Roman Alex

Extreme Faster Verified Trusted Prime Seller
Staff member
Verified Trusted Seller
Apr 1, 2019
3,111
1,019
113
Russia
www.russiancarders.se
#1
How information is secured by Payment Gateway
The transaction carried out on a website is done through an HTTPS web address, which is different from HTTP. The ‘S’ stands for “secure”, which means the transaction passes through a secure tunnel.
Due to the hash function, the system typically uses a merchant-signed request for validating transaction requests. The signed request is usually a secret word known only by the payment gateway and the merchant. The requesting server’s IP is also verified to identify malicious activity to keep the payment page result secure.
It turns out acquirers, issuers, and payment gateways are migrating to Virtual Payer Authentication (VPA) for additional security. When implemented under a 3-D secure protocol, VPA brings a security layer, making buyers’ and sellers’ online authentication easier.
Information flow is just the mechanism helping transactions on various websites. And when you understand how website transactions work, you’ll easily bypass credit card payments and shop more for free.
In this section, we discuss ways you can bypass credit card payment on a website:
1. Modify HTML hidden element
This method is simpler and used on poorly-secured websites—you just have to manipulate the product amount to buy on the credit card payment page.
For this method, check if the item cost is available in the hidden element of the HTML form page of the website.
When you select the item to buy, the price is added to the total item amount, taken from the hidden field, and filled into the form. Finally, the total is presented to the buyer. You should have something like:

<input type=”hidden” name=”business” value=[email protected]>

<input type=”hidden” name=”cmd” value=”_xclick”>

<input type=”hidden” name=”item_name” value=”Classmate_Notebook”>

<input type=”hidden” name=”amount” value=”550”>

<input type=”hidden” name=”currency_code” value=”INR”>
To bypass credit card payment on this payment page setup, you just change the product price in the hidden form field containing the price.
When you modify the price, the actual price never reflects in the cart, so you buy whatever you want without paying with your credit card.
2. Payment interception with Burp Suite
With Burp Suite software, you can manipulate the item amount you want to buy online with your credit card by changing the price to 0 or whatever you can afford.
For this method, the price of the item is usually not in the hidden field in the form, so you can’t just modify the HTML and add the item to the cart.
To bypass a credit card payment on a website with Burp Suite, you manually turn on the intercept and manipulate the cost in the intercepted packet once you’re on the payment gateway.
Read also: Some real credits with cash
After you edit the item price via the interceptor, forward the packet to bypass the credit card payment on that page.
3. Modify hash to bypass credit card
Many websites have strong security in place to check the vulnerabilities mentioned in the previous section, which you can easily get around with a credit card. More secure websites use a system like hash to protect the payment page.
Hashes are a method that checks the messages’ integrity sent from the payment page of the e-commerce website to the payment gateway, including the product price for payment. The transaction will only be approved if the hashes being sent before and after match.
a. Figure out the hash parameters and technique
A lot of security vendors consider hash as being secure. However, with deeper digging on a specific e-commerce website, you may be able to figure out the system and break in.
Just dig about the formulation of hash. You can start by looking up the publications made by the website developer regarding how their hash formulation, as well as other important details, to help you bypass the credit card page. It may take a bit of time to find the documentation containing the parameters used, as well as the hashing technique employed in the system.
b. Find the password
When you figure out the parameters, typically present in the packet you intercept, you’re some steps in. One of the parameters is the password used, known only to the admin.
To find the password, you can use brute force or use a dictionary attack after putting together the parameters.
c. Break in
With the password, you can then create your hash with a modified item price to buy from the cart without paying. You’d have to be quick about it before the admin changes the password.
Read also: Card demagnetized? Quick solution!
Getting the password can be tough. In some cases, the developer may merely copy the same password as in the documentation, making the Payment Gateway security vulnerable for you to bypass the credit card payment on the website.
 

Log in

Online statistics

Members online
4
Guests online
70
Total visitors
74