tags:

views:

235

answers:

3
+4  Q: 

PayPal IPN Security

PayPal IPN sends a POST request with a variable number of fields to the notify URL, in order to confirm that the POST request is legit we need to resubmit the same request along with a additional cmd=_notify-validate field to PayPal, which then replies VERIFIED or INVALID.

My question is, why do we need to resend the request to PayPal? Wouldn't something like this suffice?

if (preg_match('~^(?:.+[.])?paypal[.]com$~i', gethostbyaddr($_SERVER['REMOTE_ADDR'])) > 0)
{
    // request came from PayPal, it's legit.
}

Iff we can trust the server to correctly resolve IPs, I assume we can trust all requests from PayPal, no?

A: 

Here is a reason to reply to the POST, from the IPN Guide:

Your listener must respond to each message, whether or not you intend to do anything with it. If you do not respond, PayPal assumes that the message was not received and resends the message. PayPal continues to resend the message periodically until your listener sends the correct message back, although the interval between resent messages increases each time.

IMPORTANT: PayPal expects to receive a response to an IPN message within 30 seconds.

Alix Axel  2010-05-18 11:50:22
+2  A: 

PayPal is simply enforcing a higher standard of security for your own site/application's benefit.

IP spoofing can easily fool your example function, as relying on REMOTE_ADDRESS alone is quite prone to attack.

When you are working with financial transactions security is of great importance. If I can spoof an IPN request, I can trick your site/application into performing false transactions. By sending an additional request to a known and trusted location, we obtain a much higher standard of credential upon which to act. The entire original IPN request is sent in this confirmation so that PayPal may verify that all of the transaction details are in fact valid, thereby preventing a Man-in-the-Middle Attack whereby an attacker modifies details (say, changing a price or quantity) of an otherwise valid request as it is sent from PayPal to your server.

Dustin Fineout  2010-05-18 16:11:10
I understand the PayPal position and I totally agree with the MITM vulnerability (although I've the impression that those kind of attacks are much more difficult to pull of in reality than in theory). What I don't understand is how one can spoof the REMOTE_ADDR - care to give a (practical) example?
Alix Axel  2010-05-18 16:20:07
Edited 'as' not 'also', I meant that IP spoofing is a way to alter REMOTE_ADDRESS. You are right in that for most settings/targets, spoofing is probably out of the question (but not at wifi hot spots, college dorms, and other wide open subnets with a shared uplink). Once you've actually positioned yourself as a neighbor, altering the packets is rather trivial.
Dustin Fineout  2010-05-18 19:19:16
+1  A: 

the whole thing falls apart if someone manages to alter the hosts file on the machine running your ipn listener;

  • bad person sends false payment notification

  • your compromised server sends duplicate to 'paypal.com' which is actually pointed to bad persons' machine

  • bad person replies VERIFIED, receives goods as if they had paid.

this isn't so much of a problem as if a person has r/w access to your hosts file they could probably just put the payment record into your database by hand, or do many other bits of damage.

just a thought.

lynks  2010-09-28 19:47:20
Indeed, there isn't much to do if this happens...
Alix Axel  2010-09-28 22:15:07

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases