Pay vulnerability

How quick pay works: a merchant site learns the result of a payment in two ways: 1. a browser redirect (unreliable); 2. an asynchronous server-to-server notification (the common one).
Payment vulnerabilities are logic flaws. Finding them takes divergent thinking, and they tend to have a multiplying effect.
Common vulnerabilities:
1. Modify the price paid.
2. Modify the payment status / order number (between the create-order packet and the payment packet, change the order number slightly so one product is substituted for another; the server never checks that the order being paid for matches the product name and amount).
3. Modify the order quantity (rare). Fix: take the absolute value of the quantity.
4. Modify associated values such as coupons, points, etc.
 
Unauthorized payment: when the request carries a parameter such as user_id=123, try changing the id, so that your goods are bought with someone else's money.
Unlimited trial: the trial is parameter 2, a normal purchase is parameter 1.
Then buy with parameter 2 (the trial).
 
 
How to find them
Find the key packet: one payment operation may involve three or four packets; pick the ones that matter.
Analyse the packet
A payment packet carries a lot of sensitive fields (account number, amount, balance, coupons, etc.); try to analyse every parameter.
Don't play by the usual script.
Think more about the places the developers did not anticipate.
Tried the PC site? Also look at WAP and the app.
 
Defensive approach
1. The back end validates every value, including the payment status.
2. Check the price and quantity parameters, e.g. the product quantity may only be a positive integer, and cap the purchase quantity.
3. Check the third-party payment platform's result: is the amount actually paid consistent with the order amount?
4. MD5 (hash) or digitally sign the payment parameters and verify them on the server; this effectively prevents data tampering and replay attacks (resending the packet after a successful payment), among other problems.
5. Amounts above a threshold go to manual review.
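As an added example (not code from the original post), this Python sketch shows the defensive checks above on the server side: order creation takes the price from a server-side catalogue and rejects non-positive or oversized quantities, and the asynchronous notification handler verifies a signature, rejects replayed trade numbers, and compares the paid amount with the server-side order total. The catalogue, secret, field names and HMAC-SHA256 (used here in place of the MD5 signing the post mentions) are assumptions for this example.

```python
import hmac
import hashlib
from decimal import Decimal

# Constructed sample data (assumptions for this example, not from the post).
CATALOGUE = {"sku-1": Decimal("99.00")}
MAX_QTY = 10
SECRET = b"placeholder-secret-shared-with-payment-platform"


def create_order(order_id, sku, qty, orders):
    """Build the order from server-side data only: the price comes from the
    catalogue, never from the client, and qty must be a bounded positive int."""
    if sku not in CATALOGUE:
        return "unknown sku"
    if type(qty) is not int or qty < 1 or qty > MAX_QTY:
        return "invalid quantity"
    orders[order_id] = {"sku": sku, "qty": qty,
                        "amount": CATALOGUE[sku] * qty, "status": "unpaid"}
    return "ok"


def sign(params, secret=SECRET):
    """HMAC-SHA256 over the sorted key=value pairs, excluding the sign field."""
    msg = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "sign")
    return hmac.new(secret, msg.encode(), hashlib.sha256).hexdigest()


def handle_notify(params, orders, seen_trade_nos):
    """Server-side handling of the asynchronous payment notification.
    Every check is made against server-side state, not the client's values."""
    if not hmac.compare_digest(params.get("sign", ""), sign(params)):
        return "bad signature"           # tampered parameters
    if params["trade_no"] in seen_trade_nos:
        return "replay"                  # same notification sent again
    order = orders.get(params["order_id"])
    if order is None:
        return "unknown order"
    if order["status"] == "paid":
        return "already paid"
    if params["status"] != "SUCCESS":
        return "not paid"                # never trust a client-side status flag
    if Decimal(params["amount"]) != order["amount"]:
        return "amount mismatch"         # paid amount vs. server-side total
    seen_trade_nos.add(params["trade_no"])
    order["status"] = "paid"
    return "ok"
```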


Origin www.cnblogs.com/pyh123456/p/12356229.html