Warning - ComponentOne's PayPal component is VERY insecure!!

[Alan Silver]

Hello,

I've just been looking at the free PayPal component from ComponentOne
and am somewhat amazed how insecure it is. They include all the
transaction details in plain text in the querystring, meaning that any
rank novice can click the Buy button on your site, then when the PayPal
page loads, change the amount for the transaction and press Enter. This
reloads the page with the new amount. This is so obvious that anyone
could do it.

The result is that someone can place an order on your site and change
the amount to 0.01, with the order still being placed. You are powerless
to stop this. What's even worse, is that it looks like they could enter
a negative amount and get a refund!!

If anyone is using this component, I recommend you check this issue
immediately as your site could be open to abuse.

I contacted C1's (lack of) technical support who were typically
unhelpful. They avoided the issue and gave obscure answers to questions
I hadn't asked. This is consistent with my previous experience of their
technical support.

On a related issue, is anyone using PayPal's ASP.NET SDK? I just had a
look at that too and wondered how easy it is to use.

 

[Jeremy S.]

I am currently using the PayPal .NET SDK - but for POSTing a custom cart
(not for using their new web service API).

For the most part it is easy to use. The documentation and component have
not been updated since about October '04 or something like that and if you
read their NG posts it appears that PayPal isn't supporting it all that
well. Having said that, I can report no problems, really. I installed the
sample application that demonstrates how to upload the contents of a custom
3rd party shopping cart. I used it as a model for my purposes and everything
seems cool so far. Just set a reference to it in your project and go from
there. Your ticket to sanity here is to just accept that you'll have to
really understand the sample application (which takes all of 15 minutes to
do - if that). The documentation/help file won't really help you if your're
implementing for ASP.NET. I don't think that PayPal really acknowledges that
ASP.NET even exists - at least from reading their printed (non help file)
documentation.

Now, about your observation about the cleartext querystring issue. That is
not an issue of ComponentOne (although they just might suck as much as you
claim). The querystring issue is more of an architectural decision you have
to make. PayPal's non helpfile documentation clearly states that there are
two methods for sending them data - encrypted or not encrypted - and they
clearly state the costs and benefits of each. PayPal's documentation referes
to everything as "buttons" rather than querystrings and such (presumably
because most people will generate static buttons at PayPal's site and
copy/paste the HTML into their own static Web pages). When you go to create
your payment buttons on PayPal's site, you can have it encrypt the
querystring data or not (presented as two 'types' of buttons you can
create). Additionally, when you go with the encrypted option, then that
somehow limits your options for receiving Instant Payment Notification data
back from paypal regarding the transaction (or something like that) - so you
have to decide what's more important to you.

Now, from my purusings of the PayPal NG, it appears that for those of us who
are implementing our own ("custom 3rd party") shopping cart, then if we also
want to encrypt the QueryString, then we'd have to pretty much roll our own
encryption that would have to of course exactly match what PayPal is
expecting (which is undocumented for those of us with the balls to do it).
Doing that would subsequently impose the same limitations on receiving IPN
data back from PayPal. So if you really want encryption and you are NOT
generating your "buttons" dynamically, then it appears that the easiest way
would be to use PayPal's "payment button generator" and copy-n-paste the
HTML into your .NET app.

Finally - if you don't have the current PayPal documentation for developers,
you might want to get it. The most recent was published (PDF format on their
site) in August 2005.

-HTH

 

[Mark Rae]

I am currently using the PayPal .NET SDK - but for POSTing a custom cart

Is that the one which allows people to purchase either with their own PayPal
account or by typing in their credit card details...?

I will very soon have a need to incorporate this into an existing website,
and am just waiting for my client to upgrade to a PayPal business account...

 

[Jeremy S.]

<< Is that the one which allows people to purchase either with their own
PayPal account or by typing in their credit card details >>

All of the PayPal options allow that now. PayPal has come a long way. They
no longer do these ridiculous things:
1. Require the use of a PayPal account (your customer can pay with any
credit card). They call it their PayPal Optional feature.
2. Dump your customer in the PayPal site after each transaction. You can now
specify a return URL to which your customers go after (1) completing a
successful transaction, or (2) after canceling a transaction.

Furthermore - we, as developers, have two ways to use PayPal for payment
processing:
1. customer starts the process on our site - additems to a cart on our
site - then POST cart data to PayPal -- customer at this point is viewing a
PayPal page (customized with your logo) -- customer then is returned to your
site after completing the transaction. This option is free (no setup or
monthly fee; PayPal just keeps 2.x percent of the valueof the transaction.
2. customer completes entire transaction on our site -- never sees any
PayPal pages, never goes to PayPal and comes back. Behind the scenes we have
to use PayPal's web service api to transfer data. This option is not free.
There is a $20/month charge for doing this.

-HTH

 

[Mark Rae]

Furthermore - we, as developers, have two ways to use PayPal for payment
processing:
1. customer starts the process on our site - additems to a cart on our
site - then POST cart data to PayPal -- customer at this point is viewing
a PayPal page (customized with your logo) -- customer then is returned to
your site after completing the transaction. This option is free (no setup
or monthly fee; PayPal just keeps 2.x percent of the valueof the
transaction.

That's the option my client has chosen. It sounds from your earlier post
that it's pretty simple to achieve, though the PayPal help itself is less
than ideal...

