
CSRF Attacks: Understanding Cross-Site Request Forgery

Oct 21, 2014

Security of a web store is a very serious matter on which customers' trust depends as well as the whole site operation and your online business itself.

Let us discuss what CSRF attacks are and how you can protect your Magento ® web store.

What are CSRF Attacks

According to Wikipedia, CSRF (Cross-Site Request Forgery) is a type of malicious exploit of a website that abuses the way HTTP requests are trusted. In theory, any site on the Internet can be attacked if a sufficiently skilled attacker sets out to do it. The usual purpose of such an attack is to redirect a user's request from the original site to one chosen by the attacker. It is quite similar to the better-known XSS, in which the attacker tricks a user into visiting a page or clicking a link that redirects them to a page carrying malicious code.

Practical usage of CSRF

It is easy to say that a web browser simply makes an additional request to a different page: this is how sites earn money, and most web store users are used to such behaviour. How can this be a threat to a web store owner? The simplest example is an attack on the admin panel. Let's say you are a Magento ® store owner and your site has an option to create an admin user. This is the critical moment: the form that registers a new user and can create a new administrator is the part most exposed to attack. You just enter your email address, your name and password, then click 'Create' or 'Sign in'.

Let’s say that a user is opening the page

http://your_domain/admin/?do=add_admin&new_login=NewAdmin&new_pass=NewPass&[email protected]

At the same time, the attacker has already prepared a page of their own, say

http://fake/fakepage.html

The page looks perfectly ordinary; what matters is its content:

<html>
<head>
<title>usual page</title>
</head>
<body>
<img src="http://site/admin/?do=add_admin&new_login=Haker&new_pass=Pass&new_mail=Haker@fake.Com" alt="" width="1" height="1" />
</body>
</html>

Therefore, by opening the legitimate site with the help of a developer tool such as FireBug, one can see the URLs to which the site normally sends its requests and forge them into the ones the attacker wants the traffic to flow to. Of course, performing that task takes a lot of experience, but for a skilled hacker it is quite realistic.

As a result, the store owner has just unintentionally created a new administrator, because their browser was made to send a different request than the one they intended. To correct that, they will need specific Magento ® extensions or a programmer's help. You are welcome to consult GoMage specialists if you encounter such issues.

This is only one of the hundreds of reasons to protect your site from this harm. Let us review how to do that.

How to protect your site from CSRF attack

Locate the file named local.xml in the /app/etc/ directory and open it in an editor.

Find the part of the configuration responsible for the admin URL under which requests such as creating a new administrator are served, and make it as unusual and hard to guess as possible, so that intruders have a harder time finding and hacking it.

For example, http://magento-forum.ru offers the following way:

<!-- this block goes inside the <config> root element of local.xml -->
<admin>
  <routers>
    <adminhtml>
      <args>
        <!-- in my case I changed it from the default to backend -->
        <frontName><![CDATA[backend]]></frontName>
      </args>
    </adminhtml>
  </routers>
</admin>

After that, go to the admin panel and navigate to System – Configuration – Admin – Security. Set the following values:

Add Secret Key to URLs – set to Yes;

Login is Case Sensitive – set to Yes;

Session Lifetime (seconds) – set the time interval to 360.

Then save all changes.
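To make the effect of "Add Secret Key to URLs" concrete, here is a small added example (not code from this article or from Magento itself) that models the scenario described above: an owner is logged into the admin panel, and a page on another origin makes the owner's browser load the add_admin URL through a 1x1 image. A first handler trusts the session cookie alone, as the vulnerable store does; a second one requires a POST and a per-session secret key embedded in the store's own admin links. The Store, Request, url_key and handler names, and the HMAC-based key derivation, are assumptions made for the model, not Magento's internals. The example goes slightly beyond the article's GET-only scenario by also replaying a forged POST without the key.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set
from urllib.parse import parse_qs, urlsplit


@dataclass
class Store:
    """Constructed model of a store backend: its admin user table and live admin sessions."""
    admins: Set[str] = field(default_factory=lambda: {"owner"})
    # session id -> per-session secret from which URL keys are derived (assumption, not Magento's scheme)
    sessions: Dict[str, str] = field(default_factory=dict)

    def login(self) -> str:
        sid = secrets.token_hex(8)
        self.sessions[sid] = secrets.token_hex(16)
        return sid

    def url_key(self, sid: str, action: str) -> str:
        # The key the backend embeds in its own admin links: bound to the session and the action,
        # so a page on another origin cannot know it in advance.
        return hmac.new(self.sessions[sid].encode(), action.encode(), hashlib.sha256).hexdigest()[:16]


@dataclass
class Request:
    method: str
    url: str
    cookie_sid: Optional[str]  # the browser attaches the store's session cookie to ANY request to the store


def _params(req: Request) -> Dict[str, str]:
    return {k: v[0] for k, v in parse_qs(urlsplit(req.url).query).items()}


def handle_vulnerable(store: Store, req: Request) -> str:
    """Checks only the session cookie, so any page that makes the browser load the URL succeeds."""
    if req.cookie_sid not in store.sessions:
        return "denied: not logged in"
    q = _params(req)
    if q.get("do") == "add_admin":
        store.admins.add(q["new_login"])
        return "created " + q["new_login"]
    return "ok"


def handle_hardened(store: Store, req: Request) -> str:
    """Requires POST plus a valid per-session secret key for state-changing actions."""
    if req.cookie_sid not in store.sessions:
        return "denied: not logged in"
    q = _params(req)
    if q.get("do") == "add_admin":
        if req.method != "POST":
            return "denied: state change over GET"
        expected = store.url_key(req.cookie_sid, "add_admin")
        if not hmac.compare_digest(expected, q.get("key", "")):
            return "denied: invalid secret key"
        store.admins.add(q["new_login"])
        return "created " + q["new_login"]
    return "ok"


def run_scenario(handler) -> Dict[str, object]:
    """Replays the article's scenario against one handler and reports what happened."""
    store = Store()
    sid = store.login()  # the owner is logged into the admin panel
    # Request the fake page's hidden <img> makes the owner's browser send (constructed from the article)
    forged_get = Request("GET", "http://site/admin/?do=add_admin&new_login=Haker&new_pass=Pass", sid)
    # A forged cross-site form submission: right method, but the page cannot know the key
    forged_post = Request("POST", "http://site/admin/?do=add_admin&new_login=Haker2&new_pass=Pass", sid)
    # Request from the real admin form, whose action URL the backend signed with the session's key
    legit = Request(
        "POST",
        "http://site/admin/?do=add_admin&new_login=NewAdmin&new_pass=NewPass&key=" + store.url_key(sid, "add_admin"),
        sid,
    )
    return {
        "forged_get": handler(store, forged_get),
        "forged_post": handler(store, forged_post),
        "legit": handler(store, legit),
        "admins": set(store.admins),
    }


if __name__ == "__main__":
    for name, handler in (("vulnerable", handle_vulnerable), ("hardened", handle_hardened)):
        print(name, run_scenario(handler))
```

The vulnerable handler creates "Haker" from the forged image request, while the hardened one refuses both forged requests and still accepts the owner's real form, which is the behaviour the secret-key setting is meant to give you. Renaming the admin frontName, as in the local.xml change above, only makes the URL harder to guess; the key check is what actually stops a forged request that reaches the right URL.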

We would highly appreciate it if you shared your own ways of protecting your Magento ® site from CSRF attacks in the comments below. If you have any questions, you may ask them in our blog or address them to the GoMage team directly via email. We will do our best to help you.
