Accelerated Security Course - Episode 4 - CSRF

Last updated 4 years ago

This article was written by Damien Metzger, and first published on the PrestaShop blog on November 30th, 2011.

A CSRF attack exploits a trusted user's identity by making that user's browser send commands without the user knowing. Basically, if a page is protected by a login/password system (with the session typically kept in a cookie), you cannot reach it without signing in, unlike the retailer, who is already signed in.

Therefore a hacker simply needs to send the retailer to the page of his choice, by instant message or email such as "Hi! Take a look at my new photos… Do you think I'm hot?", with a link that redirects the victim to http://www.maboutique.com/admin/index.php?tab=AdminCustomers&deletecustomer&id_customer=1.

In theory, this link deletes customer number 1 from the maboutique.com shop. This won't work with PrestaShop, as the software has been made secure to avoid this type of usage, but you get the idea: the hacker just needs to get the retailer to click on a link which carries out the required action. You can't do it yourself but the retailer could do it in your place without knowing it.

This is a very malicious attack, as the shop itself does not have to have been breached. A more active protection system than the one used against XSS or injections is required.

The solution lies in using security tokens, as you can see in PrestaShop or phpMyAdmin for example. The developer must generate a unique hash code based on data specific to the retailer for each page and even each action: combine the username, the shop URL, a salt generated upon installation, the page URL and the action as the parameter of the sha1() function for a truly complete hash code. Next, every time a page loads and before any processing, recalculate the token and compare it with the one passed as a parameter of each link. This way the hacker faces the impossible task of calculating the correct sha1 to exploit the breach.
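The following PHP sketch is an added illustration, not code from PrestaShop's source: it builds the token from exactly the ingredients listed above, attaches it to a back-office link, and shows the pre-processing check refusing both the tokenless link from the example and a token borrowed from another page. The function names, the session layout and the salt value are assumptions made for the example.

```php
<?php
// Added example (not PrestaShop's own code): per-page, per-action anti-CSRF
// tokens built from the data the article lists, plus the check a controller
// runs before acting. All names below are hypothetical; $install_salt stands
// for a random secret written to the configuration at installation time and
// never sent to the browser.

// Token = sha1(username, shop URL, installation salt, page, action). A NUL
// separator keeps the fields from running into each other.
function make_csrf_token($username, $shop_url, $install_salt, $tab, $action)
{
    return sha1(implode("\0", array($username, $shop_url, $install_salt, $tab, $action)));
}

// Constant-time comparison so response timing leaks nothing about the token.
// hash_equals() exists from PHP 5.6; older hosts get the manual loop.
function token_equals($expected, $given)
{
    if (!is_string($given) || strlen($given) !== strlen($expected)) {
        return false;
    }
    if (function_exists('hash_equals')) {
        return hash_equals($expected, $given);
    }
    $diff = 0;
    for ($i = 0, $n = strlen($expected); $i < $n; $i++) {
        $diff |= ord($expected[$i]) ^ ord($given[$i]);
    }
    return $diff === 0;
}

// The back office renders every action link with its token appended, in the
// same "?tab=...&action&params" shape as the link in the article.
function admin_link($base, $tab, $action, array $params, $token)
{
    return $base.'?tab='.urlencode($tab).'&'.urlencode($action)
        .'&'.http_build_query($params).'&token='.$token;
}

// Before running $action, recompute the token from server-side session data
// (never from the request) and compare it with the token the request carries.
function authorize_request(array $session, array $get, $install_salt, $action)
{
    $tab = isset($get['tab']) ? $get['tab'] : '';
    $expected = make_csrf_token($session['username'], $session['shop_url'],
                                $install_salt, $tab, $action);
    $given = isset($get['token']) ? $get['token'] : '';
    return token_equals($expected, $given);
}

// Constructed sample data, not taken from a real shop.
$install_salt = 'EXAMPLE_SALT_generated_at_install';
$session = array('username' => 'retailer@example.com',
                 'shop_url' => 'http://www.maboutique.com/');
$base = 'http://www.maboutique.com/admin/index.php';

// 1) A link the back office itself rendered for the signed-in retailer.
$token = make_csrf_token($session['username'], $session['shop_url'],
                         $install_salt, 'AdminCustomers', 'deletecustomer');
$legit = admin_link($base, 'AdminCustomers', 'deletecustomer',
                    array('id_customer' => 1), $token);
parse_str(parse_url($legit, PHP_URL_QUERY), $get);
echo 'rendered link:  ',
    (authorize_request($session, $get, $install_salt, 'deletecustomer') ? 'allowed' : 'refused'), "\n";

// 2) The link from the article, as a hacker would mail it: it carries no token.
parse_str('tab=AdminCustomers&deletecustomer&id_customer=1', $forged);
echo 'forged link:    ',
    (authorize_request($session, $forged, $install_salt, 'deletecustomer') ? 'allowed' : 'refused'), "\n";

// 3) A token copied from another page of the same back office is bound to
//    that page and action, so it does not authorize the deletion either.
$forged['token'] = make_csrf_token($session['username'], $session['shop_url'],
                                   $install_salt, 'AdminOrders', 'view');
echo 'borrowed token: ',
    (authorize_request($session, $forged, $install_salt, 'deletecustomer') ? 'allowed' : 'refused'), "\n";
```

Two design points matter here: the inputs to the recomputation (username, shop URL, salt) come from the server-side session and configuration, never from the request, so the only thing the attacker controls is the token he has to guess; and binding the page and action into the hash means a token observed on one screen cannot be replayed against another.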

But we can't end here. For example, a hacker can try to combine XSS and CSRF. By exploiting an XSS breach, the hacker can make your browser run JavaScript code of his choosing. He can then use that JavaScript to read the token from the URL or from other links on the page. This is why security on every front is essential: a single breach is enough to get in, and once he is over the first hurdle, it's much easier for a hacker to weave his web.
