473,569 Members | 2,597 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

Warning - ComponentOne's PayPal component is VERY insecure!!

Hello,

I've just been looking at the free PayPal component from ComponentOne
and am somewhat amazed how insecure it is. They include all the
transaction details in plain text in the querystring, meaning that any
rank novice can click the Buy button on your site, then when the PayPal
page loads, change the amount for the transaction and press Enter. This
reloads the page with the new amount. This is so obvious that anyone
could do it.

The result is that someone can place an order on your site and change
the amount to 0.01, with the order still being placed. You are powerless
to stop this. What's even worse, is that it looks like they could enter
a negative amount and get a refund!!

If anyone is using this component, I recommend you check this issue
immediately as your site could be open to abuse.

I contacted C1's (lack of) technical support who were typically
unhelpful. They avoided the issue and gave obscure answers to questions
I hadn't asked. This is consistent with my previous experience of their
technical support.

On a related issue, is anyone using PayPal's ASP.NET SDK? I just had a
look at that too and wondered how easy it is to use.

--
Alan Silver
(anything added below this line is nothing to do with me)
Nov 19 '05 #1
7 2566
I am currently using the PayPal .NET SDK - but for POSTing a custom cart
(not for using their new web service API).

For the most part it is easy to use. The documentation and component have
not been updated since about October '04 or something like that and if you
read their NG posts it appears that PayPal isn't supporting it all that
well. Having said that, I can report no problems, really. I installed the
sample application that demonstrates how to upload the contents of a custom
3rd party shopping cart. I used it as a model for my purposes and everything
seems cool so far. Just set a reference to it in your project and go from
there. Your ticket to sanity here is to just accept that you'll have to
really understand the sample application (which takes all of 15 minutes to
do - if that). The documentation/help file won't really help you if your're
implementing for ASP.NET. I don't think that PayPal really acknowledges that
ASP.NET even exists - at least from reading their printed (non help file)
documentation.

Now, about your observation about the cleartext querystring issue. That is
not an issue of ComponentOne (although they just might suck as much as you
claim). The querystring issue is more of an architectural decision you have
to make. PayPal's non helpfile documentation clearly states that there are
two methods for sending them data - encrypted or not encrypted - and they
clearly state the costs and benefits of each. PayPal's documentation referes
to everything as "buttons" rather than querystrings and such (presumably
because most people will generate static buttons at PayPal's site and
copy/paste the HTML into their own static Web pages). When you go to create
your payment buttons on PayPal's site, you can have it encrypt the
querystring data or not (presented as two 'types' of buttons you can
create). Additionally, when you go with the encrypted option, then that
somehow limits your options for receiving Instant Payment Notification data
back from paypal regarding the transaction (or something like that) - so you
have to decide what's more important to you.

Now, from my purusings of the PayPal NG, it appears that for those of us who
are implementing our own ("custom 3rd party") shopping cart, then if we also
want to encrypt the QueryString, then we'd have to pretty much roll our own
encryption that would have to of course exactly match what PayPal is
expecting (which is undocumented for those of us with the balls to do it).
Doing that would subsequently impose the same limitations on receiving IPN
data back from PayPal. So if you really want encryption and you are NOT
generating your "buttons" dynamically, then it appears that the easiest way
would be to use PayPal's "payment button generator" and copy-n-paste the
HTML into your .NET app.

Finally - if you don't have the current PayPal documentation for developers,
you might want to get it. The most recent was published (PDF format on their
site) in August 2005.

-HTH
"Alan Silver" <al*********@no spam.thanx> wrote in message
news:s3******** ******@nospamth ankyou.spam...
Hello,

I've just been looking at the free PayPal component from ComponentOne and
am somewhat amazed how insecure it is. They include all the transaction
details in plain text in the querystring, meaning that any rank novice can
click the Buy button on your site, then when the PayPal page loads, change
the amount for the transaction and press Enter. This reloads the page with
the new amount. This is so obvious that anyone could do it.

The result is that someone can place an order on your site and change the
amount to 0.01, with the order still being placed. You are powerless to
stop this. What's even worse, is that it looks like they could enter a
negative amount and get a refund!!

If anyone is using this component, I recommend you check this issue
immediately as your site could be open to abuse.

I contacted C1's (lack of) technical support who were typically unhelpful.
They avoided the issue and gave obscure answers to questions I hadn't
asked. This is consistent with my previous experience of their technical
support.

