How To Bypass Payment Gateway

What is a Payment Gateway

  • An internet payment gateway allows you to process credit card orders from your website in real-time.

Process:

  • Authorization
    • Any purchase made with a credit or debit card via a payment gateway must first be authorized by the credit card issuer.
  • Settling:
    • At the end of the day, the internet payment gateway groups all of your transactions together and sends them to your bank in a single batch. This process, known as settling, passes the transaction to your bank so that you receive payment.
  • Reporting:
    • All of your transactions are recorded, and you can view, print or download them using payment gateway reporting features. TSYS offers advanced search capabilities, including customizable reporting with up to five user-defined fields.

Types of Payment Gateways:

  • Redirects
    • When the gateway takes the customer to its own payment page to handle the complete transaction (i.e. processing and paying), it is a “Redirect.”
  • Checkout on site, payment off-site
    • Consider the PayPal payment gateway: the front-end checkout occurs on your site, but the payment processing happens through PayPal’s back end.
  • On-site payments
    • Large-scale businesses tend to use on-site payments completely handled on their own servers. The checkout and payment processing on behalf of the customer all work through your

How To Test:

  • [Client Side] Modify the product amount present in the hidden element on the client side and try to process the payment.
  • [Using Proxy] If the application uses a third-party payment gateway, first understand the payment flow, then use a proxy tool such as Burp Suite to intercept the traffic and modify the payment amount at the point where it is sent to the payment gateway.
    • Validations:
      • Always validate the price on the server.
      • Look the price up from the database by product ID to validate the amount.
      • Avoid sending the price in the request at all; send a product ID instead, or an encrypted price bound to the product ID.

Remediations:

Some examples of the validations that should be implemented in the application are as follows.

Note: The attack scenario will vary based on the application functionalities.

  • The application should not allow the amount of the product to be modified.
  • The application should not allow a product to be purchased without the payment being made.
  • The application should validate the card information and reject invalid (e.g. already expired) cards while making the payment.
  • The total amount of the purchase should be validated.
  • The application should not allow a product to be purchased with a negative amount.
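The following is an added example (not code from the original post) of the server-side validation described above: the order total is recomputed from product IDs and quantities held in a catalogue that stands in for the database, any client-supplied price is ignored, negative or zero quantities are refused, and the amount about to be sent to the gateway must match the recomputed total exactly. The catalogue contents and SKUs are constructed for the example.

```python
from decimal import Decimal, InvalidOperation

# Constructed in-memory catalogue standing in for the product table.
# These prices are authoritative; any price field in the request is ignored.
CATALOGUE = {
    "SKU-1001": Decimal("49.99"),
    "SKU-2002": Decimal("12.50"),
}

def server_total(cart_items):
    """Recompute the order total from product IDs and quantities only.

    Returns (True, Decimal total) or (False, reason). Each item is a dict
    parsed from the checkout request; a client-supplied "price" key is
    deliberately ignored so that a tampered hidden field has no effect.
    """
    if not cart_items:
        return False, "empty cart"
    total = Decimal("0")
    for item in cart_items:
        product_id = item.get("product_id")
        if product_id not in CATALOGUE:
            return False, f"unknown product {product_id!r}"
        quantity = item.get("quantity")
        # Reject negative, zero, float, string and bool quantities.
        if type(quantity) is not int or quantity <= 0:
            return False, f"invalid quantity {quantity!r} for {product_id}"
        total += CATALOGUE[product_id] * quantity
    if total <= 0:
        return False, "total must be positive"
    return True, total

def validate_checkout(cart_items, claimed_total):
    """Gate the hand-off to the payment gateway.

    claimed_total is whatever amount arrived in the request (or is about to
    be sent to the gateway). It must equal the server's own total exactly;
    otherwise the order is refused before any payment call is made.
    """
    ok, result = server_total(cart_items)
    if not ok:
        return False, result
    try:
        claimed = Decimal(str(claimed_total))
    except InvalidOperation:
        return False, f"unparseable amount {claimed_total!r}"
    if claimed != result:
        return False, f"amount mismatch: request {claimed}, server {result}"
    return True, result
```

In a real deployment the same comparison should also be applied to the amount the gateway reports back in its callback, since a redirect flow gives the client a second chance to alter the figure in transit.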
