Re: Vuln in Verisign PayFlow Link payment service

From: Keith Royster (keithat_private)
Date: Sat Jan 05 2002 - 08:40:03 PST


    Most, if not all, of the info you are checking against (http_referer, IP,
    etc) can be spoofed.  I know I could use a local proxy like Proxomitron
    (www.proxomitron.org) to do a search-n-replace on my http_referrer.  The IP
    address would be more difficult, but still doable.
    
    ----- Original Message -----
    From: "Megan McRee" <meganmcat_private>
    To: <vuln-devat_private>
    Cc: <pdoruat_private>
    Sent: Saturday, January 05, 2002 3:51 AM
    Subject: Re: Vuln in Verisign PayFlow Link payment service
    
    
    > How about not submitting the credit card from the site...let PayFlow Link
    > order form gather that information. Set the Pay Flow Link to "Return Post"
    > and in the scripts from which the order is placed do some http_referer
    > checking (along with logging the IP and domain and sending the admin
    > notification)
    >
    >
    > ----- Original Message -----
    > From: Doru Petrescu <pdoruat_private>
    > To: <vuln-devat_private>
    > Sent: Friday, January 04, 2002 12:38 PM
    > Subject: Re: Vuln in Verisign PayFlow Link payment service
    >
    >
    > >
    > >
    > > > Perhaps a fix for VeriSign would be to passback a secret code (configurable
    > > > through the PayFlow Link admin panel) that does not originate from a cart
    > > > input value, but is stored and sent from PayFlow. Then a simple 'if'
    > > > statement in the cart software could weed out the bad along with an e-mail
    > > > sent to the admin. That would surely slow someone down if they have to guess
    > > > the secret code's input value.
    > >
    > >
    > > THIS IS WRONG!!!
    > >
    > > the "secret code" can be hijacked as well if you can afford to make a
    > > valid payment FIRST. That will require a valid credit card, something that I
    > > don't have, so will reduce a little the number of people that can attempt
    > > cracking.
    > >
    > > The SAFE WAY is to have a SECRET PASSPHRASE shared between you and
    > > VeriSign and use it to ENCODE THE DATA or at least to SIGN THEM.
    > >
    > > You can use a symmetric encoding scheme or generate an MD5 signature that
    > > can be used to verify that the response came from VeriSign and not someone
    > > else. Also some random data needs to be inserted (like the current
    > > timestamp concatenated with a random 10 digit number) to shield from "replay"
    > > attacks that reuse the same signature.
    > >
    > > YES this will require some basic crypto functions to be included in the
    > > libs they supply, but since this is pure math it is system independent, so
    > > it should not introduce any problems.
    > >
    > >
    > > just my 2c ...
    > >
    > > A HAPPY NEW YEAR TO ALL OF YOU,
    > > ------
    > > Doru Petrescu
    > > KappaNet - Senior Software Engineer
    > > E-mail: pdoruat_private LINUX - the choice of the GNU generation
    > >
    > >
    > >
    >
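The scheme Doru describes (a shared secret used to sign the gateway's return post, plus a timestamp and nonce against replay) and Keith's point that referer and IP checks prove nothing, shown as an added example; this is not PayFlow Link's code nor anything posted in the thread. It assumes a hypothetical callback whose fields RESULT, AMOUNT, ORDERID, TS and NONCE are signed with HMAC-SHA256 over a shared passphrase (the thread suggests a plain MD5 signature; HMAC is the modern construction for the same idea). The merchant side accepts a post only if the signature matches, the timestamp is fresh, and the nonce has not been seen before; the referer header plays no part.

```python
"""Verifying a payment gateway's "return post" with a shared secret.

Added example, not PayFlow Link code. Field names, the HMAC-SHA256
construction and the sample bodies are assumptions for illustration.
"""
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode

# Fields covered by the signature, in a fixed order so both sides hash the same bytes.
SIGNED_FIELDS = ("RESULT", "AMOUNT", "ORDERID", "TS", "NONCE")
MAX_SKEW_SECONDS = 300  # how old a post may be before it is treated as a replay


def canonical_string(fields):
    """Deterministic serialisation of the signed fields."""
    return "&".join(f"{k}={fields[k]}" for k in SIGNED_FIELDS)


def sign(fields, secret):
    """HMAC-SHA256 over the canonical string, keyed with the shared passphrase."""
    return hmac.new(secret.encode(), canonical_string(fields).encode(),
                    hashlib.sha256).hexdigest()


def gateway_post_body(secret, result, amount, orderid, now=None):
    """What the gateway side would send: result fields, timestamp, nonce, signature.

    Constructed stand-in for the real gateway so the example runs offline.
    """
    fields = {
        "RESULT": result,
        "AMOUNT": amount,
        "ORDERID": orderid,
        "TS": str(int(now if now is not None else time.time())),
        "NONCE": secrets.token_hex(8),  # random per-post value against replay
    }
    fields["SIG"] = sign(fields, secret)
    return urlencode(fields)


class CallbackVerifier:
    """Merchant-side check of an incoming return post."""

    def __init__(self, secret, now=time.time):
        self.secret = secret
        self.now = now
        self.seen_nonces = set()  # in production: persistent store with expiry

    def verify(self, body):
        """Return (accepted, reason). Referer/IP are deliberately not consulted."""
        params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
        missing = [f for f in SIGNED_FIELDS + ("SIG",) if f not in params]
        if missing:
            return False, "missing fields: " + ",".join(missing)
        # Constant-time comparison so timing does not leak the expected value.
        expected = sign(params, self.secret)
        if not hmac.compare_digest(expected, params["SIG"]):
            return False, "bad signature"
        try:
            ts = int(params["TS"])
        except ValueError:
            return False, "bad timestamp"
        if abs(self.now() - ts) > MAX_SKEW_SECONDS:
            return False, "stale timestamp"
        # Only after the signature passes do we spend a nonce-table entry.
        if params["NONCE"] in self.seen_nonces:
            return False, "replayed nonce"
        self.seen_nonces.add(params["NONCE"])
        return True, "ok"


if __name__ == "__main__":
    secret = "shared-passphrase-example"  # constructed value
    v = CallbackVerifier(secret)
    body = gateway_post_body(secret, "0", "19.99", "ORDER-1")
    print(v.verify(body))            # accepted
    print(v.verify(body))            # same post again: replayed nonce
    print(v.verify(body.replace("AMOUNT=19.99", "AMOUNT=0.01")))  # tampered: bad signature
```

Note that a forged post carrying a correct-looking referer and source address still fails at the signature step, which is the property Keith's message says the referer check cannot give you; the nonce set is what stops the "reuse a signature from one real payment" replay Doru describes.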
    



    This archive was generated by hypermail 2b30 : Sat Jan 05 2002 - 09:01:37 PST