Online payment logic vulnerabilities summary - vulnerability warning - the black bar safety net

ID MYHACK58:62201339791
Type myhack58
Reporter Anonymous
Modified 2013-07-22T00:00:00


0x00 Background

As Internet users have grown accustomed to online shopping, more and more e-commerce sites and online trading platforms have appeared.

These inevitably involve an online payment process, which carries a great deal of business logic.

Since money is involved, a poorly designed payment flow can easily lead to very serious vulnerabilities, such as buying goods for 0 Yuan.

0x01 Detection methods and cases

Based on the cases published on WooYun, payment vulnerabilities can roughly be divided into five classes; if you find other types, feel free to add them:

1. The payment amount can be modified directly in the request packet during the payment process

This should be the most common type of payment vulnerability.

For convenience, developers often transmit the amount to be paid directly in the request packet at a key step of the payment flow.

The back end does no check on this amount, and the transfer is not signed, so the submitted amount can be tampered with at will.

All it takes is capturing the packet and changing the amount parameter to any value.
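The defect described above, and the server-side fix for it, as an added example (not code from the original article or from any of the sites listed): the weak handler trusts the amount field from the client packet, while the hardened handler recomputes the amount from the server-side order record and checks an HMAC signature. The order table, secret key and request fields are constructed for illustration.

```python
import hmac
import hashlib

# Constructed server-side order record: order_id -> price in fen (1/100 Yuan).
ORDERS = {"A1001": 6900, "A1002": 12900}
# Assumed merchant signing key; it lives only on the server and is never sent to the client.
SECRET = b"merchant-signing-key"


def sign(order_id: str, amount: int) -> str:
    """HMAC-SHA256 over the fields that decide what is charged."""
    msg = f"{order_id}|{amount}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def weak_charge(req: dict) -> int:
    """Vulnerable pattern: charges whatever amount the client packet says."""
    return int(req["amount"])


def hardened_charge(req: dict) -> int:
    """Fixed pattern: the amount comes from the server-side order, not the packet,
    and the signature proves the fields were not altered in transit."""
    order_id = req.get("order_id")
    if order_id not in ORDERS:
        raise ValueError("unknown order")
    expected = ORDERS[order_id]
    if int(req.get("amount", -1)) != expected:
        raise ValueError("amount mismatch: client-supplied value rejected")
    if not hmac.compare_digest(req.get("sign", ""), sign(order_id, expected)):
        raise ValueError("bad signature")
    return expected


# Constructed request as the browser would send it, and a tampered copy
# in which only the amount field was edited after capturing the packet.
legit = {"order_id": "A1001", "amount": "6900", "sign": sign("A1001", 6900)}
tampered = dict(legit, amount="1")

if __name__ == "__main__":
    print(weak_charge(tampered))       # 1: the "buy a phone for 1 Yuan" outcome
    print(hardened_charge(legit))      # 6900
    try:
        hardened_charge(tampered)
    except ValueError as err:
        print("rejected:", err)
```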

Let's look at several cases from WooYun:

Pizza Hut home delivery: payment form amount can be forged

KFC home delivery: payment form amount can be forged

Sina micro number: payment bypass vulnerability

Taobao: a serious payment vulnerability somewhere on the site

Jiayu phone official mall: payment vulnerability (the highlight is that the goods really arrived......)

91 sub-station: payment bypass

Jiangxi Mobile: buy a mobile phone for 1 Yuan vulnerability

"Loves to shoot" main station: a serious vulnerability

Further proof that a Suning site has a major vulnerability

A Suning site has a serious vulnerability
