Is it possible to secure a credit card payment form?

Hello All,
We are going to take over this site with our wifi software, BUT the final payment form can be altered for a payment of a penny.

They use javascript to post the form after submission.

<script language='javascript'>var vPostForm = document.PostForm;vPostForm.submit();</script>

(link has been removed)
To test, click on one of the plans, then disable JavaScript when you see “Payment Options” and refresh that page.
With JavaScript disabled click the “Pay” button at the bottom.

Now view source and you have (verbatim, all on one line),

<form id="PostForm" name="PostForm" style="display:hidden" action="payment_gateway.jsp" method="POST" ><input type="hidden" name="merchant" value="xxxx7883" /><input type="hidden" name="store" value="1234" /><input type="hidden" name="term" value="001" /><input type="hidden" name="total" value="5000" /><input type="hidden" name="currency" value="484" /><input type="hidden" name="order_id" value="5a4c5fcd-5f7e-4a46-b64e-dfe8827" /><input type="hidden" name="address" value="mystore" /><input type="hidden" name="digest" value="728fbdfd8c3e7a241c117b3c1fcbd3f86935e3f0" /><input type="hidden" name="return_target" value="" /><input type="hidden" name="urlBack" value="https://www.me.com/Validate" /><input type="hidden" name="type" value="H" /><input type="hidden" name="period" value="1" /><input type="hidden" name="planPrice" value="50.00" /><input type="hidden" name="planMoney" value="MXN" /><input type="hidden" name="lookProsa" value="https://me.com/cancun" /></form><script language='javascript'>var vPostForm = document.PostForm;vPostForm.submit();</script>

Now I have a nice little form and I will get my internet access for a penny.

This may seem trivial but over the years we have seen this method used and shared with other people with our own wifi access forms.

Problem is that they pay and get wifi, by the time we view the payment reports, they are long gone.

Surely there must be a way to ensure “planPrice” cannot be altered.

I suppose I could use cURL and display the form from the gateway on the target site but not sure of the security implications, this would not work with our other payment gateways.

It would be nice if “header location” could be combined with cURL and have PHP send the browser along with posted data to the gateway.

I’m open to ideas.
Thank you

@lorenw - are you sure you want this post to remain, with details of the vulnerabilities on your site and how to exploit them? Remember, this is a public forum, and these posts will be crawled and indexed by search engines.

If you’re quite sure, I’ll relist the topic. Otherwise, you might want to edit it first.

You are right, names have been changed, links removed. To explain further without the links.

This is a big problem, yesterday I was showing a friend a dozen sites that use PayPal’s shopping cart, just how easy it was to change $20.00 to $0.01, I had 7 expensive items in my cart for a total of $0.07.

The site in question has good intent, the initial form only has a hidden input called plan_1 or plan_2.
After that is submitted, then server side is when the real form with the prices appears and gets submitted with JavaScript, IF JavaScript is enabled.

We have wifi hotspots all over the planet and we also use the same technique, JavaScript submits the form to prevent tampering.

At some of our locations (neighborhoods), users have found out that they can disable JavaScript and pay a penny.
They also tell their friends about it.

So wouldn’t it make sense to change to PayPal’s IPN processing? It has been years since I’ve used that process or had to implement it, but if I recall it sends a call via cURL to start the process, a link gets returned, you navigate to it, payment is completed at PayPal, and they send you a callback validating the request so you can ensure the payment was made for the price you wanted to accept.

You can see sample code at https://github.com/paypal/ipn-code-samples

PayPal can be set to only process payments when they are the correct amounts - or rather the smaller payment still goes through but access to what they are paying for is not provided and you can reverse out the payment.

If you want to do it for credit card processing then the same is possible with even simpler code using Stripe.

@cpradio, I generate PayPal encrypted forms on the fly, so for me PayPal is not an issue on our new platform.
If I remember correctly, even if IPN fails, payment will still be accepted by PayPal.

The service is similar to PayPal where payment is made on a third party site.
The documentation is in Spanish and I am struggling to understand the Google translated version.
I’m not sure if they have an IPN but they have a hidden field called “digest” which is SHA1 hashed from certain values.

comercio_con.xxx This page shows information Prose back, inside information
returned or a digest this data, which must calculate trade data back and
compare to be equal to sent by PROSE.
Depending on the platform that has the trade, may be applicable to their extensions
respective pages (hence .xxx can be .php, .asp, .jsp), prose gives examples of these
php pages yet trade must adapt their programming.
Later it explains how the digest is calculated for PROSA and sent back to the
trade.
DIGEST
The digest is a fact that verifies the integrity of the information that travels between trade and Prose.
It is calculated using a SHA1 function applied to the group of variables required.

I have read that over and over and just now figured it out, I was given a file called comercio_con.php and now I understand it. So maybe I will be fine.

The company that is currently hosting the wifi app was very careful not to let anyone see the actual form that was being posted for some reason hence the use of JS to post the form.

I still think there should be a way to validate a form’s integrity before sending it off.

That may be, but you have the ability to invalidate the payment, as what PayPal sent you in a request for validation showed a price that did not equal what you were expecting to receive. You can use this to then ensure the user doesn’t get a valid key/password/whatever to use the Wifi.

This would put the onus on the customer who tried to cheat the system. Much like how it was common practice to put a SQL injection in the login form for most airport wifi connections because it would give you free access.

That is the whole point of IPN to have a validation step in between where you get instant notification of the payment being submitted to ensure it meets your expectations. I really wish I had my side project where I used this available still.

As cpradio mentions, when using an IPN system like the one PayPal and other payment systems offer, this is when you confirm if the order matches your parameters. I.e. if the order products, amount received and currency are actually correct. If something is not correct, you treat it as an invalid order and void/refund the payment.

From the information you provided about the one you use, it seems to be using a very outdated system (similar to what we saw and would expect back in 2000-2004). With this in mind I would be very wary of using them, since this most probably means other parts of their system are lacking as well, i.e. do they even use transactions etc.

Please be aware that there are a lot of insecure merchants out there; especially smaller ones using their own system are prone to have open security holes. Over the years, we have reviewed quite a few merchant services for clients, and too many actually had serious security issues, which meant we could not recommend them.

This actually includes larger merchants as well, though in those cases, as soon as we provided information about the security issue, the hole was always patched rapidly.

With this said, the security of merchant providers has become a lot better in the last years, as we seldom locate severe security weaknesses like the one you describe these days.

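The check the IPN replies describe, combined with the “digest” field quoted earlier in the thread, as an added PHP example (not code from any poster or from the gateway). The price is looked up on the server from the plan key, the expected amount is stored with the order, and the callback is accepted only if its digest and its amount both match. The shared secret, the HMAC-SHA1 construction, the digest field order, the `plan_2` price and the function names are assumptions; the real gateway's documentation defines its own digest.

```php
<?php
// Prices live on the server; the browser only ever names a plan.
const PLANS = [
    'plan_1' => ['total' => '5000',  'currency' => '484'],
    'plan_2' => ['total' => '12000', 'currency' => '484'], // constructed value
];
const SHARED_SECRET = 'constructed-demo-secret'; // assumption: key shared with the gateway

// Keyed SHA-1 digest over the fields that must not change (assumed field order).
function order_digest(array $f): string
{
    return hash_hmac('sha1', implode('|', [$f['order_id'], $f['total'], $f['currency']]), SHARED_SECRET);
}

// Step 1: build the order from the plan key and record what we expect to be paid.
function create_order(string $planKey, array &$orders): array
{
    if (!array_key_exists($planKey, PLANS)) {
        throw new InvalidArgumentException('unknown plan');
    }
    $order = ['order_id' => bin2hex(random_bytes(16))] + PLANS[$planKey];
    $orders[$order['order_id']] = $order; // a database row in a real deployment
    return $order + ['digest' => order_digest($order)];
}

// Step 2: on the payment callback, grant access only if everything matches.
function verify_callback(array $cb, array $orders): bool
{
    foreach (['order_id', 'total', 'currency', 'digest'] as $k) {
        if (!isset($cb[$k]) || !is_string($cb[$k])) {
            return false; // missing or malformed field
        }
    }
    $expected = $orders[$cb['order_id']] ?? null;
    return $expected !== null
        && hash_equals(order_digest($cb), $cb['digest'])  // constant-time compare
        && $cb['total'] === $expected['total']            // amount paid vs. amount stored
        && $cb['currency'] === $expected['currency'];
}

// Constructed sample run.
$orders = [];
$form = create_order('plan_1', $orders);
var_dump(verify_callback($form, $orders));      // untouched order
$tampered = ['total' => '1'] + $form;           // amount altered, original digest kept
var_dump(verify_callback($tampered, $orders));
$tampered['digest'] = order_digest($tampered);  // callback truthfully reports the 1-cent payment
var_dump(verify_callback($tampered, $orders));
```

Only the first call is accepted. The third case is the one the stored amount exists for: the digest is valid for what was actually paid, but it does not match what the order was created for.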

If you make a payment with Intuit, your credit card # is stored in a cookie in plain text, look at the headers.
I immediately called Intuit and spoke with a person named Spenser.
We had a conference call, final decision, fine, no problem.

This is the largest gateway in Mexico, they are married to them.
PayPal is secure with encrypted form.

@TheRedDevil> it seems to be using a very outdated system (similar to what we saw and would expect back in 2000-2004). With this in mind I would be very wary of using them, since this most probably means other parts of their system are lacking as well,

Yes, once again, This is the largest gateway in Mexico, they are married to them.

Back to my original question, I want a function that can take my form post, sanitize it server side on my domain and then post it via PHP

@felgall “what they are paying for is not provided and you can reverse out the payment.”

I don’t want my clients burdened with this, this makes us look bad.

My original question stands: Is it possible to secure a credit card payment form?

Not doing it is what will make you look bad - and there will be nothing to burden legitimate customers with - only the scammers who deliberately change the price. It is allowing others to effectively steal from you by paying one cent for a $100 product that WILL make you look bad with your legitimate customers.

The Stripe processor I referred you to earlier can also be secured just the same way that PayPal can but using a different approach - the credit card info is sent directly to Stripe via a JavaScript Ajax call and replaced by a token before the form is submitted to your server. So the credit card info is encrypted before the script on Stripe sends it through to their server side processing and the card details never come anywhere near your server so you don’t have to worry about security of their card details as you never get them.
