Payment Logic Vulnerability of E-Commerce 2023

By XiaoXin
A Bit Randomly


Payment Logic Vulnerability of E-Commerce

Vulnerabilities caused by flawed logic in the payment process are called payment loopholes.

Test ideas

Any parameter in a request can be modified, so any parameter may hide a problem. Testing is usually done with two accounts so that their requests can be compared, which makes suspicious parameters faster to find.

Order Module

  1. Change the price of an item after placing an order
  2. After placing the order, change the quantity to a negative number, so that positive and negative amounts offset each other
  3. Is there a logic problem with concurrent purchases?
  4. When the product is 0, is a purchase still possible?
  5. Modify the order amount when the order is generated

Settlement Module

  1. Coupon reuse
  2. Modify billing status
  3. Change payment API or payment mode
  4. Forge a successful settlement request

Return Module 

  1. Change the status of the goods
  2. Change return price

Receipt Module

Confirming receipt directly, bypassing the customer.

Boundary value problem

The normal logic is that the user purchases products and their prices are added up into a total, which is then deducted. The logic problem: if the quantity the user purchases is a negative number, the calculated total is also negative, and money flows to the user instead.

Sequential Execution Flaws

The normal logic is that steps a, b, c and d are performed one after another in sequence. The logic problem: a step can be skipped and the next one entered directly. If the skipped step is the payment operation, payment is bypassed. If it is a verification mechanism, verification is bypassed and the flow goes straight to the next step.
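A server-side guard against skipped steps, as an added example that is not part of the original article: the order's state is kept on the server and each action is accepted only if it is the next legal step for the party performing it. The state names, roles and helper functions are assumptions.

```python
# (state, action) -> (next state, role allowed to perform it); names are illustrative
TRANSITIONS = {
    ("CREATED", "payment_verified"): ("PAID", "payment_gateway"),
    ("PAID", "ship"): ("SHIPPED", "merchant"),
    ("SHIPPED", "confirm_receipt"): ("RECEIVED", "buyer"),
    ("RECEIVED", "settle"): ("SETTLED", "system"),
}


class WorkflowError(Exception):
    """Raised when a request tries to skip a step or act as the wrong party."""


def new_order(buyer):
    # State lives on the server; the client never sends its "current step"
    return {"buyer": buyer, "state": "CREATED", "history": []}


def advance(order, action, actor_role, actor_id=None):
    """Apply one action if it is the next legal step for this actor."""
    key = (order["state"], action)
    if key not in TRANSITIONS:
        raise WorkflowError(f"{action!r} not allowed in state {order['state']}")
    next_state, required_role = TRANSITIONS[key]
    if actor_role != required_role:
        raise WorkflowError(f"{action!r} requires role {required_role}")
    # Receipt can only be confirmed by the buyer who owns the order
    if required_role == "buyer" and actor_id != order["buyer"]:
        raise WorkflowError("only the order's buyer may confirm receipt")
    order["history"].append((order["state"], action, actor_role))
    order["state"] = next_state
    return next_state


def try_advance(order, *args):
    """Return the new state, or the rejection reason without changing state."""
    try:
        return advance(order, *args)
    except WorkflowError as exc:
        return f"rejected: {exc}"
```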

Amount passed directly in the request leads to tampering

The value of the order amount is modified directly in the request. fd (Fiddler) or Burp can be used to capture the packets.
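Both this issue and the negative-quantity boundary problem above have the same server-side fix, shown here as an added example that is not part of the original article: the order total is recomputed from the server's own price list and validated quantities, and any client-sent price is ignored. The catalogue, SKU names and `MAX_QTY` limit are assumptions.

```python
from decimal import Decimal

# Constructed sample catalogue: the server's own price list (assumption)
CATALOGUE = {"sku-book": Decimal("12.50"), "sku-pen": Decimal("1.20")}
MAX_QTY = 100  # hypothetical per-line limit


def naive_total(lines):
    """The flawed logic: trusts the client's price and any quantity."""
    return sum(Decimal(str(l["price"])) * l["qty"] for l in lines)


def server_total(lines, catalogue=CATALOGUE):
    """Recompute the total from server-side prices and validated quantities."""
    total = Decimal("0")
    for line in lines:
        sku, qty = line.get("sku"), line.get("qty")
        if sku not in catalogue:
            raise ValueError(f"unknown sku: {sku!r}")
        # bool is a subclass of int, so exclude it explicitly
        if not isinstance(qty, int) or isinstance(qty, bool):
            raise ValueError("quantity must be an integer")
        if not 1 <= qty <= MAX_QTY:
            raise ValueError(f"quantity out of range: {qty}")
        # Any client-supplied "price" or "amount" field is ignored
        total += catalogue[sku] * qty
    if total <= 0:
        raise ValueError("order total must be positive")
    return total


def check(lines):
    """Return ('ok', total) or ('rejected', reason) for a submitted cart."""
    try:
        return "ok", server_total(lines)
    except ValueError as exc:
        return "rejected", str(exc)


# Constructed requests as they might arrive from a client
NEGATIVE_QTY = [{"sku": "sku-book", "qty": 1, "price": 12.50},
                {"sku": "sku-pen", "qty": -20, "price": 1.20}]
EDITED_PRICE = [{"sku": "sku-book", "qty": 2, "price": 0.01}]

if __name__ == "__main__":
    print(naive_total(NEGATIVE_QTY))  # negative total: the shop would owe the buyer
    print(check(NEGATIVE_QTY))
    print(check(EDITED_PRICE))
```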

Adding to the shopping cart after confirming the payment

Put the product into the shopping cart and click to place the order and pay; the page jumps to a third-party payment platform such as WeChat or Alipay. At this point, products can still be added to the shopping cart. After the payment is completed, the merchant ships whatever is in the current shopping cart.

Request replay

After a successful purchase, the request is replayed to increase the number of purchased items. A successful purchase includes a redirect from the bank back to the merchant's website. If that operation is repeated, there is a chance that the product is purchased again and the quantity increases, with no additional payment.

Request parameter interference

Once the amount has been signed and verified, a modified amount no longer passes the check, but the request may still contain another parameter that affects the amount and causes problems.

Order Replacement

Order replacement happens in the event handling that follows payment. A second payment request is initiated to the server at the same time, one for a larger amount and one for a smaller amount. The smaller amount is paid, the orders are swapped after payment, and the server is notified that the order payment is complete. The process can be replayed repeatedly.

Two payees are required: one is a normal merchant and the other is a counterfeit merchant.

Unit Replacement

Create an international payment scenario similar to PayPal.
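A merchant-side check that addresses request replay, parameter interference, order replacement and unit replacement together, as an added example that is not part of the original article: the payment notification is authenticated with HMAC-SHA256 over every amount-relevant field, compared with the order snapshot stored at order creation, and applied only once. The field names, the `ORDERS` store and the demo key are assumptions, and no real payment provider's message format is implied.

```python
import hashlib
import hmac
from decimal import Decimal

SECRET = b"constructed-demo-key"  # placeholder; a real key is long, random, server-side only

# Order snapshot stored when the order was created (constructed sample data)
ORDERS = {"o-1001": {"amount": Decimal("25.00"), "currency": "CNY",
                     "payee": "merchant-001", "status": "CREATED"}}
SIGNED_FIELDS = ("order_id", "amount", "currency", "payee", "txn_id")


def sign(msg, key=SECRET):
    """HMAC-SHA256 over every field that influences the payment."""
    canon = "&".join(f"{k}={msg[k]}" for k in SIGNED_FIELDS)
    return hmac.new(key, canon.encode(), hashlib.sha256).hexdigest()


def handle_notification(msg, orders=ORDERS):
    """Return 'paid', 'duplicate' or 'rejected: <reason>'."""
    if any(k not in msg for k in SIGNED_FIELDS + ("sig",)):
        return "rejected: missing field"
    if not hmac.compare_digest(sign(msg), str(msg["sig"])):
        return "rejected: bad signature"
    order = orders.get(msg["order_id"])
    if order is None:
        return "rejected: unknown order"
    # Compare against the stored snapshot, never against the current cart
    if (Decimal(msg["amount"]) != order["amount"]
            or msg["currency"] != order["currency"]
            or msg["payee"] != order["payee"]):
        return "rejected: does not match order"
    if order["status"] == "PAID":
        return "duplicate"  # replayed notification: acknowledge, fulfil nothing more
    order["status"] = "PAID"
    return "paid"


def notification(**overrides):
    """Build a constructed, correctly signed notification for the demo."""
    msg = {"order_id": "o-1001", "amount": "25.00", "currency": "CNY",
           "payee": "merchant-001", "txn_id": "t-1"}
    msg.update(overrides)
    msg["sig"] = sign(msg)
    return msg
```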

User Substitution

User replacement occurs during the payment process. First, log in to your own account, and then obtain valid information such as another person's account name. In the business process, replace your own user name with the other party's user name. After the purchase is completed with the other party's balance, switch back to your own account name, so that you buy your own things with other people's money.

Force attack

Forced attacks occur in brute-force scenarios. If a merchant connects its own online store to a third-party payment interface and, through improper design, the key agreed between the merchant and the third-party payment provider is protected by MD5 alone, MD5 collision technology can be used to crack the key. When the key information is simple, the MD5 encryption can be brute-forced in this way.

Key Leakage

For the convenience of design, an app with a built-in payment function may leak its MD5 or RSA private key: an attacker who decompiles the APK can obtain the key information, so that the transaction information can be tampered with.

Function modification

Modifying functions after decompiling the APK may cause the merchant to fail to verify the accuracy of the information when the order is submitted to the payer in the last step, so the information can still be tampered with.
