Common signs of your OpenCart store being vulnerable to Cross-site Scripting is malicious popups, credit card information theft and compromise of username/passwords of your users. While OpenCart takes security very seriously, new security issues may be discovered over time. Poorly coded extensions tend to be the #1 cause of security breaches.
In this guide, we’ll talk about what XSS is, the consequences & practical steps on how you can secure your OpenCart store against XSS attacks.
What is Cross-site Scripting (XSS)?
Cross-site Scripting (XSS) is a popular code injection vulnerability that allows a hacker to execute malicious JavaScript code into another user’s web browser. It’s risky because malicious JavaScript code can have drastic consequences like credit card hijacking, user information theft etc.
XSS in websites is widely prevalent, and is hence a part of the OWASP Top Ten Project. There are mainly three types of XSS:
- Reflected XSS (Non-Persistent) – When the malicious JavaScript code gets executed when the user opens a link to a vulnerable website.
- Stored XSS (Persistent) – When the malicious JavaScript code gets stored on the server side (Python, PHP, Java, NodeJS etc) and is executed in the victim’s browser every-time the page is requested.
- DOM-based XSS (Caused by client-side code) – When the malicious JavaScript payload is executed as a result of modifying the DOM “environment” in the victim’s browser
Consequences of XSS in OpenCart & Extensions
OpenCart and it’s extensions have had their history with XSS. There have been many publicly disclosed (and fixed) vulnerabilities. Recently, XSS was reported in the zone_id parameter (CVE-2015-4671), & product_id parameter.
Being an e-commerce portal, malicious JavaScript payloads can have critical consequences like:
- Creditcard Hijacking – CreditCard/payment information of the user can be captured on the checkout page and sent to servers owned by the hacker via AJAX
- Compromise of customer user account – Sensitive account information can be recorded and used for criminal purposes
- Keylogging of victim’s browser – A keylogger can be used to record keystrokes to spy on the user, grab passwords, intercept their conversations etc.
- Drive by download – Infect the web browsers of store visitors with malware and forced downloads of compromised softwares
Steps to secure your OpenCart store from XSS
#1 – Use HTML Purifier Library to filter user input
HTML Purifier is a HTML filter library that removes all malicious code from the user input and encodes output data. It’s relatively simple to use and works well out of the box. You merely needs to invoke the HTMLPurifier object and then use the purify method to sanitize the input like this:
require_once('/path/to/htmlpurifier/library/HTMLPurifier.auto.php');
$config = HTMLPurifier_Config::createDefault();
$purifier = new HTMLPurifier($config);
// Clean user input in GET array
$_GET = $purifier->purify($_GET);
// Clean user input in POST array
$_POST = $purifier->purify($_POST);
// Clean user input in REQUEST array
$_REQUEST = $purifier->purify($_REQUEST);
#2 – Use a Website Firewall
Given the ever evolving threat landscape, it is always a good idea to use a website firewall. Take Astra’s OpenCart Website Firewall for example, it protects against issues like XSS, LFI, RFI, Code Injection, Bad Bots etc. right out of the box without having to modify any code. Hackers and Malicious requests are blocked before they even reach your OpenCart store.
#3 – Regularly update your OpenCart version
The CMS is periodically updated with bug fixes, security patches and of course new features. It’s a good idea to update as soon as a new version is released.
#4 – Content Security Policy (CSP)
XSS can be mitigated by a recent web standard known as a Content Security Policy (CSP). It instructs the web browser to only load resources downloaded from known & trusted sources. So what it means it that even if an attacker successfully injects a malicious payload into your store, a CSP can prevent it from being run.
A CSP header looks something like this:
Content‑Security‑Policy:
directive source‑expression, source‑expression, ...;
directive ...;
...You can read more about Content Security Policies here.
#5 – Use the X-XSS-Protection Response Header
Modern Browsers like Google Chrome, Firefox have a XSS filter built into them. But in some cases it may have been disabled by the user. So it’s a good idea to set the X-XSS-Protection response header to re-enable the browser XSS filter. The browser will stop rendering if it detects a potential XSS attack.
PS: Do not rely solely on the XSS filer to prevent an attack. You should take all possible measures like installing extensions from trusted sources, regularly updating OpenCart etc to ensure maximum security.
Summing up
Security issues can make or break e-commerce stores. They are routinely targeted by bots and hackers to hijack credit cards, steal user information or redirect your users to other malicious websites. There are technologies like the Astra Website Firewall designed to simplify security for you and mitigate such attacks.