Cross-Site Request Forgery (CSRF) Prevention

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
10 years ago
V3.0 seems to be open to such threats?

https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet
10 years ago
No, all important pages are secured. Search solution for "Html.AntiForgeryToken()". More info: http://blog.stevensanderson.com/2008/09/01/prevent-cross-site-request-forgery-csrf-using-aspnet-mvcs-antiforgerytoken-helper/
10 years ago
OK thanks, but what defines whether or not it's necessary? Surely all forms should be protected? "product-details-form" in ProductTemplate.SingleVariant.cshtml for example isn't?
9 years ago
I disagree with the stance that NOP is being secured sufficiently. CSRF protection should be used everywhere a POST is made, including the admin pages. Having received many security audits over the years from different pentest companies for commercial software I work on (used by sensitive clients including gov and banking), I am about to tackle my version of NOP.

It is simple to do and will need to be applied to all of the actions and jQuery code. This would be picked up in seconds in an audit.

I'll post some examples when I get around to it.
9 years ago
If you like, you can add anti-forgery tokens to all POST requests automatically.

http://onallthingsweb.wordpress.com/2014/02/04/adding-asp-net-mvc-anti-forgery-tokens-to-all-post-requests-easily/
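One way to enforce the "every POST, including jQuery calls" approach discussed in this thread is a global authorization filter in ASP.NET MVC 5. This is an added example, not nopCommerce code; the filter class name `ValidateAntiForgeryTokenOnAllPostsAttribute` is hypothetical, and it assumes `@Html.AntiForgeryToken()` is rendered on every page so that the token cookie and hidden field exist.

```csharp
using System;
using System.Web;
using System.Web.Helpers;
using System.Web.Mvc;

// Hypothetical filter (added example): validates the anti-forgery token on
// every POST request, whether the token arrives as the hidden form field that
// Html.AntiForgeryToken() renders or as a request header sent by AJAX code.
public sealed class ValidateAntiForgeryTokenOnAllPostsAttribute : FilterAttribute, IAuthorizationFilter
{
    // Same name as the hidden input rendered by Html.AntiForgeryToken(),
    // reused as the header name for AJAX posts.
    public const string TokenName = "__RequestVerificationToken";

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null) throw new ArgumentNullException("filterContext");

        HttpRequestBase request = filterContext.HttpContext.Request;

        // GET/HEAD/OPTIONS must not change state, so only POSTs are checked.
        if (!string.Equals(request.HttpMethod, "POST", StringComparison.OrdinalIgnoreCase))
            return;

        // Prefer the form field; fall back to the header for jQuery/AJAX posts.
        string formToken = request.Form[TokenName] ?? request.Headers[TokenName];

        // The matching half of the token pair lives in the anti-forgery cookie.
        HttpCookie cookie = request.Cookies[AntiForgeryConfig.CookieName];
        string cookieToken = cookie != null ? cookie.Value : null;

        // Throws HttpAntiForgeryException (-> HTTP 500 unless handled) when either
        // half is missing, the pair does not match, or the identity differs.
        AntiForgery.Validate(cookieToken, formToken);
    }
}

// Registered once in App_Start/FilterConfig.cs, so no action can be missed.
public static class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new ValidateAntiForgeryTokenOnAllPostsAttribute());
    }
}
```

On the client side, read the value of the hidden `__RequestVerificationToken` input and send it in a header of the same name from `$.ajaxSetup({ beforeSend: ... })`, so existing jQuery posts need no per-call changes.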