Post by dmitryp » Sat Jun 24, 2017 4:39 am

Got a question here. We sell instant downloadable designs. How can someone pay with PayPal, return to our site and download designs without even posting a payment to PayPal? I called PayPal and that transaction doesn't even exist. Also I've implemented a measure where a single order over $100 would be blocked (we sell $3.99 files and orders like that are very unusual) and the hacker was able to bypass that too.

Does anyone have any ideas?


Post by artcore » Sat Jun 24, 2017 3:02 pm

PayPal standard?
Interesting! They might use the callback with fake data to fool OC into thinking the order was successful. You can check the Apache logs for such activity.
You could set the complete status to pending to prevent immediate access to downloadables or restrict the callback to paypal's IP.
This is just conjecture, it would need some checking to see what's really going on.


Post by pipoy » Mon Jun 26, 2017 3:23 pm

A few months ago, my friend developed an integration for a certain payment gateway here in Asia.

We did a test order by completing a checkout, and the order status was set to pending.

To be able to automatically set the order to complete, there are certain steps the payment gateway requires.

But before we did that, my friend replicated the postback using a Rest Client in chrome by getting the hash key from the URL link when the return from the payment gateway was done.

Successfully doing so, somewhere either OpenCart or the payment gateway has a vulnerability, which we never concluded where it was.
The exploitation was done by getting the hashkey from the URL link, and we used the hashkey to do the postback via the REST client.

This could be the same vulnerability.


Post by ADD Creative » Mon Jun 26, 2017 8:37 pm

dmitryp wrote:
Sat Jun 24, 2017 4:39 am
Got a question here. We sell instant downloadable designs. How can someone pay with PayPal, return to our site and download designs without even posting a payment to PayPal? I called PayPal and that transaction doesn't even exist. Also I've implemented a measure where a single order over $100 would be blocked (we sell $3.99 files and orders like that are very unusual) and the hacker was able to bypass that too.

Does anyone have any ideas?
What version of OpenCart and which PayPal payment extension are you using? Have you switched on debug messages for that module?

artcore wrote:
Sat Jun 24, 2017 3:02 pm
PayPal standard?
Interesting! They might use the callback with fake data to fool OC into thinking the order was successful. You can check the Apache logs for such activity.
You could set the complete status to pending to prevent immediate access to downloadables or restrict the callback to paypal's IP.
This is just conjecture, it would need some checking to see what's really going on.
The PayPal standard module does send the callback to PayPal for validating. Which I think is to protect against that sort of thing. https://github.com/opencart/opencart/bl ... #L115-L134

ADD Creative - Web development and e-commerce development, Milton Keynes or Christchurch, UK
ADD Filtration - HVAC Panel Filters, Bag Filters and HEPA Filters
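Added example, not code from this thread or from OpenCart's PayPal module: the server-side checks a payment callback handler should pass before it marks an order complete, with a constructed stand-in for PayPal's validation endpoint so it runs offline. The function names, the sample order and the transaction id are assumptions.

```python
from decimal import Decimal, InvalidOperation

# Constructed sample data: what the shop knows about the order server-side.
ORDER = {"merchant_email": "shop@example.com", "currency": "USD",
         "total": Decimal("3.99")}

# Constructed stand-in for PayPal's validation endpoint: it knows only the one
# message it "really" sent and answers VERIFIED for an exact echo of that
# message, INVALID for anything else (including a forged callback).
_PAYPAL_SENT = {"TXN-CONSTRUCTED-1": {"mc_gross": "3.99", "mc_currency": "USD",
                "receiver_email": "shop@example.com",
                "payment_status": "Completed"}}

def fake_paypal_verifier(params):
    record = _PAYPAL_SENT.get(params.get("txn_id"))
    if record and all(params.get(k) == v for k, v in record.items()):
        return "VERIFIED"
    return "INVALID"

def validate_ipn(params, order, seen_txn_ids, verify_with_paypal):
    """Return (ok, reason). Every check uses the server-side order record,
    never the amount or status the callback itself claims."""
    # 1. Relay the untouched message back to PayPal; only VERIFIED counts.
    if verify_with_paypal(params) != "VERIFIED":
        return False, "not verified by PayPal"
    # 2. Only a completed payment releases downloads; Pending/Reversed do not.
    if params.get("payment_status") != "Completed":
        return False, "payment not completed"
    # 3. The money must have gone to this shop's account.
    if params.get("receiver_email", "").lower() != order["merchant_email"].lower():
        return False, "receiver mismatch"
    # 4. Amount and currency must equal the order total stored in the shop.
    if params.get("mc_currency") != order["currency"]:
        return False, "currency mismatch"
    try:
        paid = Decimal(params.get("mc_gross", ""))
    except (InvalidOperation, TypeError):
        return False, "malformed amount"
    if paid != order["total"]:
        return False, "amount mismatch"
    # 5. Replay protection: one txn_id may complete an order only once.
    txn = params.get("txn_id")
    if not txn or txn in seen_txn_ids:
        return False, "duplicate or missing txn_id"
    seen_txn_ids.add(txn)
    return True, "ok"
```

Keeping the order in a pending status until all five checks pass is what stops a replayed or hand-crafted postback from unlocking the downloads.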



Post by artcore » Mon Jun 26, 2017 8:53 pm

@ADDCreative
You're right, seems far fetched.