 

[Jeremy S.]

<< though the PayPal help itself is less than ideal >>
But I wouldn't go so far as to say it's "bad". There is just not as much
ASP.NET-specific guidance as I would have preferred. I'd suggest this
approach: Read through their developer guide (August 2005 version) to learn
their system in general, set up a PayPal Sandbox account, get a plain old
HTML form to POST so you can see how the guts of it all works (it's really
just a straight-forward form post with a bunch of hidden HTML input fields;
the html listed below works with your sandbox account - just swap out your
email address), then study up on the ASP.NET SDK sample app.

<form target="paypal" action="https://www.sandbox.paypal.com/cgi-bin/webscr"
method="post">
<input type="hidden" name="cmd" value="_cart">
<input type="hidden" name="upload" value="1">
<input type="hidden" name="business" value="(e-mail address removed)">
<!-- Begin First Item -->
<input type="hidden" name="quantity_1" value="1">
<input type="hidden" name="item_name_1" value="The Meaning of Corn">
<input type="hidden" name="item_number_1" value="Test SKU A">
<input type="hidden" name="amount_1" value="12.34">
<input type="hidden" name="shipping_1" value="2.01">
<input type="hidden" name="shipping2_1" value="0.01">
<input type="hidden" name="handling_1" value="0.01">
<input type="hidden" name="tax_1" value="0.01">
<input type="hidden" name="on0_1" value="Option Name1 A">
<input type="hidden" name="os0_1" value="Option Selection1 A">
<input type="hidden" name="on1_1" value="Option Name2 A">
<input type="hidden" name="os1_1" value="Option Selection2 A">
<!-- End First Item -->
<!-- Begin Second Item -->
<input type="hidden" name="quantity_2" value="2">
<input type="hidden" name="item_name_2" value="Cooking With Heat">
<input type="hidden" name="item_number_2" value="Test SKU B">
<input type="hidden" name="amount_2" value="1.99">
<input type="hidden" name="shipping_2" value="0.02">
<input type="hidden" name="shipping2_2" value="0.02">
<input type="hidden" name="handling_2" value="0.02">
<input type="hidden" name="tax_2" value="0.02">
<input type="hidden" name="on0_2" value="Option Name1 B">
<input type="hidden" name="os0_2" value="Option Selection1 B">
<input type="hidden" name="on1_2" value="Option Name2 B">
<input type="hidden" name="os1_2" value="Option Selection2 B">
<!-- End Second Item -->
<!-- Begin Third Item -->
<input type="hidden" name="quantity_3" value="3">
<input type="hidden" name="item_name_3" value="Fill Your Life With
Croutons">
<input type="hidden" name="item_number_3" value="Test SKU C">
<input type="hidden" name="amount_3" value="3.03">
<input type="hidden" name="shipping_3" value="0.03">
<input type="hidden" name="shipping2_3" value="0.03">
<input type="hidden" name="handling_3" value="0.03">
<input type="hidden" name="tax_3" value="0.03">
<input type="hidden" name="on0_3" value="Option Name1 C">
<input type="hidden" name="os0_3" value="Option Selection1 C">
<input type="hidden" name="on1_3" value="Option Name2 C">
<input type="hidden" name="os1_3" value="Option Selection2 C">
<!-- End Third Item -->
<input type="hidden" name="currency_code" value="USD">
<!-- Invoice and Custom can be only one per order -->
<input type="text" name="invoice" value="INVOICE 1234567890"><BR><BR>
<input type="checkbox" name="custom" value="CUSTOM_1234567890"
checked>Custom Textis Here.<BR><BR>
<input type="hidden" name="handling_cart" value="0.04">
<input type="image" src="../userImg/cartCheckout.gif" border="0"
name="submit" alt="Make payments with PayPal - it's fast, free and secure!">
</form>

-HTH

 

[Mark Rae]

Thanks for the recommendations, and the HTML - both most helpful.

 

[Alan Silver]

I am currently using the PayPal .NET SDK - but for POSTing a custom cart

(not for using their new web service API).

Yup, that's what I would be looking at initially. I might look at the
other later on though.

For the most part it is easy to use.

<snip>

OK, thanks for the info. Maybe I'll download it and have a look.

Now, about your observation about the cleartext querystring issue. That is
not an issue of ComponentOne (although they just might suck as much as you
claim).

Their technical support is pretty useless, even when you have full
registered versions of commercial components. I suppose I shouldn't have
expected too much support for a free component, but I naively assumes
that a security issue might elicit some response - well, a sensible one
anyway!!

The querystring issue is more of an architectural decision you have
to make.

<snip>

So, the bottom line is that they have chosen to implement the component
in a very insecure way, that allows anyone to alter the transaction
amount, but they haven't warned any developers of the implications, nor
do they even admit the issue. All of which means that any developer with
even an ounce of sense wouldn't use it.

I haven't studied PayPal's docs (what there are of them), but I find it
hard to believe that their entire system is as poor as you describe.
There must be some way of doing this without such obvious security
issues. If there really aren't, then people shouldn't distribute free
components that encourage use of such a poor system.

Anyway, I'm certainly not going to use it. I will have to study the
PayPal samples and docs carefully before I'm convinced that it's worth
using.

Thanks for the comments. Ta ra