Prestashop Security

5 DIY Methods to Implement PrestaShop CSRF Protection

Published on: May 29, 2020

5 DIY Methods to Implement PrestaShop CSRF Protection

Being an e-commerce solution, PrestaShop constantly runs the risk of getting hacked. This is further validated by the fact that attacks on PrestaShop stores are on the rise as of late. Although there are all sorts of attacks an average PrestaShop store needs to look out for, PrestaShop CSRF Protection requires special attention.

What Are CSRF Attacks?

Cross-Site Request Forgery or CSRF is basically making the client/user to execute a malicious request that may lead to leaking their cookie, session key, or other unintended actions. This allows attackers to perform operations such as data leakage, session hijacking, or manipulation of end user’s account information.

The CSRF vulnerability can be introduced on your website by PrestaShop Plugin, a Code Snippet that you may have added and sometimes even by core PrestaShop codebase. Hence, it is extremely important to implement PrestaShop CSRF protection on your store.

In 2019, the PrestaShop Addon named Data privacy extended (data protection law) – GDPR Module was found vulnerable to CSRF attack. This vulnerability allowed the attacker to delete the account of the victim, without the user even suspecting it. This vulnerability was reported and patched in version 3.7.

Common Misconfigurations Leading to PrestaShop CSRF Attack

The CSRF vulnerabilities arise mainly due to minor logical mistakes made in the codebase. However, improper session management mistakes or no protection at all from a CSRF attack are also commonly found.

A few common misconfigurations leading to the attack are as follows:-

  • Improper Validation of CSRF token that allows attackers to bypass it.
  • The absence of the CSRF validation token.
  • User Session has CSRF token attached to it.
  • Validation token of CSRF token is tied to a non-session cookie, i.e., which can be removed without affecting the session.
  • The Validation Token is the same as the token in the cookie.
  • CSRF validation token of the Referer depends on the header present.
  • Validation of the Referrer header can be bypassed.

Fortunately, ensuring PrestaShop CSRF protection on your PrestaShop installation is easy. Find out in the next segment.

PrestaShop CSRF Protection Methods

The Cross-Site Request Forgery vulnerability can be easily eliminated when the correct Industry standards and safe practices are followed.

A few such methods to prevent the PrestaShop CSRF bugs are mentioned below:

1. Synchronizer Token Pattern (STP)

In this technique, a unique token or secret is placed by the web application in all HTML forms. This is then verified on the server-side to ensure the request is not originating from a malicious source.

This is one of the most common popular methods of protecting oneself from the CSRF attacks. PrestaShop itself has this implemented in its core codebase. But over time, a few shortcomings were observed in the PrestaShop’s implementation.

These shortcomings can be overcome by using OWASP CSRF Protector Project. This open-source PHP based project can help you protect your website against CSRF based attacks. This too uses the STP technique and has better implementation to follow the industry’s best practices.

To install the application, follow these steps:-

1. Download and place the file in your PrestaShop Installation Location.

2. Next, include the library at the beginning of the PHP file that you want CSRF protection on. You can do so by using the following code snippet:

<?php
include_once __DIR__ .'/libs/csrf/csrfprotector.php';

3. Now, all you need to do is call the init() function and you work here is done. This will enable the CSRF Guard in the mentioned PHP page and run the STP technique for the requests.

include_once __DIR__ .'/libs/csrf/csrfprotector.php';

//Initialise CSRFGuard library
csrfProtector::init()

2. Cookie-to-Header Token

Another method to enforce CSRF checks on the request coming to the server is by using javascript-based modules. PrestaShop applications that have javascript running can use ant-CSRF techniques that rely on the same-origin policy.

To implement this method, you can use the Laravel PHP framework to add the CSRF token as a POST parameter that is stored in the HTML meta tag:

<meta name="csrf-token" content="{{ csrf_token() }}">

Once created, this meta tag instructs the library such as ‘JQueryto,’ which automates the process of adding a token to all requests of the server. This provides a simple and efficient method of applying CSRF protection for your AJAX-based pages.

$.ajaxSetup({    headers: {        'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content')    }})

3. Double Submit Cookie

This technique comes in hand when your PrestaShop installation does not rely on JavaScript usage. This is similar to the cookie-to-header approach but does all that without the use of JavaScript.

The working here is simple. Just like the cookie-to-header approach, a CSRF token is placed in the hidden HTML field and it is set as a cookie. Now, when the form is submitted, the website checks the cookie token matching with the form token.

The same-origin policy prevents the attacker to craft the malicious token or cookie, thus protecting CSRF based attacks. The primary advantage here is that no token storage on the server is required.

Here is a handy guide that shall help you implement Double Submit Cookie in PHP.

4. SameSite Cookie Attribute

This technique is also based on a similar concept. This adds a “SameSite” attribute to the cookie set by the server. It instructs the web browser on whether to attach cross-site requests or not.

If the attribute is set to “strict”, then the web browser sets the cookie to cross-site requests and thus renders the CSRF attacks useless.

However, this requires the browser to recognize and correctly implement the attribute. It also requires the cookie to have the “Secure” flag.

5. Client-side Safeguards

The safeguards are implemented on the PrestaShop installation to assure CSRF attacks are futile. It is also important to make your clients aware of these types of attacks. This will allow them to implement some safeguards on their side too.

There are several browser plugins available for Chromium, Firefox, Brave, Edge and others that help in the mitigation of CSRF attacks.

NoScript, Privacy, and Badger are a few popular plugins available. These extensions work to distinguish trusted sites from untrusted sites. Thus, they help remove the authentication tokens and payload from HTTP requests sent by malicious sites to trusted ones.

Conclusion

CSRF vulnerabilities are easily exploited by hackers in e-commerce websites such as PrestaShop to cause havoc. Fortunately, eliminating these vulnerabilities by using the simple methods mentioned above becomes easy.

The blog discussed 5 DIY methods to remove this vulnerability from your PrestaShop Installation. But you may be prone to run into technical difficulty if you are unfamiliar with PHP frameworks and networking basics.

Thus, you should check out a ready-made CSRF protection with the Astra Security Suite. Our rock-solid firewall thwarts all CSRF attempts on your PrestaShop stores.

Besides CSRF, the Astra firewall also stops attacks like XSS, SQLi, LFI, RFI, Bad bots, Spam, OWASP top 10, and 100 others to reach your websites. It caters to all forms of cybersecurity needs and much more.

Don’t take our words for it. See it for yourself!

Peek inside Astra

Was this post helpful?

Jinson Varghese

Jinson Varghese Behanan is an Information Security Analyst at Astra. Passionate about Cybersecurity from a young age, Jinson completed his Bachelor's degree in Computer Security from Northumbria University. When he isn’t glued to a computer screen, he spends his time reading InfoSec materials, playing basketball, learning French and traveling. You can follow him on Medium or visit his Website for more stories about the various Security Audits he does and the crazy vulnerabilities he finds.
guest

This site uses Akismet to reduce spam. Learn how your comment data is processed.

0 Comments
Inline Feedbacks
View all comments

Psst! Hi there. We’re Astra.

We make security simple and hassle-free for thousands
of websites and businesses worldwide.

Our suite of security products include firewall, malware scanner and security audits to protect your site from the
evil forces on the internet, even when you sleep.

earth spiders cards bugs spiders

Made with ❤️ in USA France India Germany