Injection attacksCross-site scripting (XSS)Cross-site request forgery (CSRF) There are several common security concerns to be aware of when working with Node.js. Some of the most important ones are: Injection attacks Injec... Read 3 Common Security Concerns When Working With Node.js?
Vulnerabilities caused by imprecise logic in the payment link are called payment loopholes.
As long as there are parameters, they can be modified, and there may be problems. Usually use two accounts to compare and test, so that suspicious parameters can be found faster.
Bypassing the customer to confirm receipt directly.
Boundary value problem
The normal logic is that the user purchases the product, and then the price is added up to get a total price for the deduction. At this time, a logical problem will arise: if the product purchased by the user is a negative number, then the calculated total will be a negative number. in turn money to the user.
Sequential Execution Flaws
The normal logic is that abcd performs process operations step by step in a cyclical manner. At this time, a logical problem will arise: you can directly bypass a certain process and enter the next step. If one item is a payment operation, then a payment bypass will also occur. If one item is a verification mechanism, it will bypass the verification and go directly to the next step.
The direct transfer of amount leads to tampering
Directly modify the value of the order amount, here you can use fd or burp to capture packets.
You can also add to the shopping cart after confirming the payment
Put the product into the shopping cart and click to place an order to pay, and it will jump to third-party payment platforms such as WeChat and Alipay. At this time, you can continue to add products to the shopping cart. After the payment is completed, the products issued by the merchant are the things in the current shopping cart.
After the purchase is successful, continue to replay the request to increase the number of purchased items. After the purchase is successful, there will be a process of redirecting the bank to the merchant's website. If the operation is repeated, there is a chance that the product will be purchased repeatedly and increased, but there is no need to pay more money.
Request parameter interference
After the money has been signed and authenticated, it will not pass after modification, but there will still be a parameter in it that will affect the amount and cause problems.
The order replacement occurs after the event processing after the payment. At the same time, a second payment request is initiated to the server, one is more and the other is less, and the payment amount is small, and then the replacement is performed after payment, and the server is notified that the order payment is completed, and the process can be played back repeatedly.
Two payees are required, one is a normal merchant and the other is a counterfeit merchant.
Create an international payment scenario similar to PayPal.
User replacement occurs during the payment process. First, log in to your own account, and then obtain valid information such as another person’s account name. In the business process, replace your own user name with the other party’s user name. After the purchase is completed with the other party’s balance, Then replace your own account name, so that you can buy your own things with other people's money.
Forced attacks occur in the case of brute force cracking. If a merchant uses its own online store to access a third-party payment interface, due to improper design, the key Key agreed between the merchant and the third-party payment can be encrypted by MD5 alone, resulting in MD5 collision technology can be used to crack the key, and the attacker can design simple key encryption information so that MD5 encryption can be brute force cracked by MD5 collision technology.
For the convenience of design, the app with a built-in payment function may leak the private key of Md5 or RSA, causing the attacker to decompile the apk and obtain the key information so that the transaction information can be tampered with.
13. Function modification: The function modification after apk decompilation may cause the merchant to fail to verify the accuracy of the information when submitting the order to the payer in the last step, and still be tampered.
Open PowerShell as administrator: Enable Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V–All Disable Disable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All Open Command Prompt ...
The url redirection vulnerability is also called exploit redirection vulnerability, which can redirect the user to the page constructed by the attacker himself. Simply put, it can jump to any specified url. Generally appea...