On a related issue, is anyone using PayPal's ASP.NET SDK? I just had a
look at that too and wondered how easy it is to use.

--
Alan Silver
(anything added below this line is nothing to do with me)

Nov 19 '05 #2
"Jeremy S." <A@B.com> wrote in message
news:es******** ******@TK2MSFTN GP14.phx.gbl...
I am currently using the PayPal .NET SDK - but for POSTing a custom cart


Is that the one which allows people to purchase either with their own PayPal
account or by typing in their credit card details...?

I will very soon have a need to incorporate this into an existing website,
and am just waiting for my client to upgrade to a PayPal business account...
Nov 19 '05 #3
<< Is that the one which allows people to purchase either with their own
PayPal account or by typing in their credit card details >>

All of the PayPal options allow that now. PayPal has come a long way. They
no longer do these ridiculous things:
1. Require the use of a PayPal account (your customer can pay with any
credit card). They call it their PayPal Optional feature.
2. Dump your customer in the PayPal site after each transaction. You can now
specify a return URL to which your customers go after (1) completing a
successful transaction, or (2) after canceling a transaction.

Furthermore - we, as developers, have two ways to use PayPal for payment
processing:
1. customer starts the process on our site - additems to a cart on our
site - then POST cart data to PayPal -- customer at this point is viewing a
PayPal page (customized with your logo) -- customer then is returned to your
site after completing the transaction. This option is free (no setup or
monthly fee; PayPal just keeps 2.x percent of the valueof the transaction.
2. customer completes entire transaction on our site -- never sees any
PayPal pages, never goes to PayPal and comes back. Behind the scenes we have
to use PayPal's web service api to transfer data. This option is not free.
There is a $20/month charge for doing this.

-HTH

"Mark Rae" <ma**@mark-N-O-S-P-A-M-rae.co.uk> wrote in message
news:eN******** ******@TK2MSFTN GP09.phx.gbl...
"Jeremy S." <A@B.com> wrote in message
news:es******** ******@TK2MSFTN GP14.phx.gbl...
I am currently using the PayPal .NET SDK - but for POSTing a custom cart


Is that the one which allows people to purchase either with their own
PayPal account or by typing in their credit card details...?

I will very soon have a need to incorporate this into an existing website,
and am just waiting for my client to upgrade to a PayPal business
account...

Nov 19 '05 #4
"Jeremy S." <A@B.com> wrote in message
news:uT******** ******@TK2MSFTN GP14.phx.gbl...
Furthermore - we, as developers, have two ways to use PayPal for payment
processing:
1. customer starts the process on our site - additems to a cart on our
site - then POST cart data to PayPal -- customer at this point is viewing
a PayPal page (customized with your logo) -- customer then is returned to
your site after completing the transaction. This option is free (no setup
or monthly fee; PayPal just keeps 2.x percent of the valueof the
transaction.


That's the option my client has chosen. It sounds from your earlier post
that it's pretty simple to achieve, though the PayPal help itself is less
than ideal...
Nov 19 '05 #5
<< though the PayPal help itself is less than ideal >>
But I wouldn't go so far as to say it's "bad". There is just not as much
ASP.NET-specific guidance as I would have preferred. I'd suggest this
approach: Read through their developer guide (August 2005 version) to learn
their system in general, set up a PayPal Sandbox account, get a plain old
HTML form to POST so you can see how the guts of it all works (it's really
just a straight-forward form post with a bunch of hidden HTML input fields;
the html listed below works with your sandbox account - just swap out your
email address), then study up on the ASP.NET SDK sample app.

