PHP POST Referrer

I am implementing a PayPal IPN page and would like to check to ensure that requests are truly coming from PayPal and not being spoofed.
I would assume that HTTP_REFERRER would not be a good way of checking?
I've tried this approach and the variable just comes up empty.
Is there a way to check where a post is coming from? Maybe in the HTTP request header?
And a related side note. From a security standpoint how reliable would this method be?

That would be completely unreliable, as someone could spoof the Referer field as easily as they could spoof the request.
What you need to do is use PayPal's documented IPN validation protocol, which involves posting the IPN notification back to PayPal with cmd=_notify-validate. See the PayPal IPN documentation for details.
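
The postback this answer describes, sketched in Python as an added example (it is not part of the original answers and not PayPal's own sample code). The `post` transport parameter, the function names and the sample notification are assumptions made for illustration; the request's Referer header is never consulted.

```python
import urllib.parse
import urllib.request

# PayPal's live IPN postback endpoint (sandbox: ipnpb.sandbox.paypal.com).
IPN_ENDPOINT = "https://ipnpb.paypal.com/cgi-bin/webscr"

# Constructed sample notification body (not real PayPal data).
SAMPLE_IPN = (b"txn_id=TEST123&payment_status=Completed"
              b"&receiver_email=shop%40example.com&mc_gross=9.99")


def https_post(url: str, body: bytes) -> str:
    """Default transport: POST the body over TLS and return the reply text."""
    req = urllib.request.Request(
        url, data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("ascii", "replace")


def build_postback(raw_body: bytes) -> bytes:
    """Prefix the untouched IPN body with cmd=_notify-validate.

    The raw bytes are echoed exactly as received; re-encoding parsed
    fields can alter the message and make PayPal answer INVALID.
    """
    return b"cmd=_notify-validate&" + raw_body


def ipn_is_genuine(raw_body: bytes, expected_receiver: str,
                   post=https_post) -> bool:
    """True only if PayPal confirms it sent this exact notification."""
    reply = post(IPN_ENDPOINT, build_postback(raw_body)).strip()
    if reply != "VERIFIED":        # INVALID, empty or unexpected: reject
        return False
    fields = urllib.parse.parse_qs(raw_body.decode("utf-8", "replace"))
    # A VERIFIED message addressed to another account is still not ours.
    receiver = fields.get("receiver_email", [""])[0]
    return receiver.lower() == expected_receiver.lower()
```

Call `ipn_is_genuine` with the raw request body before parsing it for order processing, and treat any result other than `True` as an unverified request.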

This variable has a spelling error; it's actually spelled $_SERVER['HTTP_REFERER']. So, make sure you are checking it right.
From the security point of view, this is totally fakeable, so don't rely only on it.

PayPal attaches a verify_sign to all IPN posts.
PayPal IPN Docs

Related

What to do to make webapi's action secure?

I have made a webapi which has a few actions, and one is AddManualDate, which accepts a parameter of the object type. It is consumed by Android devices. It works. But the problem is that the link is now exposed to the public and anyone can use it in a bad way. How to control it?
my link for example:
http://www.testing.com/api/AndroidOperations/AddManualAppointment
now, this can be accessed by anyone. So what to do?
A common way to do this is using a token based authentication. Your client has to call the token api first, to get a token and pass it to every request against your api.
This is normally done by OWIN and OAuth. The following link describes the matter:
https://blogs.perficient.com/2017/06/11/token-based-authentication-in-web-api-2-via-owin/
Since this is a very general question, I can't give you a simple example.
Feel free to ask again if you get stuck in a detail. Happy coding!

Hiding parameters (sensitive information) from URL of an MVC 5 application

I am working on Asp.Net MVC 5. When I click a link (placed in another website) I navigate to UserDetails.cshtml page. Basically that 3rd party site is passing the UserName & Password to my site & using that I authorize & display further user info.
It's fine but the Url is looking like this
localhost:8080//Admin/UserDetails/UserName/PWD.
I don't want to show the UserName & Password in URL i.e URL should look something like :
localhost:8080//Admin/UserDetails/
One possible solution could be rewrite the URL in IIS (http://www.hanselman.com/blog/ASPNETMVCAndTheNewIIS7RewriteModule.aspx)
But I believe there is an easier way to handle this by using the routing mechanism of MVC.
Please help me to figure out the same.
EDIT :
As many of you are confused why I am not doing a Form Post here, let me re-frame my question. I have no control over the third party application, so I can't request them to do a form Post to my MVC application. Again the 3rd party application is an Oracle Reporting application (OBI), so doing a POST from that application might not be feasible too...
Let me reverse engineer your requirements from your question:
I want to have an URI that when invoked will give access to a secured section of my website. This URI must be clicked by visitors of a third-party site, whom I give that URI to. I want to hide the credentials from the URI.
You cannot do this, the requirements are conflicting. You cannot hand out URIs that will authenticate anyone who fires a request to that URI.
You could do something with a token (like http://your-site/auth/$token), but then still, anyone with access to that URI can use it to authenticate themselves, or simply put it up on their own website.
If you have data you want to expose to a third-party site, let that site perform an HTTP request (with tokens, usernames, headers or whatever you want to use to authenticate) in the background to your site, and display the response in their site. Then the visitor won't see that traffic, can't share the URI and all will be secure.
No. No. NO. Like seriously, NO. Any sensitive information should be sent via a post body over a secure connection (HTTPS). You can't "hide" information in a GET request, because it's all part of the URI, or the location of a particular resource. If you remove a portion, it's an entirely different location.
UPDATE
I find it extremely hard to believe that any third-party application that needs to authenticate via HTTP and isn't designed by a chimp with a typewriter, wouldn't support a secure method to do so, especially if it's an Oracle application. I'm not familiar with this particular app, but, and no offense meant here, but I would more easily believe that you've missed something in the documentation or simply haven't found the right way to do it yet before I'd believe you have to send clear-text credentials over GET.
Regardless, as I said previously, there's no way to hide information in a GET request. All data in a GET is part of the URL, and therefore is plainly visible in the browser location bar or whatever. Unfortunately, I have no advice for you other than to look closer at the documentation, even reach out to Oracle if you have to. Whether by post or something like OAuth, there almost has to be another way.

Digging into Oauth2.0 authorization code

In the code below:
https://github.com/jeyben/IOSLinkedInAPI/blob/master/IOSLinkedInAPI/LIALinkedInAuthorizationViewController.m
On lines 108-109, the author checks to see if the state parameter returned after the Oauth2.0 authentication is the same as the one passed in. Is that necessary? How would the state parameter change or be compromised in a webview?
RECOMMENDED. An opaque value used by the client to maintain
state between the request and callback. The authorization
server includes this value when redirecting the user-agent back
to the client. The parameter SHOULD be used for preventing
cross-site request forgery as described in Section 10.12.
From https://www.rfc-editor.org/rfc/rfc6749#section-4.1.1
However that said I do not think it is absolutely necessary as it would be a stretch for someone to try and do cross-site forgery due to the SSH provided by default from the OAuth 2.0 protocol. It is still a good security measure to take though as it is possible for someone to learn the way the requests are made, or a portion of them and try to fake things out. Also it is interesting how this changed on mobile but quite honestly it does not change all that much. Something that is important about the state being checked is that if the user was on a website that was hacked in the WebView then the mobile application could use that state to protect itself from accepting the hacked website's information as true. Anyways this is one of the many conversations that could be had about the state variable.
Hope this helps.
Anthony
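
The state comparison asked about above, shown as an added Python example rather than code from the linked project: the client stores an unguessable value before redirecting and accepts a callback only if it returns that same value, so a callback the client never initiated is rejected. The session dictionary, URLs and function names are hypothetical.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs


def begin_authorization(session: dict, authorize_url: str,
                        client_id: str, redirect_uri: str) -> str:
    """Create an unguessable state, remember it, and build the request URL."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state          # bound to this user's session
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": redirect_uri, "state": state})
    return f"{authorize_url}?{query}"


def handle_callback(session: dict, callback_url: str) -> str:
    """Return the authorization code, or raise if state does not match."""
    params = parse_qs(urlsplit(callback_url).query)
    # pop() makes the state single-use, so a replayed callback also fails.
    expected = session.pop("oauth_state", None)
    received = params.get("state", [None])[0]
    if not expected or not received:
        raise ValueError("missing state")
    # Constant-time comparison of the stored and returned values.
    if not hmac.compare_digest(expected.encode(), received.encode()):
        raise ValueError("state mismatch: callback was not started here")
    code = params.get("code", [None])[0]
    if not code:
        raise ValueError("missing authorization code")
    return code
```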

Rails - Paypal security Question

I'm trying to process a payment for a transaction. Currently I'm redirecting to a paypal url in a controller's method and passing in the variables in the url. Paypal seems to convert this to secure it - https://www.sandbox.paypal.com/cgi-bin/webscr?cmd=_flow&SESSION=lUAK-18U7c_uxbs0wYsKTqcO7tDjb9M4O2A0hqd4gsKhEyhlC0xCxFabBL8&dispatch=50a222a57771920b6a3d7b606239e4d529b525e0b7e69bf0224adecfb0124e9b61f737ba21b081983b975b35e10fe14fd9a7167ca5aec13b
Summary:
User Form -> Controller Method -> Redirected to Paypal URL with variables
How secure is this? Can users access the url I'm redirecting to before Paypal converts it to a secure format? Do I need to implement the encryption recommended on this rails cast - http://asciicasts.com/episodes/143-paypal-security
I'm thinking I need to, but would rather not if it's not needed.
Thanks!
Not sure on your security question, but you may want to take a look at ActiveMerchant. It covers most types of Paypal payments, and is really easy to work with.

Is it secure to POST Credit Card data from View to Controller?

Need to submit some CC data from the View to the Controller where it will be processed, can I just POST it or is there some common way of securing the data in transit?
Post the data using SSL.
Here's a good resource on setting up SSL with IIS and ASP.NET.
Posting with SSL like Rex M mentioned is definitely the first step. You should probably make the page where they are typing their credit card number SSL as well. This will give your users the green URL of comfort.
You should also include protection against CSRF attacks. Use the anti-forgery token.
Also, you should use the PRG (Post, Redirect, Get) pattern to make sure that the credit card numbers aren't submitted twice. After the post, don't just render a different view, send a redirect so their browser does a GET against another URL - probably your confirmation page.
You'll run into a few ASP.NET MVC specific things:
If you have some http pages and some https pages, how will you code the links to the https pages from the http pages? You can hard code them, but you'll have to hard code the domain and protocol. You can't just use <%= Html.ActionLink(... see this SO question for more details.
You'll want to make sure you can't hit your controllers when you are not using SSL. This will help you catch any errors, and ensure that no one uses http instead of https. See the [RequireSsl] attribute in the futures assembly. Here's a blog post about it from Adam Salvo
I haven't read about the implementation of the ASP.net-MVC. However, I believe that you have mixed up the terminology.
The MVC Pattern would be evaluated on the server end. [So there is little need to do security checks between the components (unless they are exposed outside the program)]
I believe that many people get the impression that you are talking about HTTP POSTS after a form submission (as opposed to HTTP GETs).
