
security question: how can I make sure OnSuccessUrl is called by FaaS service?


  • #1

    I am thinking about this scenario:

    A hacker opens the donation/purchase form page on our website; from the page source, he grabs all the necessary data like accountid, accountguid, wid; then, instead of clicking the button, he crafts another form with all the data he wants and posts it to OnSuccessfulUrl.

    I can't check the source IP (the SERVER["REMOTE_ADDR"] is from the user, not from the FaaS server; I haven't figured out how this is done).


    I think FaaS should provide some verification method (maybe you already have one, but I didn't find it in the documentation; if you do, please point me to the right document, thanks). A simple solution could be using a private key known only to FaaS and the account holder; when FaaS posts back to the service response URL, it would also post back something like:


    a unique ID string (shouldn't be the order number, because a declined/error transaction doesn't have an order number)
    a current timestamp
    a verification string = md5 ( unique id + timestamp + private key )

  • #2
    Good day!

    I like your idea and one that can definitely be done. We have another solution that is easier for our clients to follow.

    Please follow the steps below:
    1. Login to the administrative portal (https://portal.clickandpledge.com)
    2. Click on Account Info (Top right hand side - list of links)
    3. Click on API Information - sub-menu of Your Profile
    4. Enter the list of all URLs that the form is authorized to post from.


    Any form posted from an unauthorized URL will be declined with ERROR.

    Please test it and let us know if the solution works for you.
    Regards,
    Click & Pledge Support Department

    Join us @ the educational webinars: https://clickandpledge.com/webinars/
    Live Support- read more: https://support.clickandpledge.com/s/article/general-information-live-support/



    • #3
      Originally posted by Support.Department:
      Good day!

      I like your idea and one that can definitely be done. We have another solution that is easier for our clients to follow.

      Please follow the steps below:
      1. Login to the administrative portal (https://portal.clickandpledge.com)
      2. Click on Account Info (Top right hand side - list of links)
      3. Click on API Information - sub-menu of Your Profile
      4. Enter the list of all URLs that the form is authorized to post from.


      Any form posted from an unauthorized URL will be declined with ERROR.

      Please test it and let us know if the solution works for you.

      No, this is different. The "Allowed URLs" list is used to let the FaaS service make sure the transaction request is sent from the account holder's form; what I want to do is let the account holder's OnSuccessfulUrl page make sure the postback data is indeed generated by the FaaS service.



      • #4
        What if the following scenario:

        1: Allow only a set URL to post the form to us
        2: In your code only accept the post from https://faas.cloud.clickandpledge.com

        The combination of the two is quite easily managed. There is no way for the FaaS platform to authorize any form if it is not coming from your site and by verifying the server posting back to you, there is no way to accept a response from a non-FaaS server to send you a post back.

        In the scenario suggested by you what stops a hacker from first posting to faas and getting the code then posting it back to you?
        Regards,
        Click & Pledge Support Department




        • #5
          Originally posted by jackchen:
          a unique ID string (shouldn't be the order number, because a declined/error transaction doesn't have an order number)
          a current timestamp
          a verification string = md5 ( unique id + timestamp + private key )

          On second thought, just an md5 of the unique id is not good enough to make sure a hacker didn't tamper with the data.


          a better solution is :
          a current timestamp.
          a verification string = md5 ( all other post back variables + timestamp + private key )


          Think about this situation:
          Normal transaction:
          1. The visitor's browser accesses the account holder's form page https://company1/buy.php;
          the browser gets all the variables accountid, account_guid, wid, refid.
          2. The visitor clicks "submit" and the data is sent to the FaaS URL.
          3. FaaS authorizes the transaction and sends the data back to the visitor's browser:
          <form action=https://company1/successurl.php>
          <input name=on type=hidden value=order_number>
          <input name=quantity type=hidden value=1>
          <input name=unitname type=hidden value=giftcard>
          ...
          form.submit
          4. The visitor's browser posts that data to the account holder's https://company1/successurl.php page.
          5. successurl sees the visitor bought 1 gift card, so it sends the visitor one gift card number by email.


          A hacker can fake a transaction like this:
          1. The hacker uses a script to access the account holder's form page https://company1/buy.php.
          2. The script posts the data to the FaaS URL.
          3. FaaS authorizes the transaction and sends the data back to the hacker's script:
          <form action=https://company1/successurl.php>
          <input name=on type=hidden value=order_number>
          <input name=quantity type=hidden value=1>
          <input name=unitname type=hidden value=giftcard>
          ...
          form.submit
          4. The script then parses that postback data, modifies quantity to 1000, and posts the data to the account holder's https://company1/successurl.php page.
          5. successurl sees the hacker bought 1000 gift cards, so it sends 1000 gift card numbers to the hacker by email.



          • #6
            I am not sure this can happen. My comments are in [square brackets].

            Let's go over your steps - as you had them listed.

            A hacker can fake a transaction like this:
            1. The hacker uses a script to access the account holder's form page https://company1/buy.php [Yes, a hacker can do this]
            2. The script posts the data to the FaaS URL. [Yes, it can do this]
            3. FaaS authorizes the transaction and sends the data back to the hacker's script: [NO, it can't do this if you block the allowed URL; FaaS will NOT post back the data if it is coming from an unauthorized URL]
            <form action=https://company1/successurl.php>
            <input name=on type=hidden value=order_number>
            <input name=quantity type=hidden value=1>
            <input name=unitname type=hidden value=giftcard>
            ...
            form.submit
            4. The script then parses that postback data, modifies quantity to 1000, and posts the data to the account holder's https://company1/successurl.php page. [Yes, a hacker can do this]
            5. successurl sees the hacker bought 1000 gift cards, so it sends 1000 gift card numbers to the hacker by email. [NO, you should only accept postbacks from https://faas.cloud.clickandpledge.com; by reading the posting URL you can easily block this]

            The combination of the 2 methods will block this attempt easily.

            If you think I am missing your point or misunderstanding the attack signature let me know and I can gladly review the steps. We are always looking for ways to make the system better and will gladly add any feature requested but I just want to make sure I understand the issue and we don't create complexity when it does not add more than what is already available.
            Regards,
            Click & Pledge Support Department




            • #7
              We like the idea you are presenting and have added it to the list of features to be added in an upcoming release.

              Here is the idea requested:

              Addition of 2 fields to the API tab in the Portal:
              • Pass phrase
              • Hash Key (option to auto-generate)


              Since the time stamp won't work in the absence of a synchronization device we will do the following:
              • Use the following format: Secure phrase: {Pass phrase}{Order number}{amount}
              • Use the hash key and encrypt the secure phrase
              • Post back the secure phrase


              Since you know your "Pass phrase" and the order number and amount are also posted back to you, the hash key generated by you and our post back may be compared.

              Of course we don't expect many people to use this feature since most won't know how to encrypt or use hash keys. This will be an extra layer of security and a redundant double check.

              The feature I explained to you will work easily and combining it with this will add an extra layer as stated earlier.

              What do you think about this implementation?
              Regards,
              Click & Pledge Support Department




              • #8
                Originally posted by Support.Department:
                We like the idea you are presenting and have added it to the list of features to be added in an upcoming release.

                Here is the idea requested:

                Addition of 2 fields to the API tab in the Portal:
                • Pass phrase
                • Hash Key (option to auto-generate)


                Since the time stamp won't work in the absence of a synchronization device we will do the following:
                • Use the following format: Secure phrase: {Pass phrase}{Order number}{amount}
                • Use the hash key and encrypt the secure phrase
                • Post back the secure phrase


                Since you know your "Pass phrase" and the order number and amount are also posted back to you, the hash key generated by you and our post back may be compared.

                Of course we don't expect many people to use this feature since most won't know how to encrypt or use hash keys. This will be an extra layer of security and a redundant double check.

                The feature I explained to you will work easily and combining it with this will add an extra layer as stated earlier.

                What do you think about this implementation?
                Yes, this implementation should work for us, thanks!



                • #9
                  Jack,

                  We just had a release (actually last week) that added this feature to the system.

                  See the FaaS Security section in the manual:


                  Using this method you may now set up a secret key and match the hash code.

                  Here is a sample php code:

                  PHP Code:
                  <?php
                  // Returns the SHA-1 hex digest of the posted 'string' field.
                  function hashcode($post)
                  {
                      $string = $post['string'];
                      // Convert to UTF-8 before hashing (the original line lacked the assignment).
                      $encode = utf8_encode($string);
                      $sha1_hash = sha1($encode);
                      return $sha1_hash;
                  }
                  ?>
                  and in .NET:

                  Code:
                  using System;
                  using System.Security.Cryptography;
                  using System.Text;

                  public static string ComputeHash(string Text4Hash)
                  {
                      byte[] Text4HashBytes = Encoding.UTF8.GetBytes(Text4Hash);

                      // Initialize appropriate hashing algorithm class.
                      HashAlgorithm hash = new SHA1Managed();

                      byte[] hashData = hash.ComputeHash(Text4HashBytes);

                      // create new instance of StringBuilder to save hashed data
                      StringBuilder returnValue = new StringBuilder();

                      // loop for each byte and append it as two lowercase hex digits;
                      // "x2" keeps the leading zero that "x" would drop, so the hex string
                      // matches PHP's sha1() output
                      for (int i = 0; i < hashData.Length; i++)
                          returnValue.Append(hashData[i].ToString("x2"));

                      // Note: unlike the PHP sample, this returns the hex string Base64-encoded.
                      return Convert.ToBase64String(Encoding.UTF8.GetBytes(returnValue.ToString()));
                  }
                  Please review it and let us know if it works for you. We would like to know how it works for you so we can publish the scenario as examples.

                  Looking forward to hearing back from you.
                  Regards,
                  Click & Pledge Support Department

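                  As an added example (not the forum's or Click & Pledge's code), here is the check described in #7 as a receiving success-URL page would run it, in Python for brevity: recompute SHA-1 over {Pass phrase}{Order number}{amount} and compare it to the posted value. The field names `on`, `amount` and `hash`, the pass phrase value, and the exact concatenation order are assumptions, since the thread only sketches the format. It also replays the quantity-tampering case from #5 to show that a field the hash does not cover is still unverified.

                  ```python
                  import hashlib
                  import hmac

                  # Constructed sample pass phrase; the real one is set in the portal (assumption).
                  PASS_PHRASE = "example-pass-phrase"


                  def secure_phrase(pass_phrase: str, order_number: str, amount: str) -> str:
                      """Build the string post #7 describes: {Pass phrase}{Order number}{amount}.
                      Assumption: plain concatenation, no separator, amount used exactly as posted."""
                      return f"{pass_phrase}{order_number}{amount}"


                  def hashcode(text: str) -> str:
                      """SHA-1 hex digest of the UTF-8 bytes, matching the PHP sample in post #9."""
                      return hashlib.sha1(text.encode("utf-8")).hexdigest()


                  def postback_is_authentic(post: dict, pass_phrase: str) -> bool:
                      """Recompute the hash from the fields we received and compare it to the one posted.
                      hmac.compare_digest avoids leaking how many leading characters matched via timing."""
                      expected = hashcode(secure_phrase(pass_phrase, post.get("on", ""), post.get("amount", "")))
                      received = post.get("hash", "").strip().lower()
                      return hmac.compare_digest(expected.encode(), received.encode())


                  def faas_postback(pass_phrase: str, order_number: str, amount: str, quantity: str) -> dict:
                      """Constructed stand-in for what the FaaS server would post back (assumed field names)."""
                      post = {"on": order_number, "amount": amount, "quantity": quantity}
                      post["hash"] = hashcode(secure_phrase(pass_phrase, order_number, amount))
                      return post


                  def demo() -> tuple:
                      """Genuine postback verifies; a changed amount fails; a changed quantity still
                      verifies because quantity is not part of the hashed secure phrase."""
                      genuine = faas_postback(PASS_PHRASE, "12345", "25.00", "1")
                      tampered_amount = dict(genuine, amount="2500.00")
                      tampered_quantity = dict(genuine, quantity="1000")  # the #5 scenario
                      return (
                          postback_is_authentic(genuine, PASS_PHRASE),
                          postback_is_authentic(tampered_amount, PASS_PHRASE),
                          postback_is_authentic(tampered_quantity, PASS_PHRASE),
                      )


                  if __name__ == "__main__":
                      print(demo())  # (True, False, True)
                  ```

                  The third result is the practical caveat: any field the success page acts on (such as quantity) needs to be inside the hashed phrase, or be re-derived from the covered fields, to be protected.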
