views:

235

answers:

3

PayPal IPN sends a POST request with a variable number of fields to the notify URL. In order to confirm that the POST request is legit, we need to resubmit the same request along with an additional cmd=_notify-validate field to PayPal, which then replies VERIFIED or INVALID.

My question is, why do we need to resend the request to PayPal? Wouldn't something like this suffice?

if (preg_match('~^(?:.+[.])?paypal[.]com$~i', gethostbyaddr($_SERVER['REMOTE_ADDR'])) > 0)
{
    // request came from PayPal, it's legit.
}

Iff we can trust the server to correctly resolve IPs, I assume we can trust all requests from PayPal, no?

A: 

Here is a reason to reply to the POST, from the IPN Guide:

Your listener must respond to each message, whether or not you intend to do anything with it. If you do not respond, PayPal assumes that the message was not received and resends the message. PayPal continues to resend the message periodically until your listener sends the correct message back, although the interval between resent messages increases each time.

IMPORTANT: PayPal expects to receive a response to an IPN message within 30 seconds.

Alix Axel
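As an added example, not code from the question, the answer above or PayPal's own samples, this is the postback described in the question, built so that the 30-second rule quoted above is never at risk: the listener acknowledges with an empty 200 first, then resubmits the raw message with cmd=_notify-validate in front and treats only the exact strings VERIFIED and INVALID as a verdict. The HTTPS transport is assumed to be a callable named paypal_https_post defined elsewhere; the endpoint URL is the one PayPal's IPN guide lists (check it against the guide for your account). The sample message and the fake PayPal at the end are constructed here so the logic can be exercised offline.

```php
<?php
// Added example: IPN listener skeleton (not PayPal's sample code).
// Assumption: the endpoint below is the one documented in the IPN guide.
const PAYPAL_IPN_VERIFY_URL = 'https://ipnpb.paypal.com/cgi-bin/webscr';

/**
 * Build the postback body from the raw POST body PayPal sent. The raw body is
 * forwarded unchanged rather than re-encoded from $_POST, so field order and
 * percent-encoding are exactly what PayPal originally produced (assumption:
 * PayPal's own samples re-encode each field; both forms compare equal server-side).
 */
function build_postback_body(string $rawPost): string
{
    return 'cmd=_notify-validate&' . $rawPost;
}

/**
 * Returns 'VERIFIED', 'INVALID', or 'ERROR' (transport failure or a reply that
 * is neither word, e.g. an HTML error page). Only 'VERIFIED' may lead to crediting.
 * $transport is callable(string $url, string $body): string.
 */
function verify_ipn(string $rawPost, callable $transport, string $url = PAYPAL_IPN_VERIFY_URL): string
{
    try {
        $reply = trim($transport($url, build_postback_body($rawPost)));
    } catch (Throwable $e) {
        return 'ERROR';
    }
    return in_array($reply, ['VERIFIED', 'INVALID'], true) ? $reply : 'ERROR';
}

/**
 * Send the empty 200 response PayPal is waiting for before any slow work, so the
 * message is not re-sent. Under php-fpm the response is flushed while the script
 * keeps running; elsewhere we can only flush what has been sent so far.
 */
function acknowledge_ipn(): void
{
    http_response_code(200);
    header('Content-Length: 0');
    if (function_exists('fastcgi_finish_request')) {
        fastcgi_finish_request();
    } else {
        flush();
    }
}

// Entry point when this file is the notify URL (assumed transport: paypal_https_post).
if (PHP_SAPI !== 'cli'
    && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST'
    && function_exists('paypal_https_post')) {
    $raw = file_get_contents('php://input');
    acknowledge_ipn();
    $verdict = verify_ipn($raw, 'paypal_https_post');
    error_log("IPN verdict: $verdict");
    // Continue to field-level checks against the local order only when VERIFIED.
}

// Offline demonstration with a constructed message and a fake PayPal that, like
// the real one, answers VERIFIED only for the exact message it originally sent.
$original = 'txn_id=1XY98765ZW432109A&payment_status=Completed&mc_gross=49.99&mc_currency=USD';
$fakePaypal = function (string $url, string $body) use ($original): string {
    return $body === 'cmd=_notify-validate&' . $original ? 'VERIFIED' : 'INVALID';
};
$tampered = str_replace('49.99', '0.99', $original); // a price change in transit
verify_ipn($original, $fakePaypal);
verify_ipn($tampered, $fakePaypal);
```

Against the constructed fake, verify_ipn returns VERIFIED for the original body and INVALID for the tampered copy, which is the whole point of echoing the complete message back rather than just a transaction id.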
+2  A: 

PayPal is simply enforcing a higher standard of security for your own site/application's benefit.

IP spoofing can easily fool your example function, as relying on REMOTE_ADDRESS alone is quite prone to attack.

When you are working with financial transactions security is of great importance. If I can spoof an IPN request, I can trick your site/application into performing false transactions. By sending an additional request to a known and trusted location, we obtain a much higher standard of credential upon which to act. The entire original IPN request is sent in this confirmation so that PayPal may verify that all of the transaction details are in fact valid, thereby preventing a Man-in-the-Middle Attack whereby an attacker modifies details (say, changing a price or quantity) of an otherwise valid request as it is sent from PayPal to your server.

Dustin Fineout
I understand the PayPal position and I totally agree with the MITM vulnerability (although I have the impression that those kinds of attacks are much more difficult to pull off in reality than in theory). What I don't understand is how one can spoof the REMOTE_ADDR - care to give a (practical) example?
Alix Axel
Edited 'as' not 'also'; I meant that IP spoofing is a way to alter REMOTE_ADDRESS. You are right in that for most settings/targets, spoofing is probably out of the question (but not at wifi hot spots, college dorms, and other wide-open subnets with a shared uplink). Once you've actually positioned yourself as a neighbor, altering the packets is rather trivial.
Dustin Fineout
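The answer above says the postback lets PayPal vouch for every field, and that the reason is financial: a forged or altered notification must not turn into a credited order. A VERIFIED reply only proves the message is one PayPal sent; it says nothing about whether that payment matches your order, so the checks below (payment_status, receiver_email, amount and currency, txn_id replay) still have to follow it. This is an added example, not code from the answer or from PayPal; the order record, the set of already-credited txn_ids and the three IPN messages are constructed here.

```php
<?php
// Added example: checks that follow a VERIFIED postback (not PayPal's sample code).

/**
 * Convert a decimal amount string like '49.99' to integer minor units (4999).
 * Money is compared as integers, never as floats. Returns -1 for malformed input,
 * which can never equal a real order total.
 */
function to_minor_units(string $amount): int
{
    if (!preg_match('/^\d+(\.\d{1,2})?$/', $amount)) {
        return -1;
    }
    [$whole, $frac] = array_pad(explode('.', $amount, 2), 2, '0');
    return (int)$whole * 100 + (int)str_pad($frac, 2, '0');
}

/**
 * Return a list of problems with a VERIFIED IPN measured against the local order
 * it claims to pay for. An empty list means the order may be marked paid.
 * $seenTxnIds: txn_id => true for every IPN already credited.
 */
function ipn_problems(array $ipn, array $order, array $seenTxnIds, string $ourEmail): array
{
    $problems = [];
    if (($ipn['payment_status'] ?? '') !== 'Completed') {
        $problems[] = 'payment_status is not Completed';
    }
    // The money must have gone to our account, not an attacker's.
    if (strcasecmp($ipn['receiver_email'] ?? '', $ourEmail) !== 0) {
        $problems[] = 'receiver_email is not ours';
    }
    if (($ipn['mc_currency'] ?? '') !== $order['currency']) {
        $problems[] = 'currency mismatch';
    }
    if (to_minor_units($ipn['mc_gross'] ?? '') !== $order['amount_minor']) {
        $problems[] = 'mc_gross does not match order total';
    }
    // The same genuine message replayed must not credit the order twice.
    if (isset($seenTxnIds[$ipn['txn_id'] ?? ''])) {
        $problems[] = 'txn_id already processed';
    }
    return $problems;
}

// Constructed sample data.
$order    = ['id' => 'ORD-1001', 'currency' => 'USD', 'amount_minor' => 4999];
$seen     = ['9AB12345CD678901E' => true];
$ourEmail = 'sales@example.com';

$good = [
    'txn_id'         => '1XY98765ZW432109A',
    'payment_status' => 'Completed',
    'receiver_email' => 'sales@example.com',
    'mc_currency'    => 'USD',
    'mc_gross'       => '49.99',
];
$tampered = $good;
$tampered['mc_gross'] = '0.99';            // the price change a MITM would attempt
$replayed = $good;
$replayed['txn_id'] = '9AB12345CD678901E'; // a genuine message delivered twice

$results = [
    'good'     => ipn_problems($good, $order, $seen, $ourEmail),
    'tampered' => ipn_problems($tampered, $order, $seen, $ourEmail),
    'replayed' => ipn_problems($replayed, $order, $seen, $ourEmail),
];
```

With this data the good message yields no problems, the tampered one reports the mc_gross mismatch, and the replayed one reports the duplicate txn_id. In practice the tampered message would already have come back INVALID from the postback; the local comparison is what catches a genuine payment for the wrong amount, the wrong currency, or to the wrong account.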
+1  A: 

The whole thing falls apart if someone manages to alter the hosts file on the machine running your IPN listener:

  • bad person sends false payment notification

  • your compromised server sends duplicate to 'paypal.com', which is actually pointed to the bad person's machine

  • bad person replies VERIFIED, receives goods as if they had paid.

This isn't so much of a problem, as if a person has r/w access to your hosts file they could probably just put the payment record into your database by hand, or do many other bits of damage.

Just a thought.

lynks
Indeed, there isn't much to do if this happens...
Alix Axel
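Whether the hosts-file redirection described in the answer above actually yields a usable VERIFIED depends on how the postback connection is made. If the listener verifies the peer certificate and hostname, a box that merely answers to the name paypal.com cannot complete the TLS handshake, so the attacker would additionally need to subvert the server's CA trust store. The two transports below, added here and not taken from the answer or from PayPal's samples, show the weak configuration found in many old IPN snippets next to a hardened one; either could be passed as the transport callable to a verify function. The endpoint URL is assumed from PayPal's IPN guide.

```php
<?php
// Added example: HTTPS transport for the IPN postback, weak vs hardened.

// WEAK: certificate and hostname checks switched off. A hosts-file line such as
// "127.0.0.1 ipnpb.paypal.com" makes this connect to whatever listens locally
// and accept its 'VERIFIED'. Shown only for contrast; do not use.
function paypal_post_insecure(string $url, string $body): string
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => $body,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => false, // chain not checked
        CURLOPT_SSL_VERIFYHOST => 0,     // name on the certificate not checked
    ]);
    $out = curl_exec($ch);
    curl_close($ch);
    return (string)$out;
}

// HARDENED: chain and hostname verified against the system CA store, HTTPS only,
// redirects refused (a 30x to another host must never be followed), bounded time.
// If paypal.com is pointed at an impostor, curl_exec fails with a certificate
// error and the caller treats the postback as not verified.
function paypal_https_post(string $url, string $body): string
{
    if (strncmp($url, 'https://', 8) !== 0) {
        throw new InvalidArgumentException('IPN postback must use https');
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => $body,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_CONNECTTIMEOUT => 10,
        CURLOPT_TIMEOUT        => 30,
        CURLOPT_HTTPHEADER     => ['Connection: Close', 'User-Agent: PHP-IPN-Verifier'],
    ]);
    $out = curl_exec($ch);
    if ($out === false) {
        $err = curl_error($ch); // e.g. "SSL certificate problem" for an impostor
        curl_close($ch);
        throw new RuntimeException("IPN postback failed: $err");
    }
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    if ($status !== 200) {
        throw new RuntimeException("IPN postback returned HTTP $status");
    }
    return (string)$out;
}

// Usage (assumed endpoint; only runs when invoked deliberately, as it needs network):
// $reply = paypal_https_post('https://ipnpb.paypal.com/cgi-bin/webscr', 'cmd=_notify-validate&' . $rawPost);
```

The hardened transport throws instead of returning a string on any transport or TLS failure, so a verify function that catches the exception and reports an error, rather than INVALID, will not credit the order and will leave a log line that distinguishes "PayPal said no" from "we could not reach PayPal".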