Announcement

Collapse
No announcement yet.

security question: how can I make sure OnSuccessUrl is called by FaaS service?

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • security question: how can I make sure OnSuccessUrl is called by FaaS service?

    I am thinking about this scenario:

    a hacker opened the donation/purchase form page in our website, from the page source, he grabbed all the necessary data like accountid, accountguid, wid; then instead of hit click, he crafted another form with all the data he wanted and post it to OnSuccessfulUrl.

    I can't check the source ip ( the SERVER["REMOTE_ADDR"] is from the user, not from FaaS server, I haven't figure out how this is down.).


    I think FaaS should provide some verification method ( Maybe you already have one, but I didn't find it in the document; If you do, please point me to the right document, thanks). A simple solution could be using a private key known only by FaaS and account holder, when FaaS post back to service response url, also postback something like:


    a unique ID string ( shouldn't be order number, caused declined/error transaction doesn't have order number. )
    a current timestamp.
    a verification string = md5 ( unique id + timestamp + private key )

  • #2
    Good day!

    I like your idea and one that can definitely be done. We have another solution that is easier for our clients to follow.

    Please follow the steps below:
    1. Login to the administrative portal (https://portal.clickandpledge.com)
    2. Click on Account Info (Top right hand side - list of links)
    3. Click on API Information - sub-menu of Your Profile
    4. Enter the list of all URL's that the form is authorized to post from.


    Any form posted from an unauthorized URL will be declined with ERROR.

    Please test it and let us know if the solution works for you.
    Regards,
    Click & Pledge Support Department

    On Salesforce? Help us by rating our app: Click & Pledge Donor Management on AppExchange

    Join us @ the educational webinars: https://clickandpledge.com/webinars/
    Live Support available Join between 3:00 - 3:30 p.m. ET Monday - Thursday: https://clickandpledge.com/webinars/
    Are you on Salesforce? Join us at the Power of Us Hub: https://powerofus.force.com/0F980000000CjpC

    Comment


    • #3
      Originally posted by Support.Department View Post
      Good day!

      I like your idea and one that can definitely be done. We have another solution that is easier for our clients to follow.

      Please follow the steps below:
      1. Login to the administrative portal (https://portal.clickandpledge.com)
      2. Click on Account Info (Top right hand side - list of links)
      3. Click on API Information - sub-menu of Your Profile
      4. Enter the list of all URL's that the form is authorized to post from.


      Any form posted from an unauthorized URL will be declined with ERROR.

      Please test it and let us know if the solution works for you.

      No, this is different. the "Allowed Urls" is used to let FaaS service to make sure the transaction request is sent from the account holder's form; What I want to do is let the account holder's OnSuccessfulUrl page make sure the Postback data is indeed generated by FaaS service.

      Comment


      • #4
        What if the following scenario:

        1: Allow only a set URL to post the form to us
        2: In your code only accept the post from https://faas.cloud.clickandpledge.com

        The combination of the two is quite easily managed. There is no way for the FaaS platform to authorize any form if it is not coming from your site and by verifying the server posting back to you, there is no way to accept a response from a non-FaaS server to send you a post back.

        In the scenario suggested by you what stops a hacker from first posting to faas and getting the code then posting it back to you?
        Regards,
        Click & Pledge Support Department

        On Salesforce? Help us by rating our app: Click & Pledge Donor Management on AppExchange

        Join us @ the educational webinars: https://clickandpledge.com/webinars/
        Live Support available Join between 3:00 - 3:30 p.m. ET Monday - Thursday: https://clickandpledge.com/webinars/
        Are you on Salesforce? Join us at the Power of Us Hub: https://powerofus.force.com/0F980000000CjpC

        Comment


        • #5
          Originally posted by jackchen View Post
          a unique ID string ( shouldn't be order number, caused declined/error transaction doesn't have order number. )
          a current timestamp.
          a verification string = md5 ( unique id + timestamp + private key )

          On a second thought, just md5 for the unique id is not good enough to make sure hacker didn't temper the data.


          a better solution is :
          a current timestamp.
          a verification string = md5 ( all other post back varible + timestamp + private key )


          think about this situation:
          normal transaction:
          1. visitor's browser access account holder 's form page https://company1/buy.php
          browser got all the varible accountid, account_guid, wid, refid;
          2. visitor click "submit" and data are sent to FaaS url.
          3. FaaS Autherized the transaction, send back data to visitor's browser :
          <form action=https://company1/successurl.php>
          <input name=on type=hidden value=order_number>
          <input name=quantity type=hidden value=1>
          <input name=unitname type=hidden value=giftcard>
          ...
          form.submit
          4. visitor's browser post those data account holder's https://company1/successurl.php page.
          5. successurl see the visitor bought 1 gift, so it send out visitor one giftcard number by email.


          A hacker can fake a transaction like:
          1. hacker use a script to access account holder 's form page https://company1/buy.php
          2. script post data to FaaS url.
          3. FaaS Autherized the transaction, send back data to hacker's script :
          <form action=https://company1/successurl.php>
          <input name=on type=hidden value=order_number>
          <input name=quantity type=hidden value=1>
          <input name=unitname type=hidden value=giftcard>
          ...
          form.submit
          4. the script then parse those postback data, modify quantity to 1000, then post data to account holder's https://company1/successurl.php page.
          5. successurl see the hacker bought 1000 gift, so it send out 1000 giftcard number to hacker by email.

          Comment


          • #6
            I am not sure this can happen. My comments in RED

            Let's go over your steps - as you had them listed.

