POSTing CC numbers?!

Status
Not open for further replies.
Enigmabomb

Enigmabomb

New member
Feb 26, 2007
2,035
66
0
Than Franthithco
I'm installing a shopping cart this guy had made in china. However, I'm noticing that the cart POSTS the number from page to page. WTF?! How cna that be secure? What's the proper way to do this? This is what's happening now:

/cartpage.php?cc=039480398409ccdate=0508


That shit cant be secure.... Unless maybe I use SSL?


Thanks in advance.

Josh
 


That looks like a GET (query params). If you're accepting credit cards you need to always use SSL with POSTs.
 
Sounds like bad design all around. I think you mean form GET, form POST would be better but I still wouldn't pass that data around to each page. Using a DB would be the best option and even then I don't think you want to be storing credit card details.

Making the payment step the last step would be the most logical order flow.
 
DavidR said:
Yeah, POST + SSL is secure.
Click to expand...

More secure. There is no truly secure. One more step would be base64_encode it while transmitting but that's like taking a sentence and writing it upside down on a piece of paper before passing it to a friend. It's no more secure if the person has an IQ over 20.

But it will confuse stupid people that get their hands on tools like ettercap, wireshark, etc.
 
Bofu2U said:
More secure. There is no truly secure. One more step would be base64_encode it while transmitting but that's like taking a sentence and writing it upside down on a piece of paper before passing it to a friend. It's no more secure if the person has an IQ over 20.

But it will confuse stupid people that get their hands on tools like ettercap, wireshark, etc.
Click to expand...

I'd love to meet the guy who can crack SSL! Maybe you know him. And yes, let's base64 encode it for good measure, because when someone intercepts it they can run base64 decode on the encrypted signal and get back the original cipher text!

On a more serious note:
I'm pretty sure you can't base64 encode SSL cipher text since the receiving end would need to accept base64 encoded SSL cipher text and that's not something that happens. SSL is strong enough without introducing random shit that the other end won't accept/decrypt.
 
DavidR said:
I'd love to meet the guy who can crack SSL! Maybe you know him. And yes, let's base64 encode it for good measure, because when someone intercepts it they can run base64 decode on the encrypted signal and get back the original cipher text!

On a more serious note:
I'm pretty sure you can't base64 encode SSL cipher text since the receiving end would need to accept base64 encoded SSL cipher text and that's not something that happens. SSL is strong enough without introducing random shit that the other end won't accept/decrypt.
Click to expand...


There are plenty of places that show you how to exploit a sniff'd SSL session. It's not hard if you're the interceptor between their PC and the server ...
 
Well, I rewrote the script with Posting and sessions. Now, I just throw some SSL on there, and it should be acceptable. Thanks for the nudge in the right direction guys.

josh
 
Status
Not open for further replies.
Top Bottom