#Paypal #IPN vulnerability – and how to fix it.

December 8, 2016


The other day I got a notification of a PayPal payment for £0.01, which was odd, but I didn’t realise the significance until a few days later, when I found that someone had managed to buy 800 euros of credit for only £0.01.

The hack was that the user modified the payment link to change the price, by altering the amount parameter:

https://www.paypal.com/cgi-bin/webscr?…&amount=800

to

https://www.paypal.com/cgi-bin/webscr?…&amount=0.01

but left the “custom” field the same, which typically carries the basket ID. When the IPN callback was called, it was passed the correct basket ID but an incorrect mc_gross value. This led to the user being credited with 800 euros’ worth of credit while paying only £0.01.

A similar hack could have been done by changing the currency from GBP to JPY.

Simple fix:

In the IPN callback, check that mc_gross and mc_currency match the expected total held in the basket on the server, or include a salted hash of the amount and currency in the custom field so that any change to the link is detected.
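Here is an added example (not code from the original post) of both fixes in one IPN handler: the basket price is kept server-side and compared against mc_gross/mc_currency, and the custom field carries an HMAC over basket ID, amount and currency so an edited link is rejected. It assumes the IPN message itself has already been verified with PayPal; the secret, basket store and basket ID are constructed placeholders.

```python
import hashlib
import hmac
from decimal import Decimal, InvalidOperation

# Server-side secret used to sign the custom field (placeholder value, assumed).
CUSTOM_SECRET = b"replace-with-a-long-random-server-side-secret"

# Constructed basket store: the expected price lives on the server,
# so the amount in the PayPal link is never trusted on its own.
BASKETS = {"B-1001": {"amount": Decimal("800.00"), "currency": "GBP"}}


def _tag(basket_id: str, amount: str, currency: str) -> str:
    msg = f"{basket_id}|{amount}|{currency}".encode()
    return hmac.new(CUSTOM_SECRET, msg, hashlib.sha256).hexdigest()


def make_custom(basket_id: str) -> str:
    """Build the 'custom' value placed in the payment link when the basket is created."""
    basket = BASKETS[basket_id]
    amount = f"{basket['amount']:.2f}"
    currency = basket["currency"]
    return f"{basket_id}|{amount}|{currency}|{_tag(basket_id, amount, currency)}"


def verify_ipn(ipn: dict) -> bool:
    """True only if custom is untampered and mc_gross/mc_currency match the basket."""
    parts = ipn.get("custom", "").split("|")
    if len(parts) != 4:
        return False
    basket_id, amount, currency, tag = parts
    # 1. The custom field must carry a valid MAC; an edited amount or currency breaks it.
    if not hmac.compare_digest(_tag(basket_id, amount, currency), tag):
        return False
    # 2. Compare what PayPal says was paid with what the basket actually costs.
    basket = BASKETS.get(basket_id)
    if basket is None:
        return False
    try:
        paid = Decimal(ipn.get("mc_gross", ""))
    except InvalidOperation:
        return False
    if ipn.get("mc_currency") != basket["currency"]:
        return False
    return paid == basket["amount"]
```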

PS: This issue has now been fixed on our website, so don’t even bother trying this hack! 🙂


H4sIAAA What’s so important about this string?

December 7, 2016


This may be a long shot, but if anyone ever searches for this string, I know exactly what you are looking at: it’s a base64-encoded, gzip-compressed string.

If you want to see what it actually is, base64-decode the string and unzip the result. Here’s the code you need in C#:

using System.IO;
using System.IO.Compression;
using System.Text;

// Copies src to dest in 4 KB chunks (Stream.CopyTo does the same on .NET 4.0+).
public static void CopyTo(Stream src, Stream dest)
{
    byte[] bytes = new byte[4096];
    int cnt;
    while ((cnt = src.Read(bytes, 0, bytes.Length)) != 0)
    {
        dest.Write(bytes, 0, cnt);
    }
}

// UTF-8 encodes the string and gzip-compresses it; base64-encode the result
// (Convert.ToBase64String) to get the "H4sI..." form.
public static byte[] Zip(string str)
{
    var bytes = Encoding.UTF8.GetBytes(str);

    using (var msi = new MemoryStream(bytes))
    using (var mso = new MemoryStream())
    {
        using (var gs = new GZipStream(mso, CompressionMode.Compress))
        {
            //msi.CopyTo(gs);
            CopyTo(msi, gs);
        } // the GZipStream must be disposed before reading mso, so the gzip trailer is flushed

        return mso.ToArray();
    }
}

// Reverse direction: takes the bytes from Convert.FromBase64String and inflates them.
public static string Unzip(byte[] bytes)
{
    using (var msi = new MemoryStream(bytes))
    using (var mso = new MemoryStream())
    {
        using (var gs = new GZipStream(msi, CompressionMode.Decompress))
        {
            //gs.CopyTo(mso);
            CopyTo(gs, mso);
        }

        return Encoding.UTF8.GetString(mso.ToArray());
    }
}
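As an added example (not the post’s own code), the same decode in Python, with two things the C# above does not show: why the prefix is recognisable (the bytes 1f 8b 08 that start every gzip stream base64-encode to exactly “H4sI”), and a cap on the inflated size so a tiny encoded blob from an untrusted source cannot expand without limit. The size limit and the sample text are assumed values.

```python
import base64
import gzip
import zlib

# 1f 8b 08 = gzip magic bytes + deflate method; base64 of these three bytes is "H4sI".
GZIP_MAGIC = b"\x1f\x8b\x08"
MAX_OUTPUT = 10 * 1024 * 1024  # cap on decompressed size (assumed limit)


def looks_like_base64_gzip(text: str) -> bool:
    """Cheap triage: a base64 string starting with H4sI decodes to a gzip header."""
    return text.startswith("H4sI")


def decode_base64_gzip(text: str, max_output: int = MAX_OUTPUT) -> str:
    """Base64-decode, check the gzip magic, inflate with a size cap, return UTF-8 text."""
    raw = base64.b64decode(text, validate=True)
    if not raw.startswith(GZIP_MAGIC):
        raise ValueError("decoded bytes are not a gzip stream")
    # wbits 16+MAX_WBITS makes zlib parse the gzip wrapper; max_length bounds how
    # much is inflated, so a small input cannot be used as a decompression bomb.
    inflater = zlib.decompressobj(16 + zlib.MAX_WBITS)
    out = inflater.decompress(raw, max_output + 1)
    if len(out) > max_output:
        raise ValueError("decompressed data exceeds the size cap")
    if not inflater.eof:
        raise ValueError("gzip stream is truncated or corrupt")
    return out.decode("utf-8")


def encode_base64_gzip(text: str) -> str:
    """Reverse direction, matching the C# Zip(); mtime=0 keeps the output deterministic."""
    return base64.b64encode(gzip.compress(text.encode("utf-8"), mtime=0)).decode("ascii")
```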


#Parse #JSON in MS #SQL server @procurios

December 6, 2016


If your application stores data in SQL Server as a JSON value, you will find it difficult to read out individual properties of that data. This means that you can’t do joins on fields held within the data, or any aggregate queries. It’s just not flexible at all.

So, as the name suggests, I’ve used a C# CLR UDF (user-defined function) to do this: it takes in the string, processes it within the CLR and returns the result to SQL Server.

To give you a few “anti-patterns” of things that don’t work: SQL Server only supports a limited set of .NET assemblies, so you can’t import Newtonsoft to handle the JSON, nor can you use System.Runtime.Serialization, which SQL Server doesn’t allow either. So I had to use a home-grown JSON parser by Procurios (http://techblog.procurios.nl/k/news/view/14605/14863/how-do-i-write-my-own-parser-(for-json).html) – thanks @procurios

So, creating a new CLR project in Visual Studio, I added the Procurios JSON class and this code:

using System.Collections;
using System.Data.SqlTypes;
using Microsoft.SqlServer.Server;

[Microsoft.SqlServer.Server.SqlFunction]
public static SqlString CLR_ReadJSON(string json, string property)
{
    // JsonDecode returns a Hashtable for a JSON object (ArrayList for an array,
    // null for invalid input), so guard before indexing to avoid a
    // NullReferenceException surfacing inside SQL Server.
    var o = JSON.JsonDecode(json) as Hashtable;
    if (o == null || !o.ContainsKey(property) || o[property] == null)
        return SqlString.Null;
    return o[property].ToString();
}

I compiled the DLL, transferred it to the server, and added a new assembly, which I’ve called CLR_DataTools (the above code was in a namespace called StoredProcedures).

Then I wrote the following SQL code to define the UDF:

CREATE FUNCTION [dbo].[CLR_UdfReadJson]
(
@json [nvarchar](4000),
@property [nvarchar](4000)
)
RETURNS nvarchar(max)
WITH EXECUTE AS CALLER
AS
EXTERNAL NAME [CLR_DataTools].[StoredProcedures].[CLR_ReadJSON]
GO

And that’s all you need! (Although this took me a few hours to figure out.)

As an aside, here’s some code I wrote to handle XPath queries on XML within SQL Server, although I am aware that there are better ways to do this:

using System.Data.SqlTypes;
using System.Xml;
using Microsoft.SqlServer.Server;

[Microsoft.SqlServer.Server.SqlFunction]
public static SqlString CLR_ReadXML(string xml, string xPath)
{
    XmlDocument xdoc = new XmlDocument();
    // Disable external entity/DTD resolution so untrusted XML cannot pull in external resources.
    xdoc.XmlResolver = null;
    xdoc.LoadXml(xml);
    var xn = xdoc.DocumentElement.SelectSingleNode(xPath);
    if (xn == null)
        return SqlString.Null; // no match for the XPath rather than a null dereference
    var strXml = xn.InnerXml;
    return strXml;
}

and then defined the SQL UDF as follows:

CREATE FUNCTION [dbo].[CLR_UdfReadXML]
(
@xml [nvarchar](4000),
@xPath [nvarchar](4000)
)
RETURNS nvarchar(max)
WITH EXECUTE AS CALLER
AS
EXTERNAL NAME [CLR_DataTools].[StoredProcedures].[CLR_ReadXML]
GO


Uncaught SoapFault exception: [Sender] SOAP-ERROR: Encoding: Violation of encoding rules

December 6, 2016


WTF? Why the hell is every PHP developer saying my web service is returning Uncaught SoapFault exception: [Sender] SOAP-ERROR: Encoding: Violation of encoding rules, when there’s no problem for those using .NET, or for those parsing the XML response over HTTP GET/POST?

Ok, let’s break down the problem. It’s not a problem with PHP, it’s your WSDL, so here’s how to diagnose it.

Take this simple code snippet:

$client = new SoapClient("http://www.regcheck.org.uk/api/reg.asmx?wsdl");
$params = array(
    "RegistrationNumber" => "TNZ6972",
    "username" => "**Your Username**"
);
$response = $client->__soapCall('Check', array($params));
print_r($response);

Now take a copy of the WSDL and save it as a text file so you can edit it easily, e.g. http://www.regcheck.org.uk/php.wsdl. Then, using HTML-style comments, take out everything you can until you get a minimum working version, i.e. a call that returns “something”: not all the data, but something.

<s:complexType name="Vehicle">
<s:element minOccurs="0" maxOccurs="1" name="vehicleJson" type="s:string"/>
<s:element minOccurs="0" maxOccurs="1" name="vehicleXml" type="s:string"/>
<s:element minOccurs="0" maxOccurs="1" name="numberOfSeats" type="s:string"/>
<s:element minOccurs="0" maxOccurs="1" name="carValue" type="s:string"/>
<s:element minOccurs="0" maxOccurs="1" name="immobiliser" type="s:string"/>
<!-- <s:element minOