In the meantime, it would help to know under which route you tested the token.
Dedication and passion goes to those who are able to push and merge a project.
Regards,
Straightlight
Programmer / Opencart Tester
straightlight wrote: ↑Sat Jan 30, 2021 12:35 pm
Tried it as a controller. The tokens are duplicating, which means it needs to remain under the library. Since your report is presently about theory, I need more information on this so that I can investigate in the future if needed. I have tested the library file without comparing the time period, and the "CSRF check failed" message does come up on screen. It's simply possible that the token you're using is either interfering with my extension, or that the token from my extension has not yet expired before a new one is re-created.
In the meantime, it would help to know under which route you tested the token.
Regards,
Nightwing
Access to my Free Extensions: https://www.opencart.com/index.php?rout ... =nightwing
When you posted the new token manually, did the CSRF token refresh to another number once the action was sent?
nightwing wrote: ↑Sat Jan 30, 2021 1:27 pm
Possibly, I tested on information/contact and account/forgotten. I am not really sure how it works 100%, but let me explain what I did; I could be wrong. I inspected the page and altered the token by adding some extra numbers or text to it, which means the token, in theory, would be incorrect for the client. I then filled out the form and submitted it, and it worked. What I needed to know is if this is the way this extension is supposed to work, or if on a CSRF token mismatch it is supposed to reject the form. It is possible that this chat platform is conflicting, but it's good to note that the files are not stored in the same location, i.e. helper.
Regards,
Straightlight
I don't know what your schedule is like, but if you want, we can always jump on a Skype call and I can demonstrate.
nightwing wrote: ↑Sun Jan 31, 2021 5:47 am
Hey straightlight, yes, a new token was generated automatically after I submitted the form.
Regards,
Nightwing
Share the mentioned example site URL.
The thing is, after testing multiple sites that employ CSRF tokens
Urgent Questions shoot here: khnaz35@gmail.com
Enjoy nature
How is this site related to my extension? ...
nightwing wrote: ↑Sun Jan 31, 2021 9:38 am
Here is a good example: https://portswigger.net/users/forgottenpassword...
Regards,
Straightlight
Because the OP has mentioned that this site also uses CSRF and, when manually editing the token.....
Kindly read the OP's original post above.
That still doesn't show my extension on it.
Regards,
Straightlight
nightwing wrote: ↑Mon Feb 01, 2021 2:18 am
Just for the record, for whoever's watching: I have contacted straightlight privately. Because my website is not available in other countries, I have temporarily allowed his. Once he gets a chance to test, I assume he'll let me know what he finds.
I don't.
Regards,
Straightlight
Get a chance to test or find anything?
straightlight wrote: ↑Mon Feb 01, 2021 3:54 am
I don't.
Regards,
Nightwing
@straightlight, let us know if this will be looked into, as it's a possibility that this extension is not protecting forms from CSRF attacks.
nightwing wrote: ↑Mon Feb 01, 2021 5:24 am
You don't what? Get a chance to test or find anything?
Regards,
Nightwing
Without enough evidence being delivered, there's nothing to look into.
Regards,
Straightlight
1) Install your extension.
2) Inspect a protected form; below the <form> tag you will see the <input type="hidden" name="__csrf" value="Ab01DefG2345HiJKLmnOP">.
3) Edit the value of the hidden input: you can remove the entire tag or just change the letters and numbers.
4) Fill out the form and submit.
What I have noticed on my end, with your extension installed, is that the form submits successfully (all changes/requests made successfully) even with an incorrect CSRF value from the client on POST.
With the OCMOD I created, and on other sites I have observed, once the value of the hidden field is tampered with, the form is rejected by the check below:
```php
// Reject the POST unless a string token was submitted and it matches the session token byte for byte
$posted = $this->request->post['csrf_token'] ?? null;
if (!is_string($posted) || !isset($this->session->data['csrf_token']) || !hash_equals($this->session->data['csrf_token'], $posted)) {
    $this->error['csrf_token'] = $this->language->get('error_csrf_token');
}
```
Regards,
Nightwing
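An added example, not code from nightwing's OCMOD or from straightlight's extension, of a plain-PHP CSRF check that behaves the way steps 2 to 4 above expect: a hidden-input token that has been removed, altered or has expired is rejected, and a fresh token is issued after every check. The function names, the `csrf_token` and `csrf_issued` session keys and the 30-minute lifetime are assumptions.

```php
<?php
// Added example, not code from nightwing's OCMOD or straightlight's extension.
// The function names, the session keys and the 30-minute lifetime are assumptions.

const CSRF_LIFETIME = 1800; // seconds a token stays valid

// Issue a fresh token, record it and its issue time in the session, and return it
// so the form can embed it in its hidden input.
function csrf_issue(array &$session): string
{
    $session['csrf_token']  = bin2hex(random_bytes(32));
    $session['csrf_issued'] = time();
    return $session['csrf_token'];
}

// Verify the token submitted with a POST against the one held in the session.
// Returns true only when a string token was submitted, the session holds a token
// that has not expired, and both match byte for byte (hash_equals is a strict,
// constant-time string comparison, so no loose "!=" type juggling applies).
// The session token is rotated on every call, so a token can be used at most once.
function csrf_verify(array $post, array &$session, ?int $now = null): bool
{
    $now      = $now ?? time();
    $posted   = $post['csrf_token'] ?? null;
    $expected = $session['csrf_token'] ?? null;
    $issued   = $session['csrf_issued'] ?? 0;

    $ok = is_string($posted)
        && is_string($expected)
        && ($now - $issued) <= CSRF_LIFETIME
        && hash_equals($expected, $posted);

    csrf_issue($session); // rotate whether or not the check passed
    return $ok;
}

// Walk through steps 2 to 4 of the post above against a constructed session.
$session = [];
$token   = csrf_issue($session);
$cases   = [];
$cases['untouched token']        = csrf_verify(['csrf_token' => $token], $session);
$cases['token with extra chars'] = csrf_verify(['csrf_token' => $session['csrf_token'] . '123'], $session);
$cases['hidden input removed']   = csrf_verify([], $session);
$cases['expired but matching']   = csrf_verify(['csrf_token' => $session['csrf_token']], $session, time() + CSRF_LIFETIME + 1);
foreach ($cases as $case => $accepted) {
    echo $case . ': ' . ($accepted ? 'accepted' : 'rejected') . PHP_EOL;
}
```

Only the first case is accepted; the other three are the tampered, missing and stale tokens that the report above says should be rejected.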
Attachments
anti-csrf.ocmod.xml
Regards,
Nightwing