SagePay's form callback can be hacked by re-using the success URL that the user is directed to upon a successful transaction. This can create all sorts of problems with duplicate transactions, fake transactions etc.

You can check for a duplicate VPSTxId, but these can be generated anew by hacking around the crypt parameter of the callback URL.

The crypt parameter can also be manipulated to generate a different "Amount" field.

I have not tested what other field values can be changed by hacking the callback URL crypt parameter.

Is there any way (as per PayPal's IPN validation) of doing a double-check callback to SagePay to ensure that the transaction is new and unique?


Solution 2

You should always redirect a user from a success URL.
I personally use a fulfil page (success URL) and a thank-you page. On the fulfil page, you should obviously only ever process a transaction once (based on the transaction id), and you can store the crypt sent with a transaction. The crypt will have to be valid and is only possible to encrypt if you have the encryption key.
So hacking would be extremely difficult unless you are being very security lax, and the hacker would have to know your encryption key to even begin trying to hack it.

Alternatively, you should use the server integration, so that the communications are server-server, not client-server. There is little difference between form and server.

10 immutable laws of security
http://technet.microsoft.com/library/cc722487.aspx
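The checks this answer describes (only fulfil a transaction once by its id, and trust the crypt only if it decrypts under your own encryption password, so a replayed or edited success URL does nothing), as an added example that is not code from the answer or from Sage Pay. It assumes the Form crypt is AES-128-CBC with the 16-byte encryption password as both key and IV, PKCS#5 padding and upper-case hex behind a leading "@", and the `Status` and `VendorTxCode` field names and the order store are assumptions for the demo; `VPSTxId` and `Amount` are the fields the question names.

```ruby
require 'openssl'

# Assumed Form-protocol crypt layout: AES-128-CBC, key and IV both the
# 16-byte encryption password, PKCS#5 padding, upper-case hex after "@".
def encrypt_crypt(password, fields)
  c = OpenSSL::Cipher.new('AES-128-CBC').encrypt
  c.key = password
  c.iv = password
  '@' + (c.update(fields) + c.final).unpack1('H*').upcase
end

# Reverses encrypt_crypt and parses "Key=Value&Key=Value" into a Hash.
# A crypt that was not produced with our password fails on the padding
# check (CipherError), so anything forged by editing the URL is rejected.
def decrypt_crypt(password, crypt)
  raise ArgumentError, 'malformed crypt' unless crypt =~ /\A@(?:[0-9A-Fa-f]{32})+\z/
  c = OpenSSL::Cipher.new('AES-128-CBC').decrypt
  c.key = password
  c.iv = password
  plain = c.update([crypt[1..-1]].pack('H*')) + c.final
  plain.split('&').map { |kv| kv.split('=', 2) }.select { |p| p.size == 2 }.to_h
end

# Success-URL handler. orders maps VendorTxCode to the exact Amount string
# sent to Sage Pay (constructed store); done records VPSTxIds and
# VendorTxCodes already fulfilled, which makes replays harmless.
class SuccessHandler
  def initialize(password, orders)
    @password, @orders, @done = password, orders, {}
  end

  # Fulfils an order only when the crypt decrypts cleanly, reports Status=OK,
  # names a known order carrying that order's exact Amount, and neither its
  # VPSTxId nor its VendorTxCode has been fulfilled before.
  # Returns [:fulfilled, fields] or [:rejected, reason].
  def handle(crypt)
    f = decrypt_crypt(@password, crypt)
    return [:rejected, "Status #{f['Status']}"] unless f['Status'] == 'OK'
    want = @orders[f['VendorTxCode']]
    return [:rejected, 'unknown VendorTxCode'] unless want
    return [:rejected, "Amount #{f['Amount']} != #{want}"] unless f['Amount'] == want
    return [:rejected, 'duplicate callback'] if f['VPSTxId'].to_s.empty? || @done[f['VPSTxId']] || @done[f['VendorTxCode']]
    @done[f['VPSTxId']] = @done[f['VendorTxCode']] = true
    [:fulfilled, f]
  rescue OpenSSL::Cipher::CipherError, ArgumentError => e
    [:rejected, "crypt rejected: #{e.message}"]
  end
end
```

The fulfil page should call `handle` and then redirect to the thank-you page regardless of the outcome, logging every `:rejected` result for review.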

Other tips

Thanks for your post. In general we encourage clients to use Server integration where they can. We also constantly monitor transactions for suspicious behaviour and proactively contact our customers if we suspect any malicious activity.

We recommend customers make sure that they’re using the latest version of our integration protocol which is currently v3. Get the latest integration documents.

As Dan suggests you could use the Reporting and Admin API to validate that a transaction does indeed exist on the Sage Pay side but having an additional validation mechanism (like PayPal's IPN) is something we will actively explore.

If you'd like us to update you on this, then please get in contact with our customer services team at support@sagepay.com or 0845 111 44 55.

Sage Pay Support

Licensed under: CC-BY-SA with attribution