Access Denied Error: Possible CSRF Attack
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. With a little help from social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state-changing requests such as transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.
Impact
In CS-Cart, in most cases this error is not caused by an actual CSRF attack but by the value of the max_input_vars PHP directive on your server. When a request carries more input variables than the directive allows, PHP truncates the request; if the security_hash parameter is among the fields that get truncated, CS-Cart cannot verify it and shows this error message.
Solution
This is a very bad approach, but you can disable the anti_csrf tweak in the config.local.php file. It will look like the following screenshot:
Accident risk
The max_input_vars directive helps the web application by truncating oversized requests. If an attacker, for example, tries to send very large requests to your web application (CS-Cart), it can crash, error out, or take down your web server (a DoS attack).
By default, this directive is set to 10000 in PHP, which means that you cannot send more than ten thousand form fields in one request.
By design, many CMSs split big requests into smaller ones and make several synchronous requests to transfer the data. CS-Cart instead tries to make one big request. This is the root cause of this error message.
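To make the truncation mechanism concrete, here is an added diagnostic script (example code, not part of this article or of CS-Cart). It models the PHP behaviour described above: PHP keeps only the first max_input_vars key/value pairs of a request body, in arrival order, and drops the rest, so whether security_hash survives depends on how many fields precede it. The form body, the field names such as products[0][price], the token value and the helper names are constructed for the example; the 10000 default is the one named on the page.

```python
"""Estimate whether a form submission would lose its security_hash to PHP's
max_input_vars truncation. Added example, not CS-Cart code."""
import re
from urllib.parse import parse_qsl, urlencode

# Default value of the PHP directive, as stated in the article.
DEFAULT_MAX_INPUT_VARS = 10000

# Name of the CS-Cart anti-CSRF field mentioned in the article.
TOKEN_FIELD = "security_hash"


def count_input_vars(body: str) -> int:
    """Count input variables the way PHP does for one superglobal: every
    key=value pair counts, including each array leaf such as products[3][price]."""
    return len(parse_qsl(body, keep_blank_values=True))


def kept_pairs(body: str, max_input_vars: int = DEFAULT_MAX_INPUT_VARS):
    """Return the pairs PHP would actually populate: the first max_input_vars
    in arrival order; everything after that is dropped with an E_WARNING."""
    return parse_qsl(body, keep_blank_values=True)[:max_input_vars]


def security_hash_survives(body: str, max_input_vars: int = DEFAULT_MAX_INPUT_VARS) -> bool:
    """True if the anti-CSRF token is still present after truncation."""
    return any(key == TOKEN_FIELD for key, _ in kept_pairs(body, max_input_vars))


def diagnose(body: str, max_input_vars: int = DEFAULT_MAX_INPUT_VARS) -> dict:
    """Summarise one request body against a given directive value."""
    total = count_input_vars(body)
    return {
        "input_vars": total,
        "max_input_vars": max_input_vars,
        "truncated": total > max_input_vars,
        "security_hash_present": security_hash_survives(body, max_input_vars),
    }


def parse_max_input_vars(ini_text: str) -> int:
    """Read max_input_vars from php.ini text; fall back to the PHP default.
    Lines starting with ';' are comments and are ignored."""
    for line in ini_text.splitlines():
        match = re.match(r"^\s*max_input_vars\s*=\s*(\d+)", line)
        if match:
            return int(match.group(1))
    return DEFAULT_MAX_INPUT_VARS


def build_sample_body(n_products: int, hash_first: bool) -> str:
    """Construct a bulk-edit style form body: three fields per product row plus
    one security_hash, placed either first or last (constructed sample data)."""
    fields = []
    for i in range(n_products):
        fields.append((f"products[{i}][name]", f"Product {i}"))
        fields.append((f"products[{i}][price]", "9.99"))
        fields.append((f"products[{i}][amount]", "1"))
    token = (TOKEN_FIELD, "constructed-token-value")
    if hash_first:
        fields.insert(0, token)
    else:
        fields.append(token)
    return urlencode(fields)


if __name__ == "__main__":
    # 4000 rows * 3 fields = 12000 variables, more than the 10000 default.
    late_token = build_sample_body(4000, hash_first=False)
    early_token = build_sample_body(4000, hash_first=True)
    print("token last :", diagnose(late_token))
    print("token first:", diagnose(early_token))
    print("php.ini limit:", parse_max_input_vars("; sample\nmax_input_vars = 20000\n"))
```

The limit is applied by PHP to $_GET, $_POST and $_COOKIE separately, so the script looks at a single request body. Pasting the body of a failing request (captured from the browser's developer tools) into diagnose() tells you whether the truncation explanation applies before you consider touching the anti_csrf tweak.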
Conclusion
Increasing the max_input_vars directive is a dangerous change. If you raise this directive to 20000 or more, we recommend that you roll the change back in the future.
Extra links
- Cross-Site Request Forgery (CSRF)
- PHP Denial of Service Attack Revisited
- Efficient Denial of Service Attacks on Web Application Platforms
Hint
If you have a problem, need assistance with tweaks or a free consultation, want to discuss your project with experts and estimate the outcome, or are looking for a solution that reinforces your online business, we will help. Let us know through your Scalesta account or by email.