Penetration Testing mailing list archives

Re: Are paypal buttons secure from e-lifting? Is this data secure?


From: Alexander Klimov <alserkli () inbox ru>
Date: Tue, 24 Jul 2007 17:45:57 +0300 (IDT)

Hi.

On Tue, 17 Jul 2007, Mifa wrote:
> I have set up a webpage that allows payments via paypal.  Is it
> secure?

This depends on what your threat model is.

> Below is the data submitted (as seen with tamper data)
[...]
> 1) Can this be decrypted?  This string is after all hard coded into the paypal button.
>     a) If so how?
> 2) What apps might decode and recode this data?

First you need to urldecode it, e.g., `%2F' is `/', `%3D' is `=', and
`+' is ` ' (space). After that it looks like base64-encoded data (you
can use, e.g., `openssl base64 -d' to decode it), and PKCS#7
(Cryptographic Message Syntax Standard) can also be decoded by
openssl.

-- 
Regards,
ASK
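
The decoding steps described in the reply above, as an added example that is not part of the original post: it urldecodes a form value, base64-decodes it, and reads the outer PKCS#7 ContentInfo to report which content type the blob declares. The PEM armor handling, the function names and the sample blob are assumptions; the sample is constructed, not real button data.

```python
import base64
import re
from urllib.parse import quote_plus, unquote_plus

# PKCS#7 content-type OIDs (RFC 2315), keyed by their DER-encoded value bytes.
PKCS7_TYPES = {
    bytes.fromhex("2a864886f70d010701"): "data",
    bytes.fromhex("2a864886f70d010702"): "signedData",
    bytes.fromhex("2a864886f70d010703"): "envelopedData",
    bytes.fromhex("2a864886f70d010706"): "encryptedData",
}

def read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def decode_field(form_value):
    """urldecode, drop PEM armor lines if present (assumption), base64-decode."""
    text = re.sub(r"-----[A-Z0-9 ]+-----", "", unquote_plus(form_value))
    return base64.b64decode("".join(text.split()), validate=True)

def pkcs7_type(der):
    """Return the content type named by the outer PKCS#7 ContentInfo."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, oid, _ = read_tlv(body, 0)
    if tag != 0x06:
        raise ValueError("ContentInfo does not start with an OID")
    return PKCS7_TYPES.get(oid, "unknown OID " + oid.hex())

# Constructed sample: a skeletal envelopedData ContentInfo, PEM-armored and
# form-encoded the way a browser would submit it ('/' -> %2F, '=' -> %3D).
SAMPLE_DER = bytes.fromhex("30140609" "2a864886f70d010703" "a0073005020100" "3100")
SAMPLE = quote_plus("-----BEGIN PKCS7-----\n"
                    + base64.b64encode(SAMPLE_DER).decode()
                    + "\n-----END PKCS7-----")

if __name__ == "__main__":
    print(SAMPLE, "->", pkcs7_type(decode_field(SAMPLE)))
```

The type OID and any recipient or signer metadata are readable by anyone who sees the form; the content of an envelopedData blob is only recoverable with the recipient's private key.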