<form target="paypal" action="https://www.sandbox.pay pal.com/cgi-bin/webscr"
method="post">
<input type="hidden" name="cmd" value="_cart">
<input type="hidden" name="upload" value="1">
<input type="hidden" name="business" value="Yo****** *******@Whateve r.com">
<!-- Begin First Item -->
<input type="hidden" name="quantity_ 1" value="1">
<input type="hidden" name="item_name _1" value="The Meaning of Corn">
<input type="hidden" name="item_numb er_1" value="Test SKU A">
<input type="hidden" name="amount_1" value="12.34">
<input type="hidden" name="shipping_ 1" value="2.01">
<input type="hidden" name="shipping2 _1" value="0.01">
<input type="hidden" name="handling_ 1" value="0.01">
<input type="hidden" name="tax_1" value="0.01">
<input type="hidden" name="on0_1" value="Option Name1 A">
<input type="hidden" name="os0_1" value="Option Selection1 A">
<input type="hidden" name="on1_1" value="Option Name2 A">
<input type="hidden" name="os1_1" value="Option Selection2 A">
<!-- End First Item -->
<!-- Begin Second Item -->
<input type="hidden" name="quantity_ 2" value="2">
<input type="hidden" name="item_name _2" value="Cooking With Heat">
<input type="hidden" name="item_numb er_2" value="Test SKU B">
<input type="hidden" name="amount_2" value="1.99">
<input type="hidden" name="shipping_ 2" value="0.02">
<input type="hidden" name="shipping2 _2" value="0.02">
<input type="hidden" name="handling_ 2" value="0.02">
<input type="hidden" name="tax_2" value="0.02">
<input type="hidden" name="on0_2" value="Option Name1 B">
<input type="hidden" name="os0_2" value="Option Selection1 B">
<input type="hidden" name="on1_2" value="Option Name2 B">
<input type="hidden" name="os1_2" value="Option Selection2 B">
<!-- End Second Item -->
<!-- Begin Third Item -->
<input type="hidden" name="quantity_ 3" value="3">
<input type="hidden" name="item_name _3" value="Fill Your Life With
Croutons">
<input type="hidden" name="item_numb er_3" value="Test SKU C">
<input type="hidden" name="amount_3" value="3.03">
<input type="hidden" name="shipping_ 3" value="0.03">
<input type="hidden" name="shipping2 _3" value="0.03">
<input type="hidden" name="handling_ 3" value="0.03">
<input type="hidden" name="tax_3" value="0.03">
<input type="hidden" name="on0_3" value="Option Name1 C">
<input type="hidden" name="os0_3" value="Option Selection1 C">
<input type="hidden" name="on1_3" value="Option Name2 C">
<input type="hidden" name="os1_3" value="Option Selection2 C">
<!-- End Third Item -->
<input type="hidden" name="currency_ code" value="USD">
<!-- Invoice and Custom can be only one per order -->
<input type="text" name="invoice" value="INVOICE 1234567890"><BR ><BR>
<input type="checkbox" name="custom" value="CUSTOM_1 234567890"
checked>Custom Textis Here.<BR><BR>
<input type="hidden" name="handling_ cart" value="0.04">
<input type="image" src="../userImg/cartCheckout.gi f" border="0"
name="submit" alt="Make payments with PayPal - it's fast, free and secure!">
</form>

-HTH

"Mark Rae" <ma**@mark-N-O-S-P-A-M-rae.co.uk> wrote in message
news:%2******** ********@TK2MSF TNGP12.phx.gbl. ..
"Jeremy S." <A@B.com> wrote in message
news:uT******** ******@TK2MSFTN GP14.phx.gbl...
Furthermore - we, as developers, have two ways to use PayPal for payment
processing:
1. customer starts the process on our site - additems to a cart on our
site - then POST cart data to PayPal -- customer at this point is viewing
a PayPal page (customized with your logo) -- customer then is returned to
your site after completing the transaction. This option is free (no setup
or monthly fee; PayPal just keeps 2.x percent of the valueof the
transaction.


That's the option my client has chosen. It sounds from your earlier post
that it's pretty simple to achieve, though the PayPal help itself is less
than ideal...

Nov 19 '05 #6
"Jeremy S." <A@B.com> wrote in message
news:ul******** ******@TK2MSFTN GP12.phx.gbl...

Thanks for the recommendations , and the HTML - both most helpful.
Nov 19 '05 #7
>I am currently using the PayPal .NET SDK - but for POSTing a custom cart
(not for using their new web service API).
Yup, that's what I would be looking at initially. I might look at the
other later on though.
For the most part it is easy to use. <snip>

OK, thanks for the info. Maybe I'll download it and have a look.
Now, about your observation about the cleartext querystring issue. That is
not an issue of ComponentOne (although they just might suck as much as you
claim).
Their technical support is pretty useless, even when you have full
registered versions of commercial components. I suppose I shouldn't have
expected too much support for a free component, but I naively assumes
that a security issue might elicit some response - well, a sensible one
anyway!!
The querystring issue is more of an architectural decision you have
to make.

