Question

Notation used:

  Unsigned argument: argument
  Signed argument: (ARGUMENT)
  Attacker-accessible argument in red text
  Attacker-accessible APIs in black text
  Store arguments and code in blue text
  Cashier arguments and code in green text

  1. Read through the following URLs representing HTTP interactions between three parties. Suggest potential security flaws for each of the arguments, as if this were a black-box and the back end code is unknown.

The cart is the cart object stored by the Store. The IPN_Handler refers to the Instant Payment Notification API method used by the Store, where GoogleCheckout notifies the Store immediately after the user makes a payment.

  1. Store.com/updateCart?price&sessionID
  2. Store.com/checkout?price
  3. Google.com/pay?(SESSIONID)&(CART)&(IPN_HANDLER)
  4. Store.com/(IPN_HANDLER)?(SESSIONID)&(STATUS)
  5. Order has been completed

  2. Read through the following code and critique it. What was done securely? What are potential vulnerabilities? What is the logic flaw? Try to use the manual code review method described in slides 5-10 of the PowerPoint. Refer to Section III.B.3 in "How to Shop for Free Online" for details about this case.

  1. Store.com/updateCart?myPrice&mySessionID

     if (mySessionID < 0 || mySessionID > currentSessionID)
         return; // sessionID is invalid
     carts[mySessionID].price = myPrice;

  Attacker adds items to the cart. The cart object stored on the server side is updated.

  2. Store.com/checkout?myPrice

     createCart(myPrice)
         carts[currentSessionID].price = myPrice;
         currentSessionID++;
     sign(currentSessionID - 1);
     sign(carts[currentSessionID - 1]);
     sign(IPN_HANDLER);

  Attacker starts the checkout process. The Store signs the sessionID, cart, and IPN_HANDLER (API method for Instant Payment Notification) objects. The Attacker is redirected to Google Checkout for payment.

  3. Google.com/pay?(SESSIONID)&(CART)&(IPN_HANDLER)

     verifySignature((SESSIONID));
     verifySignature((CART));
     verifySignature((IPN_HANDLER));
     recordPayment((CART).price, (SESSIONID))
         payments[currentPaymentID].paymentAmount = (CART).price;
         payments[currentPaymentID].orderID = (SESSIONID);
         currentPaymentID++;
     status = OK;
     sign(status);
     IPN_Handler((SESSIONID), (STATUS))

  Google Checkout verifies the digital signature of the signed (SESSIONID), (CART), and (IPN_HANDLER) parameters. The payment amount is retrieved from the (CART) object. After payment is completed, Google Checkout notifies the Store immediately by calling the Store's IPN_Handler. The Attacker does not have access to this communication; it is directly between Google Checkout and the Store.

  4. Store.com/(IPN_HANDLER)?(SESSIONID)&(STATUS)

     if ((STATUS) == OK) {
         if ((SESSIONID) < 0 || (SESSIONID) > currentSessionID)
             return; // (SESSIONID) is invalid
         createOrder(carts[(SESSIONID)].price, PAID)
             orders[currentOrderID].orderID = currentOrderID;
             orders[currentOrderID].price = carts[(SESSIONID)].price;
             orders[currentOrderID].status = PAID;
         status = orders[currentOrderID].status;
         sign(status);
     }

  The Store verifies the payment status. If payment succeeded, an order object is created. The price is retrieved from the cart on the server side, the order is given an orderID, and it is marked as paid.

  5. Order has been completed

  There is no additional step in the checkout process after the Store is notified about successful payment. The Attacker may be given notification by the Store that the order was completed.
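The following is an added, constructed model of the five-step flow above, not code from the question, the course material, or the paper it cites. It assumes the Store and the Cashier share one HMAC key (standing in for sign()/verifySignature()), that the three parties call each other as plain Python objects, and that the session and payment IDs are small integers as in the pseudocode. It runs the flow twice: once with the Store behaving exactly as written (the IPN handler reads the order price from the server-side cart, which the attacker-accessible updateCart endpoint can still change after the cart has been signed and sent to the Cashier), and once with a mitigation of my own choosing, in which the Store snapshots the cart at checkout, refuses later updates to a checked-out session, and records the order from the snapshot. The returned pair (amount the Cashier charged, price the Store put on the PAID order) makes the mismatch visible.

```python
import hashlib
import hmac
import json

# Assumption: Store and Cashier share one MAC key; the question's sign() and
# verifySignature() are modelled as HMAC-SHA256 over canonical JSON.
SHARED_KEY = b"constructed-demo-key"


def sign(obj):
    """Return (canonical_bytes, tag) for a JSON-serialisable object."""
    data = json.dumps(obj, sort_keys=True).encode()
    return data, hmac.new(SHARED_KEY, data, hashlib.sha256).hexdigest()


def verify(signed):
    """Check the tag in constant time and return the decoded object."""
    data, tag = signed
    expected = hmac.new(SHARED_KEY, data, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad signature")
    return json.loads(data)


class Store:
    """Store.com. freeze=False follows the question's pseudocode; freeze=True
    adds the snapshot-at-checkout mitigation (an assumption of this example)."""

    def __init__(self, freeze):
        self.freeze = freeze
        self.carts = {}          # sessionID -> {"price": ...}, mutable via update_cart
        self.checked_out = {}    # sessionID -> cart snapshot taken at checkout
        self.orders = []
        self.current_session_id = 0
        self.refused_updates = 0

    # Store.com/updateCart?price&sessionID  (attacker-accessible)
    def update_cart(self, session_id, price):
        if session_id < 0 or session_id > self.current_session_id:
            return  # sessionID is invalid (same check as the pseudocode)
        if self.freeze and session_id in self.checked_out:
            self.refused_updates += 1  # hardened: cart already bound to a payment
            return
        self.carts[session_id] = {"price": price}

    # Store.com/checkout?price  (attacker-accessible)
    def checkout(self, price):
        sid = self.current_session_id
        self.carts[sid] = {"price": price}
        self.current_session_id += 1
        if self.freeze:
            self.checked_out[sid] = dict(self.carts[sid])  # what the Cashier will see
        return sign(sid), sign(self.carts[sid]), sign("ipn_handler")

    # Store.com/IPN_HANDLER?(SESSIONID)&(STATUS)  (called by the Cashier only)
    def ipn_handler(self, signed_sid, signed_status):
        sid = verify(signed_sid)
        if self.freeze:
            status = verify(signed_status)             # hardened: check the Cashier's tag
            price = self.checked_out[sid]["price"]     # price the Cashier was shown
        else:
            status = json.loads(signed_status[0])      # as written: value used, tag unchecked
            price = self.carts[sid]["price"]           # as written: live, mutable cart
        if status != "OK" or sid < 0 or sid > self.current_session_id:
            return None
        order = {"orderID": len(self.orders), "price": price, "status": "PAID"}
        self.orders.append(order)
        return order


class Cashier:
    """Google.com/pay?(SESSIONID)&(CART)&(IPN_HANDLER)."""

    def __init__(self):
        self.payments = []

    def pay(self, store, signed_sid, signed_cart, signed_handler):
        sid = verify(signed_sid)
        cart = verify(signed_cart)
        handler = verify(signed_handler)
        # recordPayment((CART).price, (SESSIONID)): charge the signed cart's price
        self.payments.append({"paymentAmount": cart["price"], "orderID": sid})
        return getattr(store, handler)(signed_sid, sign("OK"))


def run_flow(freeze, checkout_price, later_price):
    """Checkout, then one more updateCart on the same session before the IPN
    arrives. Returns (amount the Cashier charged, price on the Store's order)."""
    store, cashier = Store(freeze), Cashier()
    store.update_cart(0, checkout_price)                       # step 1
    signed_sid, signed_cart, signed_handler = store.checkout(checkout_price)  # step 2
    store.update_cart(verify(signed_sid), later_price)         # step 1 again, post-signing
    order = cashier.pay(store, signed_sid, signed_cart, signed_handler)       # steps 3-4
    return cashier.payments[-1]["paymentAmount"], order["price"]


if __name__ == "__main__":
    print("store as written:", run_flow(False, 1, 100))
    print("snapshot at checkout:", run_flow(True, 1, 100))
```

With the Store as written the two numbers diverge, because nothing ties the order the IPN handler creates to the cart the Cashier actually verified and charged; with the snapshot variant they agree, and the stray update after checkout is counted in refused_updates, which is the kind of event a store would want to log and alert on.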
