Let’s discuss another attack, cross-site request forgery (CSRF or XSRF), one of the most common web application attacks: it was listed at position 5 (A5) in the OWASP Top 10 of 2010 and at position 8 (A8) in 2013.
According to Magento’s security releases, CSRF could be abused to add unwanted items to a shopper’s cart (CVE-2019-7857), delete a store design schedule (CVE-2019-7873) or delete blocks (CVE-2019-7851).
Let’s understand the Magento 2 CSRF attack:
The attacker inherits the identity and privileges of the victim and performs an undesired action on the victim’s behalf by tricking them into submitting a malicious request. The browser attaches the victim’s session cookie to the forged request automatically, so the store cannot tell it apart from a request the user intended.
When a legitimate user is logged into their account and visits a malicious website or link, or an attacker-controlled application, the attacker can trick the user into performing unwanted actions if Magento’s CSRF protection (the CSRF token, or form key) is not configured properly.
An attacker can:
Force victims to add unwanted items to their cart or, in some cases, change the user’s account details to take over the victim’s account.
How to secure your Magento 2 store against CSRF
1. Token-based mitigation: this technique is one of the most effective and recommended methods of mitigating CSRF.
It can be implemented with the Synchronizer Token Pattern, generating a token once per user session or once per request, or with the Encryption-based Token Pattern. Magento 2 ships with synchronizer-token protection: storefront forms carry a hidden form_key field that the server validates against the session, and admin URLs can additionally carry a secret key. Store admins should set Add Secret Key to URLs to Yes under Stores > Configuration > Advanced > Admin > Security and leave it enabled on production stores; the token only helps if every state-changing request is actually checked against it.
2. SameSite cookie attribute: according to OWASP, the SameSite cookie attribute stops the browser from sending the cookie along with cross-site requests, meaning the cookie is only used by the site that set it. Set SameSite to “Strict” or “Lax”. Note that Lax still sends the cookie on top-level GET navigations, so state-changing actions must never be reachable via GET; treat SameSite as defence in depth alongside the token, not as a replacement for it.
Set-Cookie: SESSIONID=randomid; SameSite=Strict
As technology evolves fast, attackers keep coming up with new bypasses, so it is highly recommended to audit your store regularly to avoid such attack scenarios. Magento store owners may not have the experience to mitigate such attacks on their own.
To safeguard your Magento 2 store from other attacks like malicious file upload or brute force, visit our store and check out our Security Extension Suite for Magento 2 module for more details; it is effective in blocking malicious users and in notifying admins of suspicious login attempts.
In upcoming blogs in this Magento 2 security series we will continue discussing other prominent attacks and ways to secure your Magento 2 store.