendary Member, joined Mon Nov 14, 2011 11:38 pm, location: Canada, ON

Post by nightwing » Sat Jan 30, 2021 1:27 pm

Possibly, I tested on information/contact and account/forgotten. I am not really sure how it works 100% but let me explain what I did; I could be wrong. I inspected the page and altered the token by adding some extra numbers or text to it, which means the token, in theory, would be incorrect for the client. I then filled out the form and submitted it, and it worked. What I needed to know is if this is the way this extension is supposed to work, or if on a CSRF token mismatch it's supposed to reject the form. - It is possible that this chat platform is conflicting, but it's good to note that the files are not stored in the same location, i.e. helper.

Regards,
Nightwing
Access to my Free Extensions: https://www.opencart.com/index.php?rout ... =nightwing


Active Member, joined Tue Nov 05, 2019 11:08 pm


Post by straightlight » Sun Jan 31, 2021 3:34 am

When you posted the new token manually, did the CSRF token refresh to another number once the action was sent?

Dedication and passion goes to those who are able to push and merge a project.

Regards,
Straightlight
Programmer / Opencart Tester



Post by nightwing » Sun Jan 31, 2021 5:47 am

Hey straightlight, yes a new token was generated automatically after I submitted the form.

Regards,
Nightwing
Access to my Free Extensions: https://www.opencart.com/index.php?rout ... =nightwing




Post by nightwing » Sun Jan 31, 2021 6:32 am

The thing is, after testing multiple sites that employ CSRF tokens, each one where I modify the token or remove the hidden field entirely throws an Incorrect Token/CSRF Error. But with this extension, so far it has successfully generated the token, but based on my testing, it's not checking to see if the token matches on post.
I don't know what your schedule is like but if you want, we can always jump on a Skype call and I can demonstrate.

Regards,
Nightwing
Access to my Free Extensions: https://www.opencart.com/index.php?rout ... =nightwing




Post by khnaz35 » Sun Jan 31, 2021 9:04 am

nightwing wrote:
The thing is, after testing multiple sites that employ CSRF tokens

Share the mentioned example site URL.

Urgent Questions shoot here: khnaz35@gmail.com
Enjoy nature ;) :) :-*


Active Member, joined Mon Aug 27, 2018 11:30 pm, location: Malaysia

Post by nightwing » Sun Jan 31, 2021 9:38 am

Here is a good example: https://portswigger.net/users/forgottenpassword...

Regards,
Nightwing
Access to my Free Extensions: https://www.opencart.com/index.php?rout ... =nightwing




Post by straightlight » Sun Jan 31, 2021 1:00 pm

How is this site relative with my extension? ...

Dedication and passion goes to those who are able to push and merge a project.

Regards,
Straightlight
Programmer / Opencart Tester



Post by khnaz35 » Sun Jan 31, 2021 2:34 pm

straightlight wrote:
How is this site relative with my extension? ...

Because OP has mentioned that this site also uses CSRF and when you manually edit the token.....

Kindly read the OP's original post above.

Urgent Questions shoot here: khnaz35@gmail.com
Enjoy nature ;) :) :-*



Post by nightwing » Sun Jan 31, 2021 4:30 pm

Thanks khnaz35. @straightlight, as khnaz35 said, when you visit that site or any other site that uses CSRF, and manually alter the token, the CSRF check fails, but with your extension, the form is submitted and the token refreshes with no errors posted. Is this the way your extension is supposed to work? It seems as if your extension is generating the tokens but not checking for them when the form is submitted. I also tested on my freshly installed 3.0.3.2 on my localhost - same thing.

Regards,
Nightwing
Access to my Free Extensions: https://www.opencart.com/index.php?rout ... =nightwing




Post by straightlight » Sun Jan 31, 2021 9:20 pm

That still doesn't show my extension on it.

Dedication and passion goes to those who are able to push and merge a project.

Regards,
Straightlight
Programmer / Opencart Tester



Post by nightwing » Mon Feb 01, 2021 2:18 am

Just for the record of who's watching, I have contacted straightlight privately. Because my website is not available in other countries, I have temporarily allowed his. Once he gets a chance to test, I assume he'll let me know what he finds.

Regards,
Nightwing
Access to my Free Extensions: https://www.opencart.com/index.php?rout ... =nightwing




Post by straightlight » Mon Feb 01, 2021 3:54 am

I don't.

Dedication and passion goes to those who are able to push and merge a project.

Regards,
Straightlight
Programmer / Opencart Tester



Post by nightwing » Mon Feb 01, 2021 5:24 am

You don't what?
Get a chance to test or find anything?

Regards,
Nightwing
Access to my Free Extensions: https://www.opencart.com/index.php?rout ... =nightwing




Post by nightwing » Tue Feb 02, 2021 9:14 am

I disabled this extension until this issue is addressed. Using https://github.com/opencart/opencart/pu ... d6d3cfd07f I was able to create an .ocmod and deploy to each of my forms, which takes significantly more effort; however, my tests came out successful. As expected, when I alter or remove the token, the form throws the CSRF Error and prevents the form from being submitted; once the token is correct (i.e. generated with the page request) the form submission works.
@straightlight, let us know if this will be looked into, as it's a possibility that this extension is not protecting forms from CSRF attacks.

Regards,
Nightwing
Access to my Free Extensions: https://www.opencart.com/index.php?rout ... =nightwing




Post by straightlight » Tue Feb 02, 2021 9:32 am

nightwing wrote:
@straightlight, let us know if this will be looked into, as it's a possibility that this extension is not protecting forms from CSRF attacks.

Without enough evidence being delivered, there's nothing to look into.

Dedication and passion goes to those who are able to push and merge a project.

Regards,
Straightlight
Programmer / Opencart Tester



Post by nightwing » Tue Feb 02, 2021 9:43 am

Ok, please do the following on your website:
1) Install your extension
2) Inspect a protected form and below the <form> tag you will see the <input type="hidden" name="__csrf" value="Ab01DefG2345HiJKLmnOP">
3) Edit the value of the hidden input, you can remove the entire tag or just change the letters and numbers
4) Fill out the form and submit
What I have noticed on my end when your extension is installed was that the form submits successfully (all changes/requests made successfully) with an incorrect CSRF value from the client on POST.
With the OCMOD I created and with other sites I have observed, once the Value of the hidden field is tampered with, the form is rejected with the below check:

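Code:

// Reject the form unless the posted token matches the session token
$sent = $this->request->post['csrf_token'] ?? '';
$stored = $this->session->data['csrf_token'] ?? '';
if (!is_string($sent) || $stored === '' || !hash_equals((string)$stored, $sent)) {
    $this->error['csrf_token'] = $this->language->get('error_csrf_token');
}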

Regards,
Nightwing
Access to my Free Extensions: https://www.opencart.com/index.php?rout ... =nightwing
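
The thread turns on whether a refreshed token shows that the submitted one was checked. As an added example (not part of any post here, and not the extension's or OpenCart's code), this stand-alone PHP sketch validates the token before the form is processed and rotates it on every outcome; the array standing in for the session, the 30-minute lifetime and the helper names are assumptions.

```php
<?php
// Added example: stand-alone sketch, not OpenCart core or extension code.
// $session stands in for $this->session->data, $post for $this->request->post.
const CSRF_FIELD = 'csrf_token'; // field name from the check quoted in the post
const CSRF_TTL = 1800;           // assumed token lifetime in seconds

function csrf_issue(array &$session, int $now): string
{
    $session[CSRF_FIELD] = ['value' => bin2hex(random_bytes(32)), 'issued' => $now];
    return $session[CSRF_FIELD]['value'];
}

function csrf_check(array $session, array $post, int $now): bool
{
    $stored = $session[CSRF_FIELD] ?? null;
    $sent = $post[CSRF_FIELD] ?? null;
    if (!is_array($stored) || !is_string($sent) || $sent === '') {
        return false; // nothing issued, field removed, or not a plain string
    }
    if ($now - $stored['issued'] > CSRF_TTL) {
        return false; // token older than the assumed lifetime
    }
    return hash_equals($stored['value'], $sent); // constant-time, exact match
}

function handle_form_post(array &$session, array $post, int $now): array
{
    $accepted = csrf_check($session, $post, $now); // decide before touching any data
    $next = csrf_issue($session, $now);            // rotation happens on every outcome
    return ['accepted' => $accepted, 'next_token' => $next];
}

// Constructed inputs mirroring the manual test described in the post.
$cases = [
    'untouched token'         => [function ($t) { return [CSRF_FIELD => $t]; }, 60],
    'extra characters added'  => [function ($t) { return [CSRF_FIELD => $t . '123']; }, 60],
    'hidden field removed'    => [function ($t) { return []; }, 60],
    'token past its lifetime' => [function ($t) { return [CSRF_FIELD => $t]; }, CSRF_TTL + 1],
];
foreach ($cases as $label => [$build, $delay]) {
    $session = [];
    $issued_at = 1612260000; // constructed timestamp
    $token = csrf_issue($session, $issued_at);
    $result = handle_form_post($session, $build($token), $issued_at + $delay);
    printf("%-24s accepted=%-5s token_refreshed=%s\n", $label,
        var_export($result['accepted'], true),
        var_export($result['next_token'] !== $token, true));
}
```

Run with the PHP CLI (7.1 or later). The rejected cases still report a refreshed token, so a token that changes after submission says nothing about whether the posted value was compared.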




Post by khnaz35 » Tue Feb 02, 2021 9:57 am

Why don't you submit your mod here so he can take a look at the approach too.

Urgent Questions shoot here: khnaz35@gmail.com
Enjoy nature ;) :) :-*



Post by nightwing » Tue Feb 02, 2021 10:22 am

Sure thing, please see the attached.

Attachments

anti-csrf.ocmod.xml


Regards,
Nightwing
Access to my Free Extensions: https://www.opencart.com/index.php?rout ... =nightwing




Post by straightlight » Tue Feb 02, 2021 10:31 am

That XML file above is not part of my extension.

Dedication and passion goes to those who are able to push and merge a project.

Regards,
Straightlight
Programmer / Opencart Tester

