1. The payment vulnerability exists on the following site: Good Children Group online flagship store, http://www.haohaizi.com/
2. Buy a pair of shorts for the children in the disaster area; I am a caring person too!
3. Capture the request and look at the submitted data:
4. It is easy to see from the POST data that although the server looks the price up by the goodsIds parameter, the quantity comes from the client's counts parameter. Can counts be tampered with? Change it to -1 and click forward to submit: act=addCartGoods&goodsIds=1448279&counts=1&bigorsmils=25
5. Check the returned result. The amount is actually negative. Now what?
6. Add two more items of clothing. The total comes to only 9 yuan.
7. Click "Checkout" and view the order details: with the 18 yuan express delivery fee, you only need to pay 27 yuan!
8. Choose online bank payment. The payment amount is still 27 yuan! The test is over. Is there a prize?
Solution:
1. Information such as the amount should not be carried in the page, since anything there can be tampered with at any time. This information already lives in the database: either pass a fixed field that the server maps to the amount, or look the amount up directly by the unique product identifier. The same applies to the quantity: the counts parameter must be validated server-side as a positive integer, otherwise a negative quantity turns into a discount.
2. Signature verification is the most important part. Generate a verification string over the purchased item, quantity, amount (or its substitute field) and order ID, and regenerate and check it at every step of the data flow. The bank's or third-party payment platform's interface verifies the signature on the merchant's order data. Here, no signature check was performed when the order page jumped to the payment step, so the amount could be tampered with on the way; this is the interface problem that was confirmed.
4. Verify the signature before payment, and verify again after payment. Every bank returns some information (such as the amount paid) to the merchant after the payment completes; use that returned information to decide whether the order was paid in full.
5. And nothing is more reliable than SSL! (It protects the data in transit, but not against users editing their own requests, so it complements the checks above rather than replacing them.)
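As an added example (not code from the report or from haohaizi.com), here is a minimal Python model of the flaw and of solutions 1, 2 and 4 above: the vulnerable addCartGoods calculation that multiplies a server-side price by an unchecked client-side counts, beside a hardened handler that validates counts, computes the amount only from the catalogue, signs the order with an HMAC over item, quantity, amount and order ID, and re-verifies the gateway's post-payment return. The product id 1448279 and the 18 yuan shipping fee come from the report; the second product id, both prices (chosen so the totals reproduce the 9 and 27 yuan in the report), the quantity cap, the shared key and the notify format are all assumptions.

```python
import hashlib
import hmac
from decimal import Decimal

# Constructed catalogue. goodsIds 1448279 is the product id from the report; the
# second id and both prices are assumed, chosen so the totals reproduce the 9 yuan
# subtotal and 27 yuan payment the report describes.
CATALOGUE = {
    "1448279": Decimal("19.00"),   # the shorts (price assumed)
    "1448280": Decimal("14.00"),   # "two more clothes" (id and price assumed)
}
SHIPPING_FEE = Decimal("18.00")    # express delivery fee quoted in the report
MAX_COUNTS = 99                    # assumed upper bound on quantity per line
MERCHANT_KEY = b"assumed-shared-secret"  # assumed secret shared with the payment gateway


def vulnerable_subtotal(items):
    """Before: the price is looked up by goodsIds on the server, but the client's
    counts value is multiplied in unchecked, so counts=-1 subtracts a line."""
    return sum(CATALOGUE[goods_id] * Decimal(counts) for goods_id, counts in items)


class CartError(ValueError):
    """Raised for a goodsIds/counts pair the server must refuse."""


def parse_counts(raw):
    """Accept only an ASCII positive integer within range; '-1', '0', '', '1e2' are refused."""
    if not (isinstance(raw, str) and raw.isascii() and raw.isdigit()):
        raise CartError(f"counts must be a positive integer, got {raw!r}")
    counts = int(raw)
    if not 1 <= counts <= MAX_COUNTS:
        raise CartError(f"counts out of range: {counts}")
    return counts


def add_cart_goods(cart, goods_id, raw_counts):
    """After: act=addCartGoods handler that validates both parameters and stores only
    the quantity; the price is never taken from the request."""
    if goods_id not in CATALOGUE:
        raise CartError(f"unknown goodsIds {goods_id!r}")
    counts = parse_counts(raw_counts)
    cart[goods_id] = cart.get(goods_id, 0) + counts
    return cart


def order_amount(cart):
    """Server-side amount: prices from the catalogue, quantities from the validated cart."""
    subtotal = sum(CATALOGUE[goods_id] * counts for goods_id, counts in cart.items())
    return subtotal + SHIPPING_FEE


def sign_order(order_id, cart, amount, key=MERCHANT_KEY):
    """HMAC over item ids, quantities, amount and order id; regenerated and checked at
    each hop (cart -> checkout -> payment), so a changed amount no longer matches."""
    lines = ";".join(f"{goods_id}:{counts}" for goods_id, counts in sorted(cart.items()))
    message = f"{order_id}|{lines}|{amount:.2f}".encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_order(order_id, cart, amount, signature, key=MERCHANT_KEY):
    return hmac.compare_digest(sign_order(order_id, cart, amount, key), signature)


def notify_mac(order_id, paid_amount, key=MERCHANT_KEY):
    """Signature on the gateway's post-payment return (format assumed: order id and paid amount)."""
    message = f"{order_id}|{Decimal(paid_amount):.2f}".encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def payment_completed(stored_order, notify, key=MERCHANT_KEY):
    """Re-verification after payment: mark the order paid only when the return is
    authentic, refers to this order, and the paid amount equals the server-side amount."""
    expected = notify_mac(notify["order_id"], notify["paid_amount"], key)
    if not hmac.compare_digest(expected, notify["sign"]):
        return False
    return (notify["order_id"] == stored_order["order_id"]
            and Decimal(notify["paid_amount"]) == stored_order["amount"])


if __name__ == "__main__":
    # Reproduce the report: counts=-1 on the shorts, then two of the other item.
    print("vulnerable subtotal:", vulnerable_subtotal([("1448279", "-1"), ("1448280", "2")]))
    cart = add_cart_goods({}, "1448279", "1")
    add_cart_goods(cart, "1448280", "2")
    amount = order_amount(cart)
    sig = sign_order("ORDER-1", cart, amount)
    print("hardened amount:", amount, "signature ok:", verify_order("ORDER-1", cart, amount, sig))
    print("tampered amount accepted:", verify_order("ORDER-1", cart, Decimal("27.00"), sig))
```

The signature is computed from the server's own cart and amount, never from values echoed back by the client, so the check at the payment step fails the moment the amount in the request differs from what was signed; the post-payment check closes the remaining gap by comparing what the gateway says was paid with what the server expected.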