What is a Payment Gateway
- An internet payment gateway allows you to process secure online transactions between a customer and a business.
- It acts as a bridge between a merchant’s website (or mobile app) and the payment processor, allowing customers to make payments for goods or services. In simple terms, it’s a service that helps businesses accept electronic payments, such as credit cards, debit cards, and other online payment methods.
Process:
- Authorization:
- Any purchase made with a credit or debit card via a payment gateway must first be authorized by the credit card issuer.
- Settling:
- At the end of the day, the internet payment gateway groups all of your transactions together and sends them to your bank in a single batch. This process, known as settling, passes the transaction to your bank so that you receive payment.
- Reporting:
- All of your transactions are recorded, and you can view, print or download them using payment gateway reporting features. TSYS offers advanced search capabilities, including customizable reporting with up to five user-defined fields.
Types of Payment Gateways:
- Redirects
- When the gateway takes a customer to a payment page to handle the complete transaction (i.e. processing and paying) it becomes a “Redirect.”
- Checkout on site, payment off-site
- Consider the PayPal payment gateway: the front-end checkout occurs on your site, but the payment processing happens through PayPal’s back end.
- On-site payments
- Large-scale businesses tend to use on-site payments completely handled on their own servers. The checkout and payment processing on behalf of the customer all work through your
How To Test:
- [Client Side] Modify the product amount present in the hidden element at the client side and try to process the payment.
- [Using Proxy] If the application is using a third-party payment gateway, first understand the flow of the payment, then use a proxy tool such as Burp Suite to intercept the traffic and modify the payment amount at the point where it is sent to the payment gateway.
- Validations:
- Always validate the price on the server.
- Pull the price from the database by product ID to validate the amount.
- Avoid sending the price in the request; send a product ID instead (or an encrypted price bound to the product ID).
Remediations:
Some examples of validations that should be implemented in the application are as follows.
Note: The attack scenario will vary based on the application functionalities.
- The application should not allow modifications to the product amount.
- The application should not allow purchasing the product without making the payment.
- The application should reject invalid card information, such as an already expired card, when making the payment.
- The total amount of the purchase should be validated.
- The application should not allow purchasing the product with a negative amount.
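As an added example (not code from the original page or from any gateway vendor), the following Python checkout handler contrasts the vulnerable pattern the test steps above target, where the price is taken from the request, with the validated pattern the remediation list calls for: the price is looked up by product ID from a constructed catalogue, client-supplied prices are ignored, non-positive quantities and totals are refused, and expired cards are rejected before any amount is sent for authorization. The catalogue, the SKU values, the request field names and the `CheckoutError` class are assumptions made for the example.

```python
"""Server-side checkout validation: price looked up by product ID, never trusted from the client."""
from datetime import date
from decimal import Decimal

# Constructed catalogue standing in for the product table in the database (assumption).
CATALOGUE = {
    "SKU-100": Decimal("49.99"),
    "SKU-200": Decimal("5.00"),
}


class CheckoutError(ValueError):
    """Raised when a checkout request fails server-side validation (hypothetical class)."""


def vulnerable_total(request):
    """Vulnerable pattern: the price arrives in the request (for example from a hidden
    form field) and is multiplied as-is, so a tampered price or quantity is honoured."""
    return Decimal(request["price"]) * int(request["quantity"])


def card_is_expired(exp_month, exp_year, today=None):
    """A card is valid through the last day of its expiry month; a malformed month counts as expired."""
    today = today or date.today()
    if not 1 <= exp_month <= 12:
        return True
    # First day of the month after expiry; the card is expired once today reaches it.
    if exp_month == 12:
        first_after = date(exp_year + 1, 1, 1)
    else:
        first_after = date(exp_year, exp_month + 1, 1)
    return today >= first_after


def validated_total(request, catalogue=CATALOGUE):
    """Hardened pattern: ignore any client-supplied price, look the price up by
    product ID, and reject non-positive quantities and totals."""
    product_id = request.get("product_id")
    if product_id not in catalogue:
        raise CheckoutError("unknown product")
    try:
        quantity = int(request.get("quantity", 0))
    except (TypeError, ValueError):
        raise CheckoutError("quantity must be an integer")
    if quantity <= 0:
        raise CheckoutError("quantity must be positive")
    total = catalogue[product_id] * quantity
    if total <= 0:
        raise CheckoutError("total must be positive")
    return total


def process_checkout(request, catalogue=CATALOGUE, today=None):
    """Return the amount to authorize with the gateway, or raise CheckoutError.
    Nothing is handed to the gateway until both the amount and the card checks pass."""
    total = validated_total(request, catalogue)
    try:
        exp_month = int(request["exp_month"])
        exp_year = int(request["exp_year"])
    except (KeyError, TypeError, ValueError):
        raise CheckoutError("missing or malformed card expiry")
    if card_is_expired(exp_month, exp_year, today):
        raise CheckoutError("card expired")
    return total


if __name__ == "__main__":
    # Constructed request as a proxy-tampered client might send it: price lowered to 0.01.
    tampered = {"product_id": "SKU-100", "price": "0.01", "quantity": "1",
                "exp_month": "12", "exp_year": "2099"}
    print("vulnerable total:", vulnerable_total(tampered))  # honours the tampered 0.01
    print("validated total:", process_checkout(tampered))   # charges the catalogue price 49.99
```

The same lookup-by-ID approach extends to multi-item carts: sum the catalogue price times the validated quantity for each line, and compare that server-computed total with whatever the gateway callback reports before marking the order as paid.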