stackoom
  简体   繁体   中英

Is is a security issue that Paypal uses dynamic certificate to verify webhook notification?

 原文  2022-05-17 02:04:15       paypal

Question

Refer to the documentation of the Paypal API at https://developer.paypal.com/api/rest/webhooks/

It says that the certificate to verify the signature comes from a header PAYPAL-CERT-URL of the HTTP request, so wouldn't the attacker bypass the verification by giving a certificate of the attacker's own?

1 answers

solution1
 1  2022-05-17 02:09:02

Potentially. But the <webhookId> is not known by an attacker. This is only obtained when you create/register the webhook, or in the developer.paypal.com dashboard. It is not the event id.

So it shouldn't be necessary since that 17 digit id isn't something they can spoof to create a body that will pass checksum signature validation; but if you're still concerned about the PAYPAL-CERT-URL, you could restrict it to ones from domains *.paypal.com and *.paypalobjects.com

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question paypal webhook notification not received How to verify a Paypal webhook notification DIY style (without using Paypal SDK) How to verify PayPal Webhook signature? PHP verify Paypal webhook signature PayPal: Verify webhook notifications in PHP Paypal IPN: certificate verify failed How to verify Paypal webhook signature in PHP? Verify Paypal Restful Webhook Signature in Java PayPal Webhook Notification Billing Subscription PHP paypal webhook notification not received - sandbox mode
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM