Opencart Security

How to Prevent Cross-site Scripting (XSS) in Opencart 1.5.x, 2.x & 3.x

Updated on: March 29, 2020

How to Prevent Cross-site Scripting (XSS) in Opencart 1.5.x, 2.x & 3.x

Common signs of your OpenCart store being vulnerable to Cross-site Scripting is malicious popups, credit card information theft and compromise of username/passwords of your users. While OpenCart takes security very seriously, new security issues may be discovered over time. Poorly coded extensions tend to be the #1 cause of security breaches.

In this guide, we’ll talk about what XSS is, the consequences & practical steps on how you can secure your OpenCart store against XSS attacks.

What is Cross-site Scripting (XSS)?

Cross-site Scripting (XSS) is a popular code injection vulnerability that allows a hacker to execute malicious JavaScript code into another user’s web browser. It’s risky because malicious JavaScript code can have drastic consequences like credit card hijacking, user information theft etc.

XSS in websites is widely prevalent, and is hence a part of the OWASP Top Ten Project. There are mainly three types of XSS:

  1. Reflected XSS (Non-Persistent)  When the malicious JavaScript code gets executed when the user opens a link to a vulnerable website.
  2. Stored XSS (Persistent) – When the malicious JavaScript code gets stored on the server side (Python, PHP, Java, NodeJS etc) and is executed in the victim’s browser every-time the page is requested.
  3. DOM-based XSS (Caused by client-side code) – When the malicious JavaScript payload is executed as a result of modifying the DOM “environment” in the victim’s browser

Consequences of XSS in OpenCart & Extensions

OpenCart and it’s extensions have had their history with XSS. There have been many publicly disclosed (and fixed) vulnerabilities. Recently, XSS was reported in the zone_id parameter (CVE-2015-4671), & product_id parameter.

XSS in OpenCart zone_id parameter

Being an e-commerce portal, malicious JavaScript payloads can have critical consequences like:

  • Creditcard Hijacking – CreditCard/payment information of the user can be captured on the checkout page and sent to servers owned by the hacker via AJAX
  • Compromise of customer user account – Sensitive account information can be recorded and used for criminal purposes
  • Keylogging of victim’s browser – A keylogger can be used to record keystrokes to spy on the user, grab passwords, intercept their conversations etc.
  • Drive by download – Infect the web browsers of store visitors with malware and forced downloads of compromised softwares

Steps to secure your OpenCart store from XSS

#1 – Use HTML Purifier Library to filter user input

HTML Purifier is a HTML filter library that removes all malicious code from the user input and encodes output data. It’s relatively simple to use and works well out of the box. You merely needs to invoke the HTMLPurifier object and then use the purify method to sanitize the input like this:


$config = HTMLPurifier_Config::createDefault();
$purifier = new HTMLPurifier($config);

// Clean user input in GET array
$_GET = $purifier->purify($_GET);

// Clean user input in POST array
$_POST = $purifier->purify($_POST);

// Clean user input in REQUEST array
$_REQUEST = $purifier->purify($_REQUEST);


#2 – Use a Website Firewall

Given the ever evolving threat landscape, it is always a good idea to use a website firewall. Take Astra’s OpenCart Website Firewall for example, it protects against issues like XSS, LFI, RFI, Code Injection, Bad Bots etc. right out of the box without having to modify any code. Hackers and Malicious requests are blocked before they even reach your OpenCart store.

#3 – Regularly update your OpenCart version

The CMS is periodically updated with bug fixes, security patches and of course new features. It’s a good idea to update as soon as a new version is released.

#4 – Content Security Policy (CSP)

XSS can be mitigated by a recent web standard known as a Content Security Policy (CSP). It instructs the web browser to only load resources downloaded from known & trusted sources. So what it means it that even if an attacker successfully injects a malicious payload into your store, a CSP can prevent it from being run.

A CSP header looks something like this:

directive source‑expression, source‑expression, ...;
directive ...;

You can read more about Content Security Policies here.

#5 – Use the X-XSS-Protection Response Header

Modern Browsers like Google Chrome, Firefox have a XSS filter built into them. But in some cases it may have been disabled by the user. So it’s a good idea to set the X-XSS-Protection response header to re-enable the browser XSS filter. The browser will stop rendering if it detects a potential XSS attack.

PS: Do not rely solely on the XSS filer to prevent an attack. You should take all possible measures like installing extensions from trusted sources, regularly updating OpenCart etc to ensure maximum security.

Summing up

Security issues can make or break e-commerce stores. They are routinely targeted by bots and hackers to hijack credit cards, steal user information or redirect your users to other malicious websites. There are technologies like the Astra Website Firewall designed to simplify security for you and mitigate such attacks.

Tags: , , , , , , ,

Ananda Krishna

Ananda Krishna is the co-founder & CTO of Astra Security, a SaaS suite that secures businesses from cyber threats. He has been acknowledged by the Indian Navy, Microsoft, United Airlines, etc. for finding critical security vulnerabilities in their systems. Winner of the Best Security Product at Global Conference on Cyberspace 2017 (awarded by Narendra Modi, Prime Minister of India) & French Tech Ticket, Paris (awarded by François Hollande, former President of France). At Astra he's building an intelligent security ecosystem - web application firewall (WAF), malware detection & analysis, large scale SaaS applications, APIs & more. He's actively involved in the cybersecurity community and shared his knowledge at various forums & invited talks.
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Newest Most Voted
Inline Feedbacks
View all comments

[…] and Cross Site Scripting are one of the most exploited on web apps. Be it WordPress, Magento or OpenCart all have had cases where lack of input sanitization left thousands of websites vulnerable. Be it […]

Aditya Dev
Aditya Dev
5 years ago

Your blog is verynice… Thanks for sharing your information…

Psst! Hi there. We’re Astra.

We make security simple and hassle-free for thousands
of websites and businesses worldwide.

Our suite of security products include a vulnerability scanner, firewall, malware scanner and pentests to protect your site from the evil forces on the internet, even when you sleep.

earth spiders cards bugs spiders

Made with ❤️ in USA France India Germany