将交易发布到 PayPal 和安全性
PayPal 有一种方法,我们可以通过表单将交易发布到 PayPal。
难道有人不能一次又一次地构建我们的表单并发布到 PayPal 吗?
我知道不会发生真正的伤害,因为他们必须在 PayPal 上输入 CC 信息才能继续,但他们可能会通过发布数百笔虚假交易来造成很多麻烦。
有什么办法可以防止这种情况的发生吗?
PayPal 是否有任何指示它只接受来自某些网站/页面的表单帖子?
PayPal has a method where we can post our transaction to PayPal via a form.
Isn't it possible for someone to construct our form and post to PayPal over and over again?
I know no real harm can happen as they would have to enter their CC information on PayPal to continue, but they could cause a lot of trouble by posting hundreds of fake transactions.
Is there any way to prevent this type of situation?
Does PayPal have anything that tells it to only accept form posts from certain sites/pages?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
如果您指的是他们的 NVP API,则 PayPal 的文档告诉您他们如何避免该问题(称为“重放攻击”,因为攻击者正在重放合法用户发送的相同数据)。发布应用程序必须发送用户名、密码和签名,开发人员不得向任何人透露这些信息,并且这些信息是作为 API 过程的一部分通过安全传输发送的。试图冒充开发者的攻击者不知道用户名、密码或签名,因此无法向 PayPal 提交虚假请求。
这并不能阻止攻击者滥用应用程序的输入(即应用程序用户看到的浏览器页面,这会导致应用程序发出 PayPal 请求),这取决于您:-)。
If you mean their NVP API, then PayPal's documentation tells you how they avoid that problem (known as a "replay attack", because an attacker is replaying the same data sent by the legitimate user). The posting application must send a username, password and signature, which the developers must not disclose to anyone and which is sent over secure transport as part of the API procedure. An attacker trying to pose as the developer does not know the username, password or signature and cannot submit false requests to PayPal.
That doesn't stop the attacker from misusing the input of the application (i.e. the browser page seen by application users, which causes the application to make PayPal requests), that bit being up to you :-).