Access Denied Error: Possible CSRF Attack¶
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker’s choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.
Impact¶
In the CS-Cart im nost cases the issue with CSRF-attack appears because of the value max_input_vars
PHP directive on your server are. In this case server truncates the request and if the security_hash parameter gets truncated, the error message appears.
Solution¶
This is very bad way, but you can disable tweak anti_csrf
at the config.local.php
file. It will look like on this screenshot
Accident risk¶
max_input_vars
directive help to web application truncate the request. If the attacker, for example, will try to send significant requests to your web-application (CS-Cart) it can crash/error or take down your webserver (DoS attack).
By default, this directive is set to 10000 in PHP, which means that you cannot send more than ten thousand form fields in one request.
By design, a lot of CMS trim big queries to the smaller ones and make several synchronous requests for transferring the data. CS-Cart instead of this trying to make one big request. And this is the root cause of this error message.
Conclusion¶
As a conclusion, I want to say that increasing the max_input_vars
directive is a dangerous modification. And if you do changes for this directive to 20000 or more, we recommend roll back them in the future.
Extra links¶
- Cross-Site Request Forgery(CSRF)
- PHP Denial of Service Attack REvisited
- Efficient Denial of Service Attacks on Web Application Platforms