https://null.co.in/event_sessions/1127-exploiting-payment-gateway-integration

Exploiting payment gateway integration (35 Minutes)

Introduction (5 Min)

Recent Security Breaches (2 Min)
  a. Root cause

Various Approaches for Exploitation (10 Min)
  a. Price Manipulation
  b. Payment Gateway Response Manipulation
  c. Direct 'success API' attack; via referral injection
  d. Disabling Client Side (web browser level) Validations
  e. Attacking Refund APIs
  f. Header Manipulation (test server Redirect)
  g. Currency Manipulation

Limitations of Payment Gateway Industry/ Design Gaps (5 Min)
  a. Absence of CSRF tokens and S2S Validations
  b. Coupons and offers??

How to Secure? (3 Min)
  a. Don’t RUN from PCI-DSS compliance!!
  b. Secure S2S validations and Real-time Reconciliation

Demo (5 Min)

Questions (5 Min)

Published in: Technology
Slides

1. Introduction

2. Recent Security Breaches
   • Root cause
   • Input Validation
   • Poor Design
   • No reconciliation
   • Poor visibility
   • Exposed Test servers
   • Missing CSRF tokens
   • Missing Request and Response Checksum integrity

3. Various Approaches for Exploitation
   • Price Manipulation

4. Various Approaches for Exploitation
   • Payment Gateway Response Manipulation

5. Various Approaches for Exploitation
   • Direct 'success API' attack; via referral injection

6. Various Approaches for Exploitation
   • Attacking Refund API
   • Header Manipulation (test server Redirect)
   • DNS Cache Manipulation TEST

7. Various Approaches for Exploitation
   • Currency Manipulation

8. Limitations of Payment Gateway Industry/ Design Gaps
   • Absence of CSRF tokens and S2S Validations
   • Coupons and offers??

9. How to Secure?
   • Don’t RUN from PCI-DSS compliance!!
   • Secure S2S validations
   • Real-time Reconciliation

10. Questions !!!

11. Thank You