OP 18 October, 2024 - 06:49 PM
(This post was last modified: 18 October, 2024 - 06:51 PM by oak. Edited 1 time in total.)
Secure Payment Systems: Protecting Online Transactions
A well-designed website implements robust security measures to prevent unauthorized access to private or paid content. Weak security can potentially allow bypassing payment by guessing content URLs. This vulnerability often stems from developers failing to properly validate access to all content.
Even some websites using popular CMS platforms like Joomla and WordPress may have security flaws if set up by inexperienced developers, potentially allowing payment pages to be bypassed.
Payment gateways are specifically designed to secure sensitive user information during transactions. They encrypt critical data like credit card numbers and bank account details. The typical payment flow works as follows:
Customer places order and proceeds to checkout
E-commerce site directs to payment gateway
Customer enters payment information
Gateway sends to issuing bank for authorization
Bank verifies sufficient funds
Merchant notified of approval/denial
If approved, merchant requests transaction from bank
Bank processes payment and notifies customer
How Payment Gateways Secure Information
Transactions occur over HTTPS (secure) connections
Hash functions and signed requests validate transactions
Server IP verification detects malicious activity
Virtual Payer Authentication adds an extra security layer
3-D Secure protocol facilitates buyer/seller authentication
1. Modify HTML hidden element
This method is simpler and used on poorly-secured websites—you just have to manipulate the product amount to buy on the credit card payment page. For this method, check if the item cost is available in the hidden element of the HTML form page of the website. When you select the item to buy, the price is added to the total item amount, taken from the hidden field, and filled into the form. Finally, the total is presented to the buyer. You should have something like:
To bypass credit card payment on this payment page setup, you just change the product price in the hidden form field containing the price.
When you modify the price, the actual price never reflects in the cart, so you buy whatever you want without paying with your credit card.
2. Payment interception with Burp Suite
With Burp Suite software, you can manipulate the item amount you want to buy online with your credit card by changing the price to 0 or whatever you can afford. For this method, the price of the item is usually not in the hidden field in the form, so you can't just modify the HTML and add the item to the cart. To bypass a credit card payment on a website with Burp Suite, you manually turn on the intercept and manipulate the cost in the intercepted packet once you're on the payment gateway. After you edit the item price via the interceptor, forward the packet to bypass the credit card payment on that page.
3. Modify hash to bypass credit card
Many websites have strong security in place to check the vulnerabilities mentioned in the previous section, which you can easily get around with a credit card. More secure websites use a system like hash to protect the payment page. Hashes are a method that checks the messages' integrity sent from the payment page of the e-commerce website to the payment gateway, including the product price for payment. The transaction will only be approved if the hashes being sent before and after match.
a. Figure out the hash parameters and technique
A lot of security vendors consider hashing secure. However, with deeper digging on a specific e-commerce website, you may be able to figure out the system and break in. Just dig into how the hash is formulated. You can start by looking up the publications made by the website developer regarding their hash formulation, as well as other important details, to help you bypass the credit card page. It may take a bit of time to find the documentation containing the parameters used, as well as the hashing technique employed in the system.
b. Find the password
When you figure out the parameters, typically present in the packet you intercept, you're some steps in. One of the parameters is the password used, known only to the admin. To find the password, you can use brute force or use a dictionary attack after putting together the parameters.
c. Break in
With the password, you can then create your hash with a modified item price to buy from the cart without paying. You'd have to be quick about it before the admin changes the password. Getting the password can be tough. In some cases, the developer may merely copy the same password as in the documentation, making the Payment Gateway security vulnerable for you to bypass the credit card payment on the website.
Tips to beat a website payment page security
Some of the tips to help you beat a website's credit card payment:
1. Look up the Payment Gateway documentation
You want to read the payment gateway documentation provided by the developers of the merchant website. In the documentation, you may find the critical information you can work with to bypass the credit card payment on the merchant site such as:
transaction success message
transaction success code
hash parameters and technique
response messages
promo code data
Response code, etc.
If you come across important information such as "transaction success code" and "transaction success message", try replacing them with the fail response via the intercept tab if you use the Burp Suite tool.
NOTE: This will only work if the merchant website is not validating the "CheckSum Hash".
2. Consider changing product quantity
Apart from just changing the product price on the credit card page of the merchant website or at the Payment Gateway, you could change the quantity, which reduces the amount you’re charged for the item. Simply locate the quantity fields or similar in the captured packets in the Burp Suite software and make changes.
For instance:
Now,
If the price is secured on the server-side, you can try manipulating the quantity to pay significantly less.
3. Fuzz other parameters
Other parameters you could try fuzzing include:
wallet amount
promo codes
delivery charges
Just look for any parameter involving money and try to tamper with it—this way, you may bypass the credit card payment on that website and shop for free.
Leaving a like is much appreciated and helps me to keep publishing threads.
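From the merchant's side, the tampering described in the post above (hidden price fields, edited quantities, altered gateway responses) fails when the server prices the order itself and authenticates the gateway callback. The following is an added example, not part of the original post or any real gateway's API; the catalogue, field names and the length-prefixed MAC format are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets
from decimal import Decimal

# Constructed sample data: server-side catalogue and a random merchant key.
CATALOG = {"sku-1001": Decimal("49.99"), "sku-2002": Decimal("5.00")}
GATEWAY_KEY = secrets.token_bytes(32)  # random, never a sample key from docs
MAX_QTY = 100


def order_total(items):
    """Price an order from the server catalogue; client-sent prices are ignored."""
    total = Decimal("0")
    for item in items:
        sku, qty = item.get("sku"), item.get("qty")
        if sku not in CATALOG:
            raise ValueError(f"unknown sku: {sku!r}")
        # bool is a subclass of int, so it is excluded explicitly
        if (not isinstance(qty, int) or isinstance(qty, bool)
                or not 1 <= qty <= MAX_QTY):
            raise ValueError(f"invalid quantity: {qty!r}")
        total += CATALOG[sku] * qty
    return total


def sign(fields, key=GATEWAY_KEY):
    """HMAC-SHA256 over sorted, length-prefixed fields (assumed format)."""
    msg = b"".join(
        f"{len(k)}:{k}{len(str(v))}:{v}".encode()
        for k, v in sorted(fields.items())
    )
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_callback(callback, expected_total, key=GATEWAY_KEY):
    """Accept a callback only if MAC, status and amount all check out."""
    fields = {k: v for k, v in callback.items() if k != "mac"}
    mac = str(callback.get("mac", ""))
    # Constant-time comparison; any edited field or wrong key fails here.
    if not hmac.compare_digest(sign(fields, key).encode(), mac.encode()):
        return False
    # Even a validly signed callback must match the server-computed total.
    return (fields.get("status") == "SUCCESS"
            and Decimal(fields.get("amount", "-1")) == expected_total)
```

Fulfil an order only when `verify_callback` returns `True` for the total that `order_total` produced when the order was created.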