
I'm using PayPal as payment gateway. I pass the address of one of my website's non-browsable pages in the notify_url param of the querystring, along with other info. Upon receiving a ping from the PayPal server on my notify page, I take appropriate actions to mark the user as a member.

Now the question I want to ask: what if someone reads the value of notify_url parameter from the original querystring and pings that page manually from his browser with fake transaction id, amount etc. How do I make sure this call was actually from PayPal server?

One preliminary check that came to my mind was to check Request.UserHostAddress and compare it with the PayPal server's IP address. I implemented this but would still like to hear from the experts. Is it safe enough? Can people fake UserHostAddress when making a call to a webpage?

dotNET

2 Answers


If only I had known this is called spoofing, I'd have Googled it much earlier. From PayPal themselves (here is the link), they provide a simple (postback) and a complex (shared secret keys) way of ensuring that a notification was actually forwarded by PayPal.

dotNET

UserHostAddress can only be spoofed theoretically - in practice this would be almost impossible, as the TCP connection setup (three-way handshake) would have to be spoofed, along with correct sequence numbers, which would not be known because the reply packets would be sent to the spoofed IP address instead of to the attacker. See here for an interesting post: Can I trust the source IP of an HTTP request?

You could use this UserHostAddress verification (assuming the IP is always the same) in combination with the shared secret approach in your answer as a double layer of security.

Also, it will be more secure if your notify_url is secured by TLS (i.e. is HTTPS). e.g. <input name="notify_url" value="https://www.example.com/notify_url.php" type="hidden" />. This will help protect your notification ping from a MITM attack.

SilverlightFox
  • Thanks. In this particular case though, I believe spoofing might not be all that difficult. The attacker doesn't need to address packet sequencing or anything that low-level. All he needs to do is to change the UserHostAddress and just push it to my server. No further communication is done with the client before the specified user is marked as a member. PostBack alone is a good enough solution to the problem, after which IP checking becomes meaningless. This is what I ended up implementing. The TLS thing however is important and is recommended by PayPal too. Hope my client soon gets that :). – dotNET Dec 31 '13 at 14:09
  • That is what I mean - the attacker could not change `Request.UserHostAddress` because this is set by ASP.NET to the IP address of the client machine. – SilverlightFox Dec 31 '13 at 14:40
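The postback check from the asker's answer, plus the follow-up checks that the postback itself does not cover (the layering the second answer argues for), as an added example for this thread. This is not PayPal's code and not the asker's ASP.NET handler; it is written in Python with the outbound HTTP call injected so it runs offline. The verification URL is the one named in PayPal's IPN documentation and should be confirmed against the current docs; the sample IPN message, merchant e-mail, price and `custom` user id are constructed for the demonstration.

```python
"""PayPal IPN handling: postback verification plus the checks the postback
does not cover. Added example for this thread, not PayPal's SDK."""
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation
from typing import Callable, Set
from urllib.parse import parse_qs

# Live verification endpoint named in PayPal's IPN documentation (sandbox:
# ipnpb.sandbox.paypal.com). Confirm against the current docs before use.
PAYPAL_VERIFY_URL = "https://ipnpb.paypal.com/cgi-bin/webscr"

# Transport: POST `body` (form-encoded) to `url` over HTTPS, return response text.
# Injected so the example can run offline; production code wraps a real client.
PostFunc = Callable[[str, str], str]


def build_postback_body(raw_body: str) -> str:
    """PayPal verifies the exact bytes it sent, with cmd=_notify-validate first."""
    return "cmd=_notify-validate&" + raw_body


@dataclass
class IpnDecision:
    accepted: bool
    reason: str
    user_id: str = ""


@dataclass
class IpnVerifier:
    post: PostFunc
    receiver_email: str   # primary e-mail of your PayPal account (assumed value below)
    price: Decimal        # what a membership actually costs
    currency: str
    seen_txn_ids: Set[str] = field(default_factory=set)  # a DB table in production

    def handle(self, raw_body: str) -> IpnDecision:
        # 1. Postback: only messages PayPal itself generated come back VERIFIED.
        #    A hand-crafted or edited message fails here regardless of source IP.
        verdict = self.post(PAYPAL_VERIFY_URL, build_postback_body(raw_body)).strip()
        if verdict != "VERIFIED":
            return IpnDecision(False, f"postback returned {verdict!r}")

        fields = {k: v[0] for k, v in parse_qs(raw_body, keep_blank_values=True).items()}

        # 2. A VERIFIED message can still describe a pending, refunded or reversed payment.
        if fields.get("payment_status") != "Completed":
            return IpnDecision(False, f"payment_status {fields.get('payment_status')!r}")

        # 3. A VERIFIED message can be a genuine payment made to someone else's account.
        if fields.get("receiver_email", "").lower() != self.receiver_email.lower():
            return IpnDecision(False, "receiver_email is not ours")

        # 4. A genuine payment of the wrong amount or currency is not a membership.
        try:
            paid = Decimal(fields.get("mc_gross", ""))
        except InvalidOperation:
            return IpnDecision(False, "mc_gross is not a number")
        if paid != self.price or fields.get("mc_currency") != self.currency:
            return IpnDecision(False, f"paid {paid} {fields.get('mc_currency')}, "
                                      f"expected {self.price} {self.currency}")

        # 5. Replay: PayPal may legitimately resend, and an attacker can resend too.
        txn_id = fields.get("txn_id", "")
        if not txn_id or txn_id in self.seen_txn_ids:
            return IpnDecision(False, f"txn_id {txn_id!r} missing or already processed")
        self.seen_txn_ids.add(txn_id)

        # `custom` carries whatever the payment button put there; here the user to activate.
        return IpnDecision(True, "verified", user_id=fields.get("custom", ""))


# --- Offline demonstration with a constructed message and a stand-in for PayPal ---

# Constructed sample IPN body for this example; not a real PayPal message.
GENUINE_IPN = (
    "mc_gross=19.99&mc_currency=USD&payment_status=Completed"
    "&receiver_email=merchant%40example.com&txn_id=7AB12345CD678901E&custom=42"
)


def fake_paypal(url: str, body: str) -> str:
    """Stand-in for the verification endpoint: it only recognises the message it 'sent'."""
    assert url == PAYPAL_VERIFY_URL
    return "VERIFIED" if body == build_postback_body(GENUINE_IPN) else "INVALID"


def demo() -> dict:
    v = IpnVerifier(post=fake_paypal, receiver_email="merchant@example.com",
                    price=Decimal("19.99"), currency="USD")
    forged = GENUINE_IPN.replace("mc_gross=19.99", "mc_gross=0.01")
    return {
        "genuine": v.handle(GENUINE_IPN),      # accepted, activates user 42
        "forged_amount": v.handle(forged),     # postback answers INVALID
        "replayed": v.handle(GENUINE_IPN),     # same txn_id, already processed
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:14s} accepted={str(decision.accepted):<5} {decision.reason}")
```

The postback answers only one question, whether PayPal generated this exact message; steps 2 to 5 are what stop a genuine VERIFIED message for a penny, for another merchant's account, or replayed a second time from granting a membership. The postback itself must go over HTTPS, otherwise the "VERIFIED" reply is the easiest thing on the path to tamper with. On the source-IP check discussed above: it is only meaningful if the application sees the client's address directly; behind a load balancer, CDN or reverse proxy, Request.UserHostAddress holds the proxy's address, and a forwarded-for header is set by whoever sends the request, so it adds nothing the postback does not already give.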