7th Jan 2002 [SBWID-4971]
COMMAND
Verisign web cart based systems may be fooled on payment
SYSTEMS AFFECTED
Verisign PayFlow Link
PROBLEM
keith royster posted:
The final checkout page of various online shopping cart applications
presents the shopper with a form asking for credit card acct#, exp
date, etc. When the shopper submits the form, the data is sent directly
to the vendor's PayFlow Link account at Verisign for validation. If
the credit card information is validated, Verisign authorizes payment
and submits the data back to the vendor's shopping cart application.
When the vendor's shopping app receives this data, it assumes payment
was authorized and finalizes the order for the vendor to fill and ship
it.
EXPLOIT #1:
On the final checkout page, save the HTML to disk (keeping browser open
to maintain session) and edit the ACTION= portion of the form to direct
the data back at the shopping cart instead of to verisign. The exact
URL should match that which verisign would submit a validated order to.
Save the edited HTML, reload in your browser, and submit bogus credit
card info with your order. Since there is no authentication between
Verisign and the shopping application, the shopping app will think that
the card was authorized, and so it will finalize the order.
EXPLOIT #2:
Sign up for a free demo PayFlow Link account at Verisign. While in demo
mode, this account will "validate" almost any credit card info
submitted to it as long as the card# meets basic format, expiration
date hasn't expired, and amount <= $100. This demo account should
be configured to send the confirmation information to the exploitee's
shopping system. Then perform a similar HTML edit of the final checkout
page as above, only this time change the hidden form tag to direct the
payment to the demo PayFlow Link account. Save the HTML, reload in your
browser, and submit bogus credit card info.
SOLUTION
Verisign suggests upgrading to Payflow Pro; you should also be able to
use HTML *and* e-mail receipts.
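Both scenarios in the post rest on the same gap: the shopping cart accepts any "authorized" post that reaches its confirmation URL, with nothing tying that post to the merchant's own gateway account or to an order it actually quoted. The following is an added example (not PayFlow Link code or Verisign's API) of the check a merchant-side confirmation handler can make: a keyed signature over the confirmation fields using a secret shared only with the merchant's gateway account, plus a lookup against the merchant's pending orders so that a confirmation is honoured once, for the quoted amount. The secret, field names (`order_id`, `amount`, `result`, `sig`), signing scheme and order book are all constructed for this example; a real gateway's callback format is whatever its documentation says.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Constructed for this example: a secret shared only between the merchant's
# server and the one gateway account allowed to confirm its orders. The
# PayFlow Link flow described in the post has no equivalent check; this is
# the missing verification, not the product's own API.
MERCHANT_GATEWAY_SECRET = b"merchant-and-gateway-only-secret"

# Constructed merchant-side order book: confirmations are accepted only for
# orders the app created, at the amount it quoted, and only once each.
PENDING_ORDERS = {
    "1001": {"amount": "49.95", "status": "pending"},
}


def canonical_string(fields):
    """Sort the fields, drop the signature itself, and join as k=v&k=v."""
    return "&".join(f"{k}={v}" for k, v in sorted(fields.items()) if k != "sig")


def sign_confirmation(fields, secret):
    """HMAC-SHA256 over the canonical field string (hypothetical scheme)."""
    return hmac.new(secret, canonical_string(fields).encode(), hashlib.sha256).hexdigest()


def build_confirmation(fields, secret):
    """Gateway side: append the signature and URL-encode the confirmation body."""
    signed = dict(fields)
    signed["sig"] = sign_confirmation(fields, secret)
    return urlencode(signed)


def accept_confirmation(raw_body, orders=PENDING_ORDERS, secret=MERCHANT_GATEWAY_SECRET):
    """Merchant side: return 'paid' only for an authentic, matching, first-seen
    confirmation; otherwise return a short reason the caller can log."""
    fields = dict(parse_qsl(raw_body, keep_blank_values=True))
    presented = fields.get("sig", "")
    expected = sign_confirmation(fields, secret)
    if not hmac.compare_digest(presented, expected):
        return "bad-signature"          # edited form post, or another account's key
    order = orders.get(fields.get("order_id"))
    if order is None:
        return "unknown-order"
    if order["status"] != "pending":
        return "already-processed"      # replay of a genuine confirmation
    if fields.get("result") != "approved":
        return "declined"
    if fields.get("amount") != order["amount"]:
        return "amount-mismatch"        # approval for a different charge than quoted
    order["status"] = "paid"
    return "paid"


def demo():
    """Constructed confirmations: genuine, self-submitted, from another account, replayed."""
    base = {"order_id": "1001", "amount": "49.95", "result": "approved"}
    genuine = build_confirmation(base, MERCHANT_GATEWAY_SECRET)
    # First scenario in the post: the 'approved' fields are posted straight to
    # the cart, so no valid signature can be present.
    self_submitted = urlencode(base)
    # Second scenario: an approval issued under a different gateway account,
    # which signs with a key the merchant never shared.
    other_account = build_confirmation(base, b"some-other-accounts-secret")
    return {
        "self_submitted": accept_confirmation(self_submitted),
        "other_account": accept_confirmation(other_account),
        "genuine": accept_confirmation(genuine),
        "replay": accept_confirmation(genuine),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Run as a script, `demo()` reports `bad-signature` for the two forged posts, `paid` for the genuine one and `already-processed` for its replay. The signature binds the confirmation to the merchant's own gateway account, which is what defeats the demo-account variant, and the order lookup is what prevents a confirmation being reused or applied to a different amount; the HTML receipt and e-mail receipt suggested above are useful for after-the-fact reconciliation but do not replace a check at the moment the order is finalized.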