            A hacker can fake a transaction like:
            1. hacker use a script to access account holder 's form page https://company1/buy.php - [Yes a hacker can do this]
            2. script post data to FaaS url. [Yes - it can do this]
            3. FaaS Autherized the transaction, send back data to hacker's script : [NO- it can't do this if you block the allowed URL- FaaS will NOT post back the data if coming from an unauthorized URL]
            <form action=https://company1/successurl.php>
            <input name=on type=hidden value=order_number>
            <input name=quantity type=hidden value=1>
            <input name=unitname type=hidden value=giftcard>
            ...
            form.submit
            4. the script then parse those postback data, modify quantity to 1000, then post data to account holder's https://company1/successurl.php page. [Yes a hacker can do this]
            5. successurl see the hacker bought 1000 gift, so it send out 1000 giftcard number to hacker by email. [NO - you should only accept postbacks from https://faas.cloud.clickandpledge.com] - by reading the posting URL you can easily block this]

            The combination of the 2 methods will block this attempt easily.

            If you think I am missing your point or misunderstanding the attack signature let me know and I can gladly review the steps. We are always looking for ways to make the system better and will gladly add any feature requested but I just want to make sure I understand the issue and we don't create complexity when it does not add more than what is already available.
            Regards,
            Click & Pledge Support Department

            On Salesforce? Help us by rating our app: Click & Pledge Donor Management on AppExchange

            Join us @ the educational webinars: https://clickandpledge.com/webinars/
            Live Support available Join between 3:00 - 3:30 p.m. ET Monday - Thursday: https://clickandpledge.com/webinars/
            Are you on Salesforce? Join us at the Power of Us Hub: https://powerofus.force.com/0F980000000CjpC

            Comment


            • #7
              We like the idea you are presenting and have added it to the list of features to be added in an upcoming release.

              Here is the idea requested:

              Addition of 2 fields to the API tab in the Portal:
              • Pass phrase
              • Hash Key (option to auto-generate)


              Since the time stamp won't work in the absence of a synchronization device we will do the following:
              • Use the following format: Secure phrase: {Pass phrase}{Order number}{amount}
              • Use the hash key and encrypt the secure phrase
              • Post back the secure phrase


              Since you know your "Pass phrase" and the order number and amount are also posted back to you, the hash key generated by you and our post back may be compared.

              Of course we don't expect many people to use this feature since most won't know how to encrypt or use hash keys. This will be an extra layer of security and a redundant double check.

              The feature I explained to you will work easily and combining it with this will add an extra layer as stated earlier.

              What do you think about this implementation?
              Regards,
              Click & Pledge Support Department

              On Salesforce? Help us by rating our app: Click & Pledge Donor Management on AppExchange

              Join us @ the educational webinars: https://clickandpledge.com/webinars/
              Live Support available Join between 3:00 - 3:30 p.m. ET Monday - Thursday: https://clickandpledge.com/webinars/
              Are you on Salesforce? Join us at the Power of Us Hub: https://powerofus.force.com/0F980000000CjpC

              Comment


              • #8
                Originally posted by Support.Department View Post
                We like the idea you are presenting and have added it to the list of features to be added in an upcoming release.

                Here is the idea requested:

                Addition of 2 fields to the API tab in the Portal:
                • Pass phrase
                • Hash Key (option to auto-generate)


                Since the time stamp won't work in the absence of a synchronization device we will do the following:
                • Use the following format: Secure phrase: {Pass phrase}{Order number}{amount}
                • Use the hash key and encrypt the secure phrase
                • Post back the secure phrase


                Since you know your "Pass phrase" and the order number and amount are also posted back to you, the hash key generated by you and our post back may be compared.

                Of course we don't expect many people to use this feature since most won't know how to encrypt or use hash keys. This will be an extra layer of security and a redundant double check.

                The feature I explained to you will work easily and combining it with this will add an extra layer as stated earlier.

                What do you think about this implementation?
                Yes, this implementation should work for us, thanks!

                Comment


                • #9
                  Jack,

                  We just had a release (actually last week) that added this feature to the system.

                  See the FaaS Security in the manual:


                  Using this method you may now set up a secret key and match the hash code.

                  Here is a sample php code:

                  PHP Code:
                  <?php
                  function hashcode($post)
                  {    
                  $string=$post['string'];    
                  $encodeutf8_encode($string);    
                  $sha1_hash=sha1($encode);    
                  return 
                  $sha1_hash;
                  }
                  ?>
                  & in .NET

                  Code:
                  public static string ComputeHash(string Text4Hash)
                      {
                          byte[] Text4HashBytes = Encoding.UTF8.GetBytes(Text4Hash);
                  
                          // Initialize appropriate hashing algorithm class.
                          HashAlgorithm hash = new SHA1Managed();
                  
                          byte[] hashData = hash.ComputeHash(Text4HashBytes);
                  
                          //create new instance of StringBuilder to save hashed data
                          StringBuilder returnValue = new StringBuilder();
                  
                          //loop for each byte and add it to StringBuilder
                          for (int i = 0; i < hashData.Length; i++)
                              returnValue.Append(hashData[i].ToString("x"));
                  
                          return Convert.ToBase64String(Encoding.UTF8.GetBytes(returnValue.ToString()));
                      }
                  Please review it and let us know if it works for you. We would like to know how it works for you so we can publish the scenario as examples.

                  Looking forward to hearing back from you.
                  Regards,
                  Click & Pledge Support Department

                  On Salesforce? Help us by rating our app: Click & Pledge Donor Management on AppExchange

                  Join us @ the educational webinars: https://clickandpledge.com/webinars/
                  Live Support available Join between 3:00 - 3:30 p.m. ET Monday - Thursday: https://clickandpledge.com/webinars/
                  Are you on Salesforce? Join us at the Power of Us Hub: https://powerofus.force.com/0F980000000CjpC

                  Comment

                  Working...
                  X