Payment Vulnerability Summary / Security Analysis of the Online Payment Process

Source: Internet
Author: User
Preface

Payment vulnerabilities are usually understood as price tampering, and the existing summaries of payment vulnerabilities are experience-based classifications of individual cases; they do not reach the level of an in-depth analysis of the online payment process. This article attempts to analyze the online payment process and the integration model of the online payment vendor, and, through an in-depth look at the business flow, the security problems across the whole online transaction process.

Alipay / Online payment process

Alipay instant-to-account interface: development process

Functionally, online payment goes through Alipay's payment channel: the payer transfers funds directly to a payee who has an Alipay account. The whole process is described below (taken from the Alipay documentation).

(1) Construct the request data
The merchant, following the interface rules provided by Alipay, programmatically generates the signature and the data set to be transmitted to Alipay.
(2) Send the request data
The constructed data set is sent to Alipay through a page-link redirect or a form submission.
(3) Alipay processes the request data
When Alipay receives the data set, it first performs security verification and a series of other checks, and processes the request once they have passed.
(4) Return the processing result data
For completed transactions, Alipay feeds the data back to the merchant website in two ways:
- The user's current page automatically redirects back to the page path the merchant set in the request (parameter return_url; if the merchant did not set it, nothing is done).
- Alipay's server actively sends a notification, calling the page path the merchant set in the request (parameter notify_url; if the merchant did not set it, nothing is done).
(5) Process the returned result data
The merchant obtains the result data returned by Alipay on the synchronous notification page (the page specified by return_url) or the server asynchronous notification page (the page specified by notify_url), and can process it together with the site's own business logic (for example, updating the order or automatically topping up the member's account).
Business Thinking

This process shows that the application has two important things to do. One is to assemble the payment request and return it to the user's browser; the browser then requests the Alipay interface and enters the payment process, and every stage of the payment itself is an interaction with the Alipay side. When payment completes, Alipay sends a payment-success notification to the application through the notification interface. The other is to use the information from Alipay to determine whether the payment succeeded.

Risk Analysis

Start with step two, sending the request data. This step happens in the user's browser. However, the payment interface requires a signature to guarantee integrity, so the data cannot be tampered with here as long as the signing key has not leaked. The payment vulnerabilities usually seen are therefore defects in step one, where the application constructs the request data.

For the transaction function, the application needs only the product ID and the quantity from the user to assemble all the data required for the payment. The main problems at this stage are:

1. The total order amount is taken from the client and placed in the constructed transaction request.
2. Only the product ID and quantity are passed, but the quantity is not restricted by a whitelist, so a negative or very large value can cause a calculation overflow and a wrong final order amount.
3. Besides the product ID and quantity, other parameters that enter the order-amount calculation, such as freight, are taken from the client.
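The three problems above all come from trusting client-supplied numbers. The sketch below is an added example, not code from the article or from Alipay: it builds the order amount on the server from the product ID and a range-checked quantity only. The catalogue, `MAX_QUANTITY`, `OrderRejected`, `parse_quantity` and `build_order` are hypothetical names and constructed values.

```python
from decimal import Decimal

# Constructed catalogue: price and freight live on the server, keyed by product ID.
CATALOG = {
    "sku-1001": {"price": Decimal("199.00"), "freight": Decimal("8.00")},
    "sku-2002": {"price": Decimal("0.50"), "freight": Decimal("0.00")},
}
MAX_QUANTITY = 99  # assumed business limit for one order line


class OrderRejected(ValueError):
    """Raised when client input cannot be turned into a valid order."""


def parse_quantity(raw):
    """Accept only a plain decimal integer within 1..MAX_QUANTITY."""
    text = str(raw).strip()
    # isdigit() rejects "-1", "2.5", "1e9" and ""; isascii() rejects Unicode digits.
    if not (text.isascii() and text.isdigit()):
        raise OrderRejected("quantity must be a positive integer")
    # Bound the length before int() so oversized inputs never reach arithmetic.
    if len(text) > len(str(MAX_QUANTITY)):
        raise OrderRejected("quantity out of range")
    quantity = int(text)
    if not 1 <= quantity <= MAX_QUANTITY:
        raise OrderRejected("quantity out of range")
    return quantity


def build_order(client_params):
    """Compute total_fee from server-side data; client amounts are never read."""
    product_id = client_params.get("product_id")
    product = CATALOG.get(product_id)
    if product is None:
        raise OrderRejected("unknown product")
    quantity = parse_quantity(client_params.get("quantity"))
    # Problems 1 and 3: any 'total_fee' or 'freight' sent by the client is ignored.
    total = product["price"] * quantity + product["freight"]
    return {"product_id": product_id, "quantity": quantity,
            "total_fee": f"{total:.2f}"}
```

The resulting `total_fee` is what the merchant would then place in the signed request data of step one.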

Steps three and four are handled by Alipay, so there is no problem there. In step five, Alipay notifies the application that the user's payment succeeded. Alipay provides notify_id so that the application can verify that a notification is valid, but it is rarely used, because the notification data is also signed: it is enough for the application to verify the signature of the Alipay notification. This verification, however, is under the application's own control, unlike step two, where the signature verification is controlled by Alipay. So if the application does not verify the signature of the Alipay notification, a notification can be forged to trick the application into treating the payment as successful. Fewer cases of this type are seen; one is "How I bought a Tesla for 1 dollar". This type of problem should actually be more common; perhaps this logic simply does not get enough attention in testing.

So, from the analysis of the whole online payment process, payment vulnerabilities arise at two points: the stage of constructing the payment request, and the stage of processing the returned result data, where a missing signature check leaves room for forged requests and replay attacks. What is analyzed here is a typical payment process; more complex transaction designs, such as allowing orders to be modified, introduce further security issues as functionality is added.

Safe Design

Take only the product ID and quantity from the client, and limit the quantity range. On the interface that receives Alipay notifications, verify the signature of the notification, compare the payment amount with the order amount, and verify the payment order number to prevent replay attacks. A payment process designed with these issues in mind will be more secure.

Verification methods provided by Alipay

- notify_id
- total_fee
- sign
- order_no (anti-replay)

Reference

WooYun Drops
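The notification checks listed under Safe Design (signature, amount, order number), as an added example that is not code from the article or from Alipay. The signature here is a stand-in (HMAC-SHA256 over the sorted parameters), not Alipay's actual algorithm; the key, the order store and the function names are constructed, and only the field names `notify_id`, `total_fee`, `sign` and `order_no` come from the list above.

```python
import hashlib
import hmac
from decimal import Decimal, InvalidOperation

SIGNING_KEY = b"constructed-demo-key"  # constructed; a real key stays server-side
# Constructed order store: what the merchant itself recorded when the order was built.
ORDERS = {"A1001": {"total_fee": Decimal("406.00"), "paid": False}}


def sign(params):
    """Stand-in signature: HMAC-SHA256 over sorted key=value pairs, without 'sign'."""
    payload = "&".join(f"{k}={v}" for k, v in sorted(params.items()) if k != "sign")
    return hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()


def handle_notification(params):
    """Return (accepted, reason) for one payment-success notification."""
    # 1. Signature first: nothing in an unsigned notification can be trusted.
    supplied = str(params.get("sign", "")).encode()
    if not hmac.compare_digest(supplied, sign(params).encode()):
        return False, "bad signature"
    # 2. The order must be one this merchant actually created.
    order = ORDERS.get(params.get("order_no"))
    if order is None:
        return False, "unknown order"
    # 3. The paid amount must equal the amount stored for that order.
    try:
        amount_ok = Decimal(str(params.get("total_fee", ""))) == order["total_fee"]
    except InvalidOperation:
        amount_ok = False
    if not amount_ok:
        return False, "amount mismatch"
    # 4. Anti-replay: a given order number is credited only once.
    if order["paid"]:
        return False, "replayed notification"
    order["paid"] = True
    return True, "ok"
```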

Original address: http://xdxd.love/2015/12/02/%E6%94%AF%E4%BB%98%E6%BC%8F%E6%B4%9E%E6%80%BB%E7%BB%93/
