The announcement last week by researchers from Newcastle University about a problem with Visa's contactless cards reminded me to mention again common issues with checkout and payment functions in web and mobile applications.
The Visa fault is that the contactless transaction limit enforced for transactions in the card's home currency is not enforced for transactions denominated in a foreign currency. The paper is being presented this week at the 21st ACM Conference on Computer and Communications Security in Scottsdale, Arizona. While we hope we would not make similar mistakes ourselves, almost every web/mobile checkout/payment system I come across has some sort of problem.
I do not believe I have mentioned it previously, but if you are developing an online payment API, mobile or web payment application, you should read a paper from Microsoft Research issued in 2011. How to Shop for Free Online - Security Analysis of Cashier-as-a-Service Based Web Stores (presented at IEEE Symposium on Security & Privacy 2011 in Oakland, California) describes logic flaws found in several web stores' integrations with third-party cashier services, where the merchant, the shopper's browser and the cashier each hold part of the state of a payment.
Most of these problems are, at root, data validation or authorisation failures, but they are usually labelled "business logic flaws" because they arise from how the checkout workflow is sequenced and which party is trusted for which value, rather than from a single malformed input. My own checklist for reviewing payment application functionality is below:
- Buy at arbitrary price
- Buy at nil price
- Buy without paying
- Buy one item at another item's price
- Pay for one basket at another basket's price
- Update the basket while paying for the original one
- Voucher, gift card and discount enumeration or manipulation
- Repeat order/payment
- Missing "mandatory" steps
- Refund after payment
- Chargeback after payment
- Pay customer instead of seller
- Missing checks/enforcement of data validation/signing
- Enumeration of accounts, customers, payment cards, baskets, orders, email addresses, phone numbers
- Manipulation of out-of-band messages (e.g. emails, SMS, direct messaging)
- Payment confirmation manipulation
- Tax and currency conversion manipulation
- Rate of use and floor limits
- Staff/internal backdoors
- Fraud opportunities
- Test data or test cards present or still accepted
- Third-party hosted content
- Privacy contraventions
- PCI DSS contraventions.
This does not describe every method, but I hope the list is of use to others anyway. Generic attacks (e.g. injection, path traversal, cross-site request forgery, man-in-the-middle, unpatched components) also crop up in ecommerce payment functions, like everywhere else.
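As an added illustration of several of the checklist items above (buy at arbitrary price, pay for one basket at another basket's price, repeat payment, update the basket while paying for the original one, and missing checks of signed data in the payment confirmation), the following example models a simplified cashier-as-a-service flow. It is not code from the post or from the Microsoft Research paper: the Cashier class, the merchant classes, the catalogue prices and the shared HMAC secret are all constructed for this example, and the cashier is assumed to charge whatever amount the shopper's browser posts and then return a signed completion notice to the merchant. The vulnerable merchant marks any order paid on any notice naming it; the hardened one checks the signature, the merchant identifier, the order state, the transaction identifier and the amount against its own frozen record of the order.

```python
"""Checkout business-logic flaws modelled on a hypothetical cashier-as-a-service flow.

Two merchant back-ends handle the same signed payment notice: one trusts the
client-influenced fields, the other validates every field against its own record.
All names, prices and the shared secret are constructed for this example.
"""
import copy
import hashlib
import hmac
import secrets

CATALOGUE = {"headphones": 4999, "cable": 299}  # pence, server-side prices (constructed)


class Cashier:
    """Hypothetical payment provider: charges the amount the shopper's browser posts
    and returns a completion notice signed with a secret shared with the merchant."""

    def __init__(self, secret: bytes):
        self.secret = secret

    def sign(self, notice: dict) -> str:
        msg = "&".join(f"{k}={v}" for k, v in sorted(notice.items()) if k != "sig")
        return hmac.new(self.secret, msg.encode(), hashlib.sha256).hexdigest()

    def charge(self, merchant: str, order_id: str, amount_pence: int) -> dict:
        notice = {"merchant": merchant, "order_id": order_id,
                  "amount": amount_pence, "txn": secrets.token_hex(8)}
        notice["sig"] = self.sign(notice)
        return notice


CASHIER = Cashier(b"shared-secret-for-this-example")  # assumed shared secret


class VulnerableMerchant:
    """Keeps a live reference to the basket and marks an order paid on any notice naming it."""

    def __init__(self, merchant_id: str):
        self.merchant_id = merchant_id
        self.orders = {}

    def checkout(self, basket: dict) -> str:
        order_id = f"ord-{len(self.orders) + 1}"
        total = sum(CATALOGUE[item] * qty for item, qty in basket.items())
        self.orders[order_id] = {"basket": basket, "total": total, "status": "pending"}
        return order_id

    def complete(self, notice: dict) -> bool:
        order = self.orders.get(notice["order_id"])
        if order is None:
            return False
        order["status"] = "paid"  # amount, signature, replay and order state never checked
        return True


class HardenedMerchant(VulnerableMerchant):
    """Same flow, but the notice must match the server-side order record."""

    def __init__(self, merchant_id: str, cashier: Cashier):
        super().__init__(merchant_id)
        self.cashier = cashier
        self.seen_txns = set()

    def checkout(self, basket: dict) -> str:
        return super().checkout(copy.deepcopy(basket))  # freeze the basket at checkout

    def complete(self, notice: dict) -> bool:
        # 1. The notice was produced by the cashier and no signed field was altered.
        expected = self.cashier.sign(notice)
        if not hmac.compare_digest(expected, notice.get("sig", "")):
            return False
        order = self.orders.get(notice["order_id"])
        # 2. It is for this merchant, a known order still awaiting payment, and not a replay.
        if (notice["merchant"] != self.merchant_id or order is None
                or order["status"] != "pending" or notice["txn"] in self.seen_txns):
            return False
        # 3. The cashier charged exactly what this frozen basket costs.
        if notice["amount"] != order["total"]:
            return False
        self.seen_txns.add(notice["txn"])
        order["status"] = "paid"
        return True


def run_attacks(merchant) -> dict:
    """Return which checklist attacks succeed (True) against the given merchant."""
    results = {}
    # Buy at arbitrary price: the browser posts 1p to the cashier instead of the real total.
    oid = merchant.checkout({"headphones": 1})
    results["arbitrary_price"] = merchant.complete(CASHIER.charge(merchant.merchant_id, oid, 1))
    # Pay for one basket at another basket's price: pay the cheap order, re-point its notice.
    cheap = merchant.checkout({"cable": 1})
    dear = merchant.checkout({"headphones": 2})
    notice = CASHIER.charge(merchant.merchant_id, cheap, merchant.orders[cheap]["total"])
    results["basket_swap"] = merchant.complete(dict(notice, order_id=dear))
    # Repeat payment: replay a genuine notice after it has already been accepted.
    oid = merchant.checkout({"cable": 1})
    notice = CASHIER.charge(merchant.merchant_id, oid, merchant.orders[oid]["total"])
    merchant.complete(notice)
    results["replay"] = merchant.complete(notice)
    # Update the basket while paying for the original one: edit the session basket after checkout.
    basket = {"cable": 1}
    oid = merchant.checkout(basket)
    total = merchant.orders[oid]["total"]
    basket["headphones"] = 3
    merchant.complete(CASHIER.charge(merchant.merchant_id, oid, total))
    results["basket_update"] = "headphones" in merchant.orders[oid]["basket"]
    return results


if __name__ == "__main__":
    print("vulnerable:", run_attacks(VulnerableMerchant("shop-1")))
    print("hardened:  ", run_attacks(HardenedMerchant("shop-1", CASHIER)))
```

The signature alone is not enough: it only proves the cashier charged a given amount for a given order identifier, so the merchant must still compare that amount with its own total for that order and refuse notices for orders that are not pending. Real cashier integrations differ in how the notice is delivered and signed, but the checks in step 2 and step 3 are the ones that the checklist items above are probing for.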
Posted on: 04 November 2014 at 20:11 hrs