The security of a web store is a serious matter: customers' trust, the operation of the whole site and your online business itself depend on it. Let us discuss what CSRF attacks are and how you can protect your Magento web store.
What is CSRF
According to Wikipedia, CSRF (Cross-site request forgery) is a type of malicious exploit of a website in which unauthorized commands are submitted from a user that the site trusts. In theory, any site on the Internet can be attacked if there are skilled hackers willing to do so. The main purpose of such an attack is usually to replace the request the user's browser sends to the original site with one chosen by the hacker. The attack is related to the better-known XSS, in which the hacker makes the user open a page or click a link that leads to a page containing malicious code.
Practical usage of CSRF
It is easy to say that a web browser simply makes an additional request to a different page: this is how sites earn money, and most web store users are accustomed to it. How can this be a threat to a web store owner? The simplest example is an attack on the admin panel. Let's say you are a Magento store owner and your site has an option to create an admin user. This is the critical point: the registration or new-user form with an option to create an administrator is the one most vulnerable to a hacker's attack. You just enter your email address, your name and password, then click 'Create' or 'Sign in'.
Let's suppose that a user opens the page http://your_domain/admin/?do=add_admin&new_login=NewAdmin&new_pass=NewPass&new_mail=NewAdmin@Mail.Com
Meanwhile, the attacker has already prepared a page at http://fake/fakepage.html:
The page looks perfectly ordinary; what matters is its content:

<html>
  <head>
    <title>usual page</title>
  </head>
  <body>
    <!-- invisible 1x1 image whose URL is the admin request shown above,
         so the visitor's browser sends it to the store with the visitor's own admin session -->
    <img src="http://your_domain/admin/?do=add_admin&new_login=Haker&new_pass=Pass&new_mail=Haker@fake.Com" alt="" width="1" height="1" />
  </body>
</html>
So, by inspecting a legitimate site with developer tools such as Firebug, one can see the URLs to which the site usually sends its requests and forge them into the ones the attacker needs. Of course, this takes a lot of experience, but for a skilled hacker it is quite realistic.
As a result, the store owner has just unintentionally created a new administrator, because their browser was made to send a different request. To correct this they will need specific Magento extensions or a programmer's help. You are welcome to consult GoMage specialists if you encounter such issues.
This is only one of hundreds of reasons to protect your site from this kind of harm. Let us review how to do that.
How to protect your site from CSRF attack
Locate the file named local.xml in the /app/etc/ directory and open it in an editor.
Find the section that defines the admin front name, i.e. the URL path through which the admin panel (and therefore a request such as the one above) is reached. Make it as complicated and hard to guess as possible, so that intruders have a hard time finding it. For example, http://magento-forum.ru offers the following way:

<!-- this goes inside the root <config> element of app/etc/local.xml -->
<admin>
  <routers>
    <adminhtml>
      <args>
        <!-- in my case I changed the frontName to backend -->
        <frontName><![CDATA[backend]]></frontName>
      </args>
    </adminhtml>
  </routers>
</admin>
After that, go to the admin panel and open System - Configuration - Admin - Security. Set the following values:
Add Secret Key to URLs – set to Yes (this appends a per-session key to every admin URL, so a request forged on another site does not carry a valid key);
Login is Case Sensitive – set to Yes;
Session Lifetime (seconds) – set the time interval to 360.
Then save all changes.
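To show why the "Add Secret Key to URLs" setting defeats the forged image request above, here is a small model of the check, added to this article and not Magento's own code: a random per-session form key, a key derived from it for each admin action (an HMAC here, a simplified stand-in for Magento's scheme), and the 360-second session lifetime recommended above. The AdminSession class, the `key` parameter and the URLs are constructed for the example, reusing the article's sample addresses.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

SESSION_LIFETIME = 360  # seconds, the value the article recommends
ADMIN_BASE = "http://your_domain/admin/?"  # the path from the article's example

class AdminSession:
    """Hypothetical server-side admin session: a random form key plus last-activity time."""
    def __init__(self, now):
        self.form_key = secrets.token_hex(16)  # never exposed to other origins
        self.last_seen = now

def secret_key(form_key, action):
    """Key the admin UI appends to its own links, bound to one session and one action."""
    return hmac.new(form_key.encode(), action.encode(), hashlib.sha256).hexdigest()

def admin_url(session, action, **params):
    """Build a link the way the admin panel itself would, carrying the key for this session."""
    query = {"do": action, **params, "key": secret_key(session.form_key, action)}
    return ADMIN_BASE + urlencode(query)

def handle_admin_request(url, session, now):
    """Server side: perform the action only for a live session presenting the right key."""
    if now - session.last_seen > SESSION_LIFETIME:
        return "rejected: session expired"
    session.last_seen = now
    qs = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    action = qs.get("do", "")
    if action != "add_admin":
        return "rejected: unknown action"
    # A forged request carries no key, or a key minted for some other session.
    expected = secret_key(session.form_key, action).encode()
    if not hmac.compare_digest(qs.get("key", "").encode(), expected):
        return "rejected: missing or wrong secret key"
    return "created admin " + qs.get("new_login", "")

def demo():
    """The article's scenario: the victim's own session receives the forged request."""
    victim, other = AdminSession(now=1000), AdminSession(now=1000)
    forged = ADMIN_BASE + "do=add_admin&new_login=Haker&new_pass=Pass&new_mail=Haker@fake.Com"
    genuine = admin_url(victim, "add_admin", new_login="NewAdmin")
    return {
        "forged_img_request": handle_admin_request(forged, victim, now=1010),
        "key_from_other_session": handle_admin_request(admin_url(other, "add_admin"), victim, now=1020),
        "genuine_link": handle_admin_request(genuine, victim, now=1030),
        "genuine_but_stale": handle_admin_request(genuine, victim, now=1030 + SESSION_LIFETIME + 1),
    }
```

Only the link generated inside the victim's own live session is accepted; the image request from the attacker's page, a key taken from a different session, and a genuine link replayed after the lifetime has passed are all rejected.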
We would highly appreciate it if you shared your own ways of protecting your Magento site from CSRF attacks in the comments to this article. If you have any questions, you may ask them at http://www.gomage.com/blog/ or address the GoMage team directly via email. We will do our best to help you.