<snip>

So, the bottom line is that they have chosen to implement the component
in a very insecure way, that allows anyone to alter the transaction
amount, but they haven't warned any developers of the implications, nor
do they even admit the issue. All of which means that any developer with
even an ounce of sense wouldn't use it.

I haven't studied PayPal's docs (what there are of them), but I find it
hard to believe that their entire system is as poor as you describe.
There must be some way of doing this without such obvious security
issues. If there really aren't, then people shouldn't distribute free
components that encourage use of such a poor system.

Anyway, I'm certainly not going to use it. I will have to study the
PayPal samples and docs carefully before I'm convinced that it's worth
using.

Thanks for the comments. Ta ra

--
Alan Silver
(anything added below this line is nothing to do with me)
Nov 19 '05 #8

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

0
1613
by: scorpion | last post by:
This question is more XML Security (and specifically, on the Apache XML security implementation). When I sign or open signed XML document, I see the following warning: .... WARNING: Found an Element using an insecure Id/ID/id search method: claim:StreetAndNumber Apr 27, 2004 3:41:10 PM org.apache.xml.security.utils.IdResolver
11
3254
by: Hazz | last post by:
is there something as easy as just providing a link to an inexpensive credit card approval/payment component to integrate into an asp.net app. My question isn't about the linking process itself but rather about my wanting a very simple but robust credit card transaction component that I would not have to build myself. I already have a...
0
1113
by: sameer | last post by:
Hi, Steve i been trying to use this component paypay control which is really easy and excellent but this is what i think is the limitation and i just can not be done with. My checkout page (checkout.aspx) has customer mailing address, details of the shopping item, the total amount and an order no. I have this Component One button here on...
4
2427
by: Mark | last post by:
Hi all, I have an ASP.NET application which I use to call paypal. I pass in the success URL as http://www.somedomain.com/success.aspx I go right through the paypal process and I finally get the "Return to merchant" button on the PayPal screen. If I look at the source code of the Paypal page the form action looks like
0
965
by: sameer | last post by:
Hi all, i am usng the component one's free paypal button for my asp.net checkout website it is the BUYNOW button. This button is on the checkout page of my screen and i feed it the total amount, invoice no when the page loads. when the user clicks this BUYNOW button, it takes him to paypal and show him the amount and all the rest is fine....
3
1614
by: dennist685 | last post by:
How to add a component in vs2005 I'm stepping through an asp.net walkthrough at: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vsintro7/html/vxwlkwalkthroughcreatingwebapplicationusingvisualcorvisualbasic.asp The goal of the walkthrough is to "In this section, you create a Visual C# or Visual Basic Web Application project...
5
2728
by: Jason James | last post by:
Guys, it seems that several people have enquired about how to communicate with Paypal as securely as possible. It is obvious that placing the shopping cart details in the URL is about as insecure as could be. Therefore why not use a POST and hide them in hidden variables? Well I would if I could figure it out. The contents of the cart...
1
3548
by: Alex | last post by:
Hi, I'm still rather green with Visual Basic, but I'm about to start maintaining code written by another developer. As I open the Solution it gives the following warning: "The referenced component 'VBIDE' could not be found", and when listing the References in the References Folder it shows an error with VBIDE where the Path for this...
2
1501
by: Edward Stammer | last post by:
I need to know what I can do to add input items to a PayPal button. Client wants a checkbox to know whether customer wants personalized inscription used in purchased of an item. Also need a space to input that inscription if customer chooses the checkbox. PayPal is very picky about their buttons and nothing can be secure with additional...
0
7711
marktang
by: marktang | last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main...
0
7938
Oralloy
by: Oralloy | last post by:
Hello folks, I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>". The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed. This is as boiled down as I can make it. ...
1
7694
by: Hystou | last post by:
Overview: Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For...
0
7993
tracyyun
by: tracyyun | last post by:
Dear forum friends, With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the...
0
6317
agi2029
by: agi2029 | last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then...
0
5245
by: conductexam | last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one. At the time of converting from word file to html my equations which are in the word document file was convert...
0
3679
by: TSSRALBI | last post by:
Hello I'm a network technician in training and I need your help. I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs. The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols. I succeeded, with both firewalls in...
0
3667
by: adsilva | last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
1
1236
muto222
by: muto222 | last post by:
How can i add a mobile payment intergratation into php mysql website.

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.