Astra Security Blog

5 Quick Tips For an Effective Magento CSRF Protection

In simple terms, a Magento CSRF (Cross-Site Request Forgery) attack tricks your browser into performing actions you did not intend. These actions could be anything from changing your account details to deleting the account altogether.

These attacks are a byproduct of weak CSRF protection in your store, such as a missing or improperly implemented CSRF token check or HTTP header check.

Magento websites have a long history of CSRF vulnerabilities. According to CVE statistics for 2015-2019, around 7% of all attacks on Magento websites were CSRF attacks.

In 2019, Magento’s GiftCardAccount removal feature was found to be vulnerable to CSRF; the issue was assigned CVE-2019-7947. In the same year, another vulnerability, CVE-2019-7874, allowed the deletion of user roles in Magento.

In this article, we explain what a CSRF vulnerability in Magento is and what causes it, followed by the steps for implementing Magento CSRF protection.

What is Magento CSRF?

While you browse the web, your browser mostly makes POST and GET requests. When interacting with a Magento store (which exposes a REST API), POST requests are used to change data on the server (e.g. submitting a form), whereas GET requests are used to fetch additional resources (e.g. image files, JavaScript files).

Authenticating every request explicitly is not practical, so cookies are used to identify the user behind a request: the server checks your session cookie before executing the request. It seems simple and secure, so what can go wrong?

Well, if you visit a malicious website while you are still logged in to your Magento store, and the store has no CSRF protection, an attacker can trick your browser into performing unwanted actions. For example, the attacker can embed a form like the one below in the page and make your browser submit it.

<form action="https://www.your-Magento-site.com/update-details" method="post">
<input name="email" type="hidden" value="attacker@myemail.com" />
</form>

When this form is submitted, your browser sends the request on your behalf, with your session cookie attached, asking the store to change your email address to the attacker’s. Now the attacker has access to your account!

Causes of CSRF Vulnerabilities

The first step towards Magento CSRF protection is using a random token to validate every state-changing action of the user. This CSRF token must be tied to the user’s session. However, even when a CSRF token is used, an improper implementation can still leave the store vulnerable to CSRF.

Let’s take a look at some common misconfigurations of a CSRF token:

5 Magento CSRF Protection Tips

1. Synchronizer Token Pattern

This Magento CSRF protection measure generates a unique, cryptographically random token and maps it to the user’s session. Whenever the user makes a request to the site, the synchronizer token pattern checks that the request carries the CSRF token bound to that session, which is usually placed in a hidden form field. It is infeasible for an attacker to guess or predict the correct CSRF token for a user, so a forged request fails validation and cannot manipulate that user’s account.

To implement it in Magento 1,

For Magento 2,
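As an added illustration (not Magento’s own code), here is a framework-neutral PHP version of the synchronizer token pattern; Magento’s built-in form key applies the same pattern. The `$session` array stands in for `$_SESSION`, and the function names are assumptions.

```php
<?php
// Added example, not Magento's code: synchronizer token pattern in plain PHP.
declare(strict_types=1);

const CSRF_SESSION_KEY = '_csrf_token';

// Return the token bound to this session, creating it on first use.
function csrfTokenForSession(array &$session): string
{
    if (!isset($session[CSRF_SESSION_KEY])) {
        // 32 bytes from the OS CSPRNG; never derive the token from user data.
        $session[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_SESSION_KEY];
}

// Hidden field to embed in every state-changing form.
function csrfHiddenField(array &$session): string
{
    $token = htmlspecialchars(csrfTokenForSession($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf_token" value="' . $token . '">';
}

// Validate a submitted form: true only when the posted token equals the
// session token. hash_equals() keeps the comparison constant-time.
function csrfValidate(array $session, array $post): bool
{
    $expected  = $session[CSRF_SESSION_KEY] ?? null;
    $submitted = $post['csrf_token'] ?? null;
    if (!is_string($expected) || !is_string($submitted)) {
        return false; // missing token: reject, never fall back to "allowed"
    }
    return hash_equals($expected, $submitted);
}

// Constructed demo: render the field, then check a legitimate and a forged POST.
$session = [];
echo csrfHiddenField($session), PHP_EOL;
var_dump(csrfValidate($session, ['csrf_token' => $session[CSRF_SESSION_KEY]]));
var_dump(csrfValidate($session, ['email' => 'attacker@myemail.com']));
```

The forged POST in the last line mirrors the attacker’s form shown earlier: it carries no token, so it is rejected regardless of the session cookie.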

2. Cookie-to-header Token

In this Magento CSRF protection technique, the CSRF token value is set in a cookie that is associated with the user’s session. Every time the page makes a request to the web app, JavaScript reads this random token and sends it in a custom HTTP header.

This measure relies on the fact that JavaScript from other origins cannot read the cookie. So even if a malicious page makes a request to the server, it cannot supply the matching header, and the value in the cookie and the value in the HTTP header will not match.

3. Double Submit Cookie

This approach is the same as the one above, except that instead of JavaScript sending a header, the CSRF token value is placed in a hidden HTML form field.

This can be implemented using the Laravel framework,

#1: First, create a meta tag to store the CSRF token:

<meta name="csrf-token" content="{{ csrf_token() }}">

#2: Then use jQuery to add the CSRF token to the headers of all AJAX requests:

// Send the token from the meta tag as a header on every jQuery AJAX request
$.ajaxSetup({
    headers: {
        'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content')
    }
});
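Whichever channel carries the copy of the token, the X-CSRF-TOKEN header set by the jQuery snippet above (cookie-to-header) or a hidden form field (double submit), the server must compare it with the cookie value. The PHP below is an added illustration of that server-side check, not Magento’s or Laravel’s code, and it goes one step beyond the text by signing the token with a server secret so that a cookie planted from elsewhere is rejected. The cookie must stay readable by the page’s JavaScript (so not HttpOnly); the function names, secret and session id are constructed for the demo.

```php
<?php
// Added example, not the project's code: server-side validation for the
// cookie-to-header and double-submit-cookie techniques.
declare(strict_types=1);

// Issue a cookie token: random nonce plus an HMAC over the session id, so a
// cookie an attacker sets from elsewhere (e.g. a sibling subdomain) fails.
function issueCsrfCookieToken(string $sessionId, string $secret): string
{
    $nonce = bin2hex(random_bytes(16));
    $sig   = hash_hmac('sha256', $sessionId . '!' . $nonce, $secret);
    return $nonce . '.' . $sig;
}

// Check that the cookie token is genuinely ours and bound to this session.
function csrfCookieTokenIsValid(string $token, string $sessionId, string $secret): bool
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        return false;
    }
    [$nonce, $sig] = $parts;
    $expected = hash_hmac('sha256', $sessionId . '!' . $nonce, $secret);
    return hash_equals($expected, $sig);
}

// Run on every state-changing request. $submitted is the X-CSRF-TOKEN header
// (cookie-to-header) or the hidden form field (double submit).
function csrfRequestIsValid(?string $cookieToken, ?string $submitted,
                            string $sessionId, string $secret): bool
{
    if ($cookieToken === null || $submitted === null) {
        return false; // missing token: reject
    }
    return csrfCookieTokenIsValid($cookieToken, $sessionId, $secret)
        && hash_equals($cookieToken, $submitted);
}

// Constructed demo values (not real secrets or sessions).
$secret    = 'replace-with-a-server-side-secret';
$sessionId = 'sess-demo-0001';
$token     = issueCsrfCookieToken($sessionId, $secret);

// Legitimate request: the page's JavaScript copied the cookie into the header.
var_dump(csrfRequestIsValid($token, $token, $sessionId, $secret));
// Forged cross-site request: the browser attached the cookie, but the
// attacker's page could not read it, so its header value does not match.
var_dump(csrfRequestIsValid($token, 'guess', $sessionId, $secret));
```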

4. SameSite Cookie Attribute

This Magento CSRF protection mechanism ensures that the browser only sends the cookie on requests that originate from the site that set it. Therefore, it renders CSRF attacks ineffective: a request forged from another site arrives without the cookie, so the CSRF token value in the cookie is available to the same site only.

This can be implemented in JavaScript by adding the following snippet to your page:

<script> document.cookie = 'same-site-cookie=foo; SameSite=Strict'; </script>
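The document.cookie snippet above creates a separate, script-visible cookie; the session cookie itself, which is what a forged request rides on, gets its SameSite attribute from the server. As an added example (not Magento’s code), the PHP below sets those attributes on the PHP session cookie using the PHP 7.3+ option keys, and includes a small audit helper for Set-Cookie headers seen in a response; the function names and the sample headers are constructed.

```php
<?php
// Added example, not Magento's own code: server-side SameSite for the session
// cookie, plus an audit helper for Set-Cookie headers.
declare(strict_types=1);

// Configure the PHP session cookie; call before session_start().
// 'Lax' keeps users logged in when they arrive via an external link;
// 'Strict' drops the cookie on every cross-site navigation.
function hardenSessionCookie(string $sameSite = 'Lax'): void
{
    if (!in_array($sameSite, ['Lax', 'Strict'], true)) {
        throw new InvalidArgumentException('use Lax or Strict for a session cookie');
    }
    session_set_cookie_params([
        'path'     => '/',
        'secure'   => true,      // sent over HTTPS only
        'httponly' => true,      // not readable by JavaScript
        'samesite' => $sameSite, // not sent on cross-site requests
    ]);
}

// Audit one Set-Cookie header value and list the protections it lacks.
function auditSetCookie(string $header): array
{
    $attrs = array_map('trim', explode(';', $header));
    array_shift($attrs); // drop the leading "name=value"
    $flags = [];
    foreach ($attrs as $attr) {
        [$k, $v] = array_pad(explode('=', $attr, 2), 2, '');
        $flags[strtolower($k)] = strtolower($v);
    }
    $missing = [];
    if (!isset($flags['secure']))   { $missing[] = 'Secure'; }
    if (!isset($flags['httponly'])) { $missing[] = 'HttpOnly'; }
    $ss = $flags['samesite'] ?? '';
    if ($ss !== 'lax' && $ss !== 'strict') { $missing[] = 'SameSite=Lax|Strict'; }
    return $missing;
}

hardenSessionCookie('Lax');
session_start();

// Constructed headers: the weak default beside the hardened form.
print_r(auditSetCookie('PHPSESSID=abc123; path=/'));
print_r(auditSetCookie('PHPSESSID=abc123; path=/; secure; HttpOnly; SameSite=Lax'));
```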

5. Client-side Magento CSRF Protection

Certain client-side extensions like NoScript can be used as a Magento CSRF protection mechanism. This extension blocks POST requests from untrusted sites to trusted ones. To get it for your browser, visit this page.

Conclusion

A CSRF vulnerability can have serious consequences, including a complete account takeover. To avoid such a scenario, regular audits of your code are necessary. An average Magento user may be inexperienced in this field, so it is advisable to consult experts. Astra can help solve this problem: with flexible plans suited to all, it transforms how you secure your website.