
Warning - ComponentOne's PayPal component is VERY insecure!!

Hello,

I've just been looking at the free PayPal component from ComponentOne
and am somewhat amazed how insecure it is. They include all the
transaction details in plain text in the querystring, meaning that any
rank novice can click the Buy button on your site, then when the PayPal
page loads, change the amount for the transaction and press Enter. This
reloads the page with the new amount. This is so obvious that anyone
could do it.

The result is that someone can place an order on your site and change
the amount to 0.01, with the order still being placed. You are powerless
to stop this. What's even worse, is that it looks like they could enter
a negative amount and get a refund!!

If anyone is using this component, I recommend you check this issue
immediately as your site could be open to abuse.

I contacted C1's (lack of) technical support who were typically
unhelpful. They avoided the issue and gave obscure answers to questions
I hadn't asked. This is consistent with my previous experience of their
technical support.

On a related issue, is anyone using PayPal's ASP.NET SDK? I just had a
look at that too and wondered how easy it is to use.

--
Alan Silver
(anything added below this line is nothing to do with me)
Nov 19 '05 #1
I am currently using the PayPal .NET SDK - but for POSTing a custom cart
(not for using their new web service API).

For the most part it is easy to use. The documentation and component have
not been updated since about October '04 or something like that and if you
read their NG posts it appears that PayPal isn't supporting it all that
well. Having said that, I can report no problems, really. I installed the
sample application that demonstrates how to upload the contents of a custom
3rd party shopping cart. I used it as a model for my purposes and everything
seems cool so far. Just set a reference to it in your project and go from
there. Your ticket to sanity here is to just accept that you'll have to
really understand the sample application (which takes all of 15 minutes to
do - if that). The documentation/help file won't really help you if you're
implementing for ASP.NET. I don't think that PayPal really acknowledges that
ASP.NET even exists - at least from reading their printed (non help file)
documentation.

Now, about your observation about the cleartext querystring issue. That is
not an issue of ComponentOne (although they just might suck as much as you
claim). The querystring issue is more of an architectural decision you have
to make. PayPal's non helpfile documentation clearly states that there are
two methods for sending them data - encrypted or not encrypted - and they
clearly state the costs and benefits of each. PayPal's documentation refers
to everything as "buttons" rather than querystrings and such (presumably
because most people will generate static buttons at PayPal's site and
copy/paste the HTML into their own static Web pages). When you go to create
your payment buttons on PayPal's site, you can have it encrypt the
querystring data or not (presented as two 'types' of buttons you can
create). Additionally, when you go with the encrypted option, then that
somehow limits your options for receiving Instant Payment Notification data
back from paypal regarding the transaction (or something like that) - so you
have to decide what's more important to you.

Now, from my perusings of the PayPal NG, it appears that for those of us who
are implementing our own ("custom 3rd party") shopping cart, then if we also
want to encrypt the QueryString, then we'd have to pretty much roll our own
encryption that would have to of course exactly match what PayPal is
expecting (which is undocumented for those of us with the balls to do it).
Doing that would subsequently impose the same limitations on receiving IPN
data back from PayPal. So if you really want encryption and you are NOT
generating your "buttons" dynamically, then it appears that the easiest way
would be to use PayPal's "payment button generator" and copy-n-paste the
HTML into your .NET app.

Finally - if you don't have the current PayPal documentation for developers,
you might want to get it. The most recent was published (PDF format on their
site) in August 2005.

-HTH
Nov 19 '05 #2
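The tampering in the first post (the buyer edits the amount on the way to PayPal) and the IPN trade-off Jeremy describes point at the same server-side fix: the site must never trust the amount that left through the browser, and must compare what PayPal reports back against its own order record. The Python below is an added example written for this page, not code from the thread, from ComponentOne or from PayPal's SDK. The merchant address, the order store, the IPN bodies and the stand-in for PayPal's postback endpoint are constructed assumptions; the field names (payment_status, receiver_email, invoice, mc_gross, mc_currency, txn_id) and the cmd=_notify-validate echo that answers VERIFIED or INVALID are PayPal's documented IPN interface.

```python
"""Server-side verification of a PayPal Website Payments Standard payment.

Added example, not code from the thread, from ComponentOne or from PayPal's
SDK.  The merchant address, the order store, the IPN bodies and the stand-in
for PayPal's postback endpoint are constructed for illustration.
"""
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qsl

RECEIVER_EMAIL = "merchant@example.com"   # assumed: the 'business' address on the button


def new_order_store() -> dict:
    """Constructed order record, written when the cart was built and before
    the browser was sent to PayPal: invoice id -> what we expect to be paid."""
    return {"INV-1001": {"total": Decimal("14.36"), "currency": "USD", "txn_id": None}}


ORDERS = new_order_store()

# Stand-in for the real postback.  Real code POSTs "cmd=_notify-validate&"
# followed by the untouched IPN body to the same webscr endpoint the form
# was submitted to (sandbox or live) and reads a body of VERIFIED or INVALID.
GENUINE_BODIES: set = set()


def fake_postback(raw_body: str) -> str:
    return "VERIFIED" if raw_body in GENUINE_BODIES else "INVALID"


def parse_ipn(raw_body: str) -> dict:
    """Decode the form-encoded body PayPal POSTs to notify_url."""
    return dict(parse_qsl(raw_body, keep_blank_values=True))


def verify_ipn(raw_body, orders=ORDERS, postback=fake_postback,
               receiver_email=RECEIVER_EMAIL):
    """Return (accepted, reason).  Accept only when PayPal confirms the
    message, the money went to us, and the amount PayPal actually took
    matches our own order record, never the amount on the button."""
    # 1. Authenticity: anyone can POST to notify_url, so echo the body back
    #    to PayPal before believing a byte of it.
    if postback(raw_body) != "VERIFIED":
        return False, "postback did not return VERIFIED"
    f = parse_ipn(raw_body)

    # 2. Pending, Refunded and Reversed notifications arrive at the same URL;
    #    only Completed means money is in the account.
    if f.get("payment_status") != "Completed":
        return False, f"payment_status is {f.get('payment_status')!r}"

    # 3. The payment must be to our account, not to some account the buyer
    #    substituted into the 'business' field.
    if f.get("receiver_email", "").lower() != receiver_email.lower():
        return False, "receiver_email is not ours"

    # 4. Tie the notification to an order we created ourselves.
    order = orders.get(f.get("invoice", ""))
    if order is None:
        return False, "unknown invoice"

    # 5. This is where the edited amount from the first post is caught: the
    #    IPN for a 0.01 payment is genuine and VERIFIED, so the only useful
    #    comparison is against the total we stored ourselves.
    try:
        paid = Decimal(f.get("mc_gross", ""))
    except InvalidOperation:
        return False, "mc_gross is not a number"
    if f.get("mc_currency") != order["currency"] or paid != order["total"]:
        return False, (f"paid {paid} {f.get('mc_currency')}, "
                       f"expected {order['total']} {order['currency']}")

    # 6. One txn_id per order: a replayed notification must not ship twice.
    txn_id = f.get("txn_id", "")
    if not txn_id or order["txn_id"] is not None:
        return False, "missing or already-used txn_id"
    order["txn_id"] = txn_id
    return True, "ok"


# Constructed IPN bodies (a real one carries many more fields).
GOOD = ("payment_status=Completed&receiver_email=merchant%40example.com"
        "&invoice=INV-1001&mc_currency=USD&mc_gross=14.36&txn_id=TXN0001")
TAMPERED = GOOD.replace("mc_gross=14.36", "mc_gross=0.01").replace("TXN0001", "TXN0002")
PENDING = GOOD.replace("Completed", "Pending").replace("TXN0001", "TXN0003")
SPOOFED = GOOD.replace("TXN0001", "TXN0004")          # never sent by PayPal
GENUINE_BODIES.update({GOOD, TAMPERED, PENDING})      # PayPal really sent these

if __name__ == "__main__":
    for name, body in [("tampered", TAMPERED), ("pending", PENDING),
                       ("spoofed", SPOOFED), ("good", GOOD), ("replay", GOOD)]:
        print(f"{name:8s} {verify_ipn(body)}")
```

The tampered case is the one to notice: the notification is genuine and PayPal returns VERIFIED, because a real payment of 0.01 did take place. Only the comparison with the stored order total rejects it, which is why the amount on the button, encrypted or not, is never the thing to check. To receive notifications at all the cart form needs a hidden notify_url field pointing at this handler, and the handler should answer 200 promptly and do this comparison before anything is shipped.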
"Jeremy S." <A@B.com> wrote in message
news:es**************@TK2MSFTNGP14.phx.gbl...
> I am currently using the PayPal .NET SDK - but for POSTing a custom cart

Is that the one which allows people to purchase either with their own PayPal
account or by typing in their credit card details...?

I will very soon have a need to incorporate this into an existing website,
and am just waiting for my client to upgrade to a PayPal business account...
Nov 19 '05 #3
<< Is that the one which allows people to purchase either with their own
PayPal account or by typing in their credit card details >>

All of the PayPal options allow that now. PayPal has come a long way. They
no longer do these ridiculous things:
1. Require the use of a PayPal account (your customer can pay with any
credit card). They call it their PayPal Optional feature.
2. Dump your customer in the PayPal site after each transaction. You can now
specify a return URL to which your customers go after (1) completing a
successful transaction, or (2) after canceling a transaction.

Furthermore - we, as developers, have two ways to use PayPal for payment
processing:
1. customer starts the process on our site - add items to a cart on our
site - then POST cart data to PayPal -- customer at this point is viewing a
PayPal page (customized with your logo) -- customer then is returned to your
site after completing the transaction. This option is free (no setup or
monthly fee; PayPal just keeps 2.x percent of the value of the transaction).
2. customer completes entire transaction on our site -- never sees any
PayPal pages, never goes to PayPal and comes back. Behind the scenes we have
to use PayPal's web service api to transfer data. This option is not free.
There is a $20/month charge for doing this.

-HTH

Nov 19 '05 #4
"Jeremy S." <A@B.com> wrote in message
news:uT**************@TK2MSFTNGP14.phx.gbl...
> Furthermore - we, as developers, have two ways to use PayPal for payment
> processing:
> 1. customer starts the process on our site - add items to a cart on our
> site - then POST cart data to PayPal -- customer at this point is viewing
> a PayPal page (customized with your logo) -- customer then is returned to
> your site after completing the transaction. This option is free (no setup
> or monthly fee; PayPal just keeps 2.x percent of the value of the
> transaction).

That's the option my client has chosen. It sounds from your earlier post
that it's pretty simple to achieve, though the PayPal help itself is less
than ideal...
Nov 19 '05 #5
<< though the PayPal help itself is less than ideal >>
But I wouldn't go so far as to say it's "bad". There is just not as much
ASP.NET-specific guidance as I would have preferred. I'd suggest this
approach: Read through their developer guide (August 2005 version) to learn
their system in general, set up a PayPal Sandbox account, get a plain old
HTML form to POST so you can see how the guts of it all works (it's really
just a straight-forward form post with a bunch of hidden HTML input fields;
the html listed below works with your sandbox account - just swap out your
email address), then study up on the ASP.NET SDK sample app.

<form target="paypal" action="https://www.sandbox.paypal.com/cgi-bin/webscr"
method="post">
<input type="hidden" name="cmd" value="_cart">
<input type="hidden" name="upload" value="1">
<input type="hidden" name="business" value="Yo*************@Whatever.com">
<!-- Begin First Item -->
<input type="hidden" name="quantity_1" value="1">
<input type="hidden" name="item_name_1" value="The Meaning of Corn">
<input type="hidden" name="item_number_1" value="Test SKU A">
<input type="hidden" name="amount_1" value="12.34">
<input type="hidden" name="shipping_1" value="2.01">
<input type="hidden" name="shipping2_1" value="0.01">
<input type="hidden" name="handling_1" value="0.01">
<input type="hidden" name="tax_1" value="0.01">
<input type="hidden" name="on0_1" value="Option Name1 A">
<input type="hidden" name="os0_1" value="Option Selection1 A">
<input type="hidden" name="on1_1" value="Option Name2 A">
<input type="hidden" name="os1_1" value="Option Selection2 A">
<!-- End First Item -->
<!-- Begin Second Item -->
<input type="hidden" name="quantity_2" value="2">
<input type="hidden" name="item_name_2" value="Cooking With Heat">
<input type="hidden" name="item_number_2" value="Test SKU B">
<input type="hidden" name="amount_2" value="1.99">
<input type="hidden" name="shipping_2" value="0.02">
<input type="hidden" name="shipping2_2" value="0.02">
<input type="hidden" name="handling_2" value="0.02">
<input type="hidden" name="tax_2" value="0.02">
<input type="hidden" name="on0_2" value="Option Name1 B">
<input type="hidden" name="os0_2" value="Option Selection1 B">
<input type="hidden" name="on1_2" value="Option Name2 B">
<input type="hidden" name="os1_2" value="Option Selection2 B">
<!-- End Second Item -->
<!-- Begin Third Item -->
<input type="hidden" name="quantity_3" value="3">
<input type="hidden" name="item_name_3" value="Fill Your Life With Croutons">
<input type="hidden" name="item_number_3" value="Test SKU C">
<input type="hidden" name="amount_3" value="3.03">
<input type="hidden" name="shipping_3" value="0.03">
<input type="hidden" name="shipping2_3" value="0.03">
<input type="hidden" name="handling_3" value="0.03">
<input type="hidden" name="tax_3" value="0.03">
<input type="hidden" name="on0_3" value="Option Name1 C">
<input type="hidden" name="os0_3" value="Option Selection1 C">
<input type="hidden" name="on1_3" value="Option Name2 C">
<input type="hidden" name="os1_3" value="Option Selection2 C">
<!-- End Third Item -->
<input type="hidden" name="currency_code" value="USD">
<!-- Invoice and Custom can be only one per order -->
<input type="text" name="invoice" value="INVOICE 1234567890"><BR><BR>
<input type="checkbox" name="custom" value="CUSTOM_1234567890"
checked>Custom Text is Here.<BR><BR>
<input type="hidden" name="handling_cart" value="0.04">
<input type="image" src="../userImg/cartCheckout.gif" border="0"
name="submit" alt="Make payments with PayPal - it's fast, free and secure!">
</form>

-HTH

Nov 19 '05 #6
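Since the hidden fields above are plain name/value pairs, a custom cart can generate them on the server from its own price list instead of pasting static buttons, which is the other half of keeping the buyer's browser out of the pricing: the amounts come from the server's record, the invoice field carries the server's order id so the payment can be matched later, and the stored total is what an IPN handler compares mc_gross against. The Python below is an added example for this page, not code from the thread or from PayPal's SDK. It uses the sandbox URL and the field names from the form above; the merchant address, the callback URLs, the cart contents and the totalling rule are constructed assumptions.

```python
"""Generate the cart-upload form from a server-side cart record.

Added example, not code from the thread, from ComponentOne or from PayPal's
SDK.  The cart contents, merchant address and callback URLs are constructed
for illustration; the endpoint is the sandbox URL used in the form above.
"""
from decimal import Decimal, ROUND_HALF_UP
from html import escape

PAYPAL_URL = "https://www.sandbox.paypal.com/cgi-bin/webscr"
MERCHANT_EMAIL = "merchant@example.com"          # assumed 'business' address
NOTIFY_URL = "https://shop.example.com/ipn"       # assumed IPN handler
RETURN_URL = "https://shop.example.com/thanks"    # assumed return page
CANCEL_URL = "https://shop.example.com/cart"      # assumed cancel page

# Constructed cart.  Prices live here, on the server, never in the request.
SAMPLE_ITEMS = [
    {"sku": "Test SKU A", "name": "The Meaning of Corn", "qty": 1,
     "price": Decimal("12.34"), "shipping": Decimal("2.01"), "shipping2": Decimal("0.01"),
     "handling": Decimal("0.01"), "tax": Decimal("0.01")},
    {"sku": "Test SKU B", "name": 'Cooking "With" Heat <script>alert(1)</script>', "qty": 2,
     "price": Decimal("1.99"), "shipping": Decimal("0.02"), "shipping2": Decimal("0.02"),
     "handling": Decimal("0.02"), "tax": Decimal("0.02")},
]
SAMPLE_HANDLING_CART = Decimal("0.04")


def money(value) -> str:
    """Two-decimal, half-up string: PayPal amount fields are not free text."""
    return str(Decimal(value).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP))


def cart_total(items, handling_cart=Decimal("0")) -> Decimal:
    """What we expect PayPal to collect; record it with the order so the IPN
    handler can compare mc_gross against it.  Assumed rule for this example:
    unit price x quantity, shipping on the first unit, shipping2 on each
    further unit, handling and tax once per line, handling_cart once per
    order.  Check the totalling rules in the PayPal guide for your account
    before relying on this."""
    total = Decimal(handling_cart)
    for it in items:
        total += (it["price"] * it["qty"] + it["shipping"]
                  + it["shipping2"] * (it["qty"] - 1) + it["handling"] + it["tax"])
    return Decimal(money(total))


def build_cart_fields(invoice: str, items, handling_cart=Decimal("0")) -> list:
    """Hidden-field name/value pairs for a cmd=_cart upload, in PayPal's
    numbering (item fields are suffixed _1, _2, ...)."""
    fields = [
        ("cmd", "_cart"), ("upload", "1"), ("business", MERCHANT_EMAIL),
        ("currency_code", "USD"), ("invoice", invoice),
        ("notify_url", NOTIFY_URL), ("return", RETURN_URL), ("cancel_return", CANCEL_URL),
    ]
    for n, it in enumerate(items, start=1):
        fields += [
            (f"quantity_{n}", str(it["qty"])), (f"item_name_{n}", it["name"]),
            (f"item_number_{n}", it["sku"]), (f"amount_{n}", money(it["price"])),
            (f"shipping_{n}", money(it["shipping"])), (f"shipping2_{n}", money(it["shipping2"])),
            (f"handling_{n}", money(it["handling"])), (f"tax_{n}", money(it["tax"])),
        ]
    fields.append(("handling_cart", money(handling_cart)))
    return fields


def render_form(fields) -> str:
    """Emit the form.  Every value is HTML-escaped: item names often come from
    a catalogue that someone else edits, and an unescaped quote would let
    them close the attribute and inject markup into the checkout page."""
    rows = [f'<input type="hidden" name="{escape(k, quote=True)}" value="{escape(v, quote=True)}">'
            for k, v in fields]
    return (f'<form action="{escape(PAYPAL_URL, quote=True)}" method="post">\n'
            + "\n".join(rows)
            + '\n<input type="submit" value="Check out with PayPal">\n</form>')


def sample_form(invoice="INV-1001"):
    """Fields (as a dict) and rendered HTML for the constructed cart."""
    fields = build_cart_fields(invoice, SAMPLE_ITEMS, SAMPLE_HANDLING_CART)
    return dict(fields), render_form(fields)


if __name__ == "__main__":
    print("order total to store:", money(cart_total(SAMPLE_ITEMS, SAMPLE_HANDLING_CART)))
    print(sample_form()[1])
```

Generating the form this way does not stop a buyer editing the POST body on its way to PayPal; it only guarantees that what the site sent was correct and that the site holds the figure to check against when PayPal reports what was actually paid. The `return` and `cancel_return` fields are the return URLs Jeremy mentions earlier in the thread.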
"Jeremy S." <A@B.com> wrote in message
news:ul**************@TK2MSFTNGP12.phx.gbl...

Thanks for the recommendations, and the HTML - both most helpful.
Nov 19 '05 #7
> I am currently using the PayPal .NET SDK - but for POSTing a custom cart
> (not for using their new web service API).

Yup, that's what I would be looking at initially. I might look at the
other later on though.

> For the most part it is easy to use. <snip>

OK, thanks for the info. Maybe I'll download it and have a look.

> Now, about your observation about the cleartext querystring issue. That is
> not an issue of ComponentOne (although they just might suck as much as you
> claim).

Their technical support is pretty useless, even when you have full
registered versions of commercial components. I suppose I shouldn't have
expected too much support for a free component, but I naively assumed
that a security issue might elicit some response - well, a sensible one
anyway!!

> The querystring issue is more of an architectural decision you have
> to make.
>
> <snip>

So, the bottom line is that they have chosen to implement the component
in a very insecure way, that allows anyone to alter the transaction
amount, but they haven't warned any developers of the implications, nor
do they even admit the issue. All of which means that any developer with
even an ounce of sense wouldn't use it.

I haven't studied PayPal's docs (what there are of them), but I find it
hard to believe that their entire system is as poor as you describe.
There must be some way of doing this without such obvious security
issues. If there really aren't, then people shouldn't distribute free
components that encourage use of such a poor system.

Anyway, I'm certainly not going to use it. I will have to study the
PayPal samples and docs carefully before I'm convinced that it's worth
using.

Thanks for the comments. Ta ra

--
Alan Silver
(anything added below this line is nothing to do with me)
Nov 19 '05 #8
