Ticket system in php vulnerabilities

I am building a ticket system for some website from which the user can book tickets for some event. My mechanism of booking goes like that:

  1. User clicks the buy now button.
  2. PayPal handles the payment.
  3. PayPal redirects the user, after successful checkout, to some "generate_ticket.php" page which generates the ticket number.
  4. The user gets redirected to the first page with the ticket number shown to them.

Here is the problem: any malicious user could know the url to which the successful checkout gets redirected, by observing the network tab in the developer tools, and send requests to this page "generate_ticket.php" and get free tickets.

Here is what I thought of to fix this problem:

  • check the $_SERVER['HTTP_REFERER'] variable for the referer URL and compare it with the URL from paypal. But the problem is, as mentioned in the manual:

The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.

This variable can be modified. So, it is not reliable, at least not alone.

  • When the user clicks the buy now button, I stop the form from submitting and generate a token in some "token.php" file, attach it to the form, using a PayPal feature of attaching custom variables to the url from the form, and also store it in some session, then submit the form. And when the "generate_ticket.php" page gets requested, it compares the token in the session with that from the URL. But again, any user can click the button, make the "token.php" file generate a token and attach it to the form. Then take that token, attach it to the url, and request a ticket using the first vulnerability.

So, does anybody have any solution to fix these vulnerabilities or prevent the user from requesting free tickets?

Paypal has a feature called IPN. Basically, you will not directly send tickets to the user once you get data on generate_ticket.php. Once a transaction is created you might insert a record in the db with Pending state and update it on the response of paypal. Here IPN comes into play: after the transaction gets completed, paypal will send a post request to the URL you provide as notify_url, where you will handle the script of sending the user his tickets.
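An added example of such a notify_url handler (not code from the question or the answer above): it echoes the message back to PayPal for validation, checks the amount, currency and receiver against the Pending order, and issues the ticket only once per txn_id. The orders table, the SHOP_EMAIL placeholder, the SQLite file and the issue_ticket() helper are assumptions.

```php
<?php
// ipn.php: the notify_url PayPal POSTs to once the transaction is complete.
// Assumed: table orders(id, status, amount, currency, txn_id), a helper
// issue_ticket($orderId) that creates the ticket number, and a placeholder
// seller address. Replace SHOP_EMAIL with your own PayPal receiver email.
const SHOP_EMAIL = 'seller@example.com';
$pdo = new PDO('sqlite:tickets.db'); // assumed storage; any PDO driver works

// 1. Hand the raw POST body back to PayPal unchanged. Only PayPal can confirm
//    it sent this message, so a request forged by a user fails right here.
$ch = curl_init('https://ipnpb.paypal.com/cgi-bin/webscr');
curl_setopt_array($ch, [
    CURLOPT_POST           => true,
    CURLOPT_POSTFIELDS     => 'cmd=_notify-validate&' . file_get_contents('php://input'),
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_SSL_VERIFYPEER => true,
]);
$verdict = curl_exec($ch);
curl_close($ch);
http_response_code(200); // acknowledge receipt either way so PayPal stops retrying
if ($verdict !== 'VERIFIED') { exit; }

// 2. Locate the Pending order; its id was passed in the button form's `custom` field.
$stmt = $pdo->prepare('SELECT * FROM orders WHERE id = ? AND status = ?');
$stmt->execute([$_POST['custom'] ?? '', 'Pending']);
$order = $stmt->fetch(PDO::FETCH_ASSOC);

// 3. A genuine message is not enough: check the facts PayPal asserts about it.
//    Otherwise a real 1-cent payment (or one sent to another account) buys a ticket.
$paid = number_format((float)($_POST['mc_gross'] ?? 0), 2, '.', '');
$due  = $order ? number_format((float)$order['amount'], 2, '.', '') : null;
$ok = $order
    && ($_POST['payment_status'] ?? '') === 'Completed'
    && strcasecmp($_POST['receiver_email'] ?? '', SHOP_EMAIL) === 0
    && ($_POST['mc_currency'] ?? '') === $order['currency']
    && $paid === $due;
if (!$ok) { exit; }

// 4. Mark the order Paid only if this txn_id was never used before, so a replayed
//    IPN cannot issue a second ticket (a UNIQUE index on txn_id enforces the same).
$upd = $pdo->prepare(
    'UPDATE orders SET status = ?, txn_id = ? WHERE id = ? AND status = ?
       AND NOT EXISTS (SELECT 1 FROM orders WHERE txn_id = ?)'
);
$upd->execute(['Paid', $_POST['txn_id'], $order['id'], 'Pending', $_POST['txn_id']]);
if ($upd->rowCount() === 1) {
    issue_ticket($order['id']); // assumed helper: generates and stores the ticket number
}
```

With this in place, generate_ticket.php (the return URL) only reads the order's status from the database and shows the ticket number once the row is Paid; requesting that page by hand creates nothing.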
