Security Concerns

  • Posts: 8
  • Thank you received: 2
  • Hikashop Business
2 years 11 months ago #337545

-- HikaShop version -- : 4.4.4
-- Joomla version -- : 3.10.3
-- PHP version -- : 7.4

We run a security report about our website and there are some issues that i dont know if i should be concerned about or not.

there are a lot of notification about
Cookie No HttpOnly Flag for hikashop_cart_session_id and hikashop_cart_id.

Both of theme are shown with the following notification
A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible

Also there is a notification for Absence of Anti-CSRF Tokens on addressed such us
<form action="/menuitem/product/updatecart" method="post" name="hikashop_product_form" onsubmit="return hikashop_product_form_check();"
enctype="multipart/form-data">


Should i be concerned?

Please Log in or Create an account to join the conversation.

  • Posts: 82863
  • Thank you received: 13372
  • MODERATOR
2 years 11 months ago #337549

Hi,

No worries.
Even if javascript can access or even modify these cookies, they won't be able to do anything with them.
Their role is to store the cart id of the current user with his old session id in case his session changes (because it times out) so that the user can still see his cart on your website.
First, you can't overtake the cart if it's linked to a user account.
And second, for guests, even if the attacker would be able to overtake the cart of someone else it would just be able to see what products were in the cart. So it's not a security concern as he won't be able to overtake the would session with that, which could be problematic.
Finally, the HttpOnly flag is almost useless as it can be circumvented and attackers usually use other; more effective, methods: portswigger.net/research/web-storage-the...sion-tokens#httponly

Similarly, not having a CSRF token for the add to cart process is not a problem. It would only allow an attacker to force a product of your website to the cart of your users. Adding such a token would even be a problem as it would prevent some easy customization with just the add to cart link of the products that many merchants rely on in their shop.

The following user(s) said Thank You: epafos

Please Log in or Create an account to join the conversation.

Time to create page: 0.055 seconds
Powered by Kunena Forum