Summary of payment vulnerabilities

Preface

Most people understand payment loopholes simply as price tampering. Existing summaries of payment loopholes are likewise empirical classifications of known cases and have not risen to an in-depth analysis of the online payment process. Here we try to analyze the online payment process and the way online payment vendors are integrated, and to examine in depth, from the business side, the security issues that are likely to arise across the whole online transaction flow.

Alipay/online payment process

Alipay instant payment interface development process
Functionally, online payment goes through Alipay's payment channel: the payer remits money directly to a payee who holds an Alipay account. The whole process, quoted from the Alipay documentation, is explained as follows.


(1) Construct the request data
Following the interface rules provided by Alipay, the merchant generates, by program, the signature result and the data set to be transmitted to Alipay.
(2) Send the request data
The constructed data set is passed to Alipay by a page link redirect or a form submission.
(3) Alipay processes the request data
After Alipay receives the data set, it first performs security checks and other validation; once this series of validations passes, it processes the data request that was sent.
(4) Return the processing result data
For a completed transaction, Alipay feeds the data back to the merchant website in two ways:
The program automatically reconstructs a URL and, by automatic redirect in the user's current page, jumps back to the page path the merchant set in the request (parameter return_url; if the merchant did not set it, this step is not performed).
The Alipay server actively initiates a notification, calling the page path the merchant set in the request (parameter notify_url; if the merchant did not set it, this step is not performed).
(5) Process the returned result data
After the merchant obtains the result data returned by Alipay on the synchronous notification page (the page file specified by return_url) or on the server asynchronous notification page (the page file specified by notify_url), it can process that data in combination with its own website's business logic (for example, updating the order or automatically crediting the member's account).

Business thinking

From this process you can see that there are two important steps on the application side. The first is assembling the payment request and returning it to the user's browser; the user's browser then requests the Alipay interface and enters the payment flow, and the whole payment link from there on interacts with Alipay. After payment is completed, Alipay's notification interface sends a payment-success notification to the application, and the application uses that notification information to decide whether the payment succeeded.

Risk Analysis

First, the second step is sending the request data. Although this step happens on the user's browser side, the payment interface mandates a signature to guarantee integrity, so the data here cannot be tampered with, provided the signing key has not been leaked. Therefore the payment vulnerabilities usually seen lie in the first step: defects in how the application constructs the request data.

For the transaction business function, the application only needs the user to supply the product id and product quantity to have all the data required for payment. The main problems prone to occur here are as follows:

1. The total amount of the order is taken directly from the client and placed into the constructed request transaction data.
2. Although only the product id and quantity are passed, the quantity is not restricted to a permitted range (whitelist), so a negative or very large number can be input, causing calculation overflow and an incorrect final order amount.
3. Besides the product quantity and product id, other parameters involved in calculating the order amount are obtained from the client, such as freight.

The third and fourth steps are handled by Alipay, so there is no problem there. In the fifth step Alipay informs the application that the user's payment succeeded. Here Alipay designed notify_id to verify whether the notification is valid, but it is rarely used, because the data in this step is also signed: it is enough for the application to verify the signature on Alipay's notification. However, this verification is controlled by the application itself, unlike the second step, where signature verification is controlled by Alipay. Therefore, once the application fails to verify the signature of the Alipay notification, the notification can be forged to deceive the application into treating the payment as successful. There are relatively few published cases of this type, for example "how I bought a Tesla for 1 yuan". This class of problem should actually be fairly common; it may simply be that testing of this logic has not received enough attention.

Therefore, analyzing the entire online payment process shows two points prone to payment loopholes: the stage of constructing the payment request, and the stage of processing the returned result data. Without signature verification at the latter, request forgery and replay attacks become possible. The analysis here covers a typical payment process; there are also more complex transaction designs, such as functions that allow modifying orders, and as functions are added, some security issues are introduced with them.

Safe design scheme:

Obtain only the product id and quantity from the client, and limit the quantity to a valid range. The interface that accepts Alipay notifications verifies the signature on the notification information, compares the paid amount with the order amount, and checks the payment order number to avoid replay attacks. As long as these issues are considered, a relatively safe payment process can be designed.
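As an added example (not from the original post or from Alipay's SDK), the safe design above in Python: the order amount is computed server-side from the product id and a range-checked quantity, and the notification handler verifies the signature, compares total_fee with the stored order amount, and rejects a replayed notify_id or an already-paid order_no. The signing scheme (HMAC-SHA256 over sorted key=value pairs with a shared key), the price table and the secret are assumptions for the example, not Alipay's real algorithm or parameters.

```python
import hmac
import hashlib
from decimal import Decimal

# Constructed server-side data for the example; prices never come from the client.
PRICES = {"sku-1": Decimal("19.90"), "sku-2": Decimal("250.00")}
MAX_QTY = 99                                  # permitted quantity range is 1..MAX_QTY
NOTIFY_KEY = b"constructed-shared-secret"     # stand-in for the merchant's signing key
orders = {}                                   # order_no -> {"amount": Decimal, "paid": bool}
seen_notify_ids = set()                       # notify_id values already accepted


def build_order(order_no, product_id, quantity):
    """Step 1: build the order from product id + quantity only; amount is computed here."""
    if product_id not in PRICES:
        raise ValueError("unknown product")
    # Range check blocks negative and oversized quantities (the overflow case in item 2).
    if not isinstance(quantity, int) or not 1 <= quantity <= MAX_QTY:
        raise ValueError("quantity out of range")
    amount = PRICES[product_id] * quantity
    orders[order_no] = {"amount": amount, "paid": False}
    return amount


def sign(params):
    """Assumed scheme (not Alipay's): HMAC-SHA256 over sorted k=v pairs, excluding 'sign'."""
    msg = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "sign")
    return hmac.new(NOTIFY_KEY, msg.encode(), hashlib.sha256).hexdigest()


def handle_notify(params):
    """Step 5: accept a payment notification only when every check passes."""
    if not hmac.compare_digest(sign(params), params.get("sign", "")):
        return "bad signature"                # forged or tampered notification
    if params["notify_id"] in seen_notify_ids:
        return "replayed notify_id"           # same notification delivered again
    order = orders.get(params["order_no"])
    if order is None:
        return "unknown order"
    if order["paid"]:
        return "order already paid"           # replay with a fresh notify_id
    if Decimal(params["total_fee"]) != order["amount"]:
        return "amount mismatch"              # paid less than the order is worth
    seen_notify_ids.add(params["notify_id"])
    order["paid"] = True
    return "ok"
```

The order of checks matters: the signature is verified first so that the later comparisons only ever run on data Alipay actually produced.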

The verification methods provided by Alipay

notify_id
total_fee
sign
order_no (anti-replay)


Origin blog.csdn.net/weixin_45682070/article/details/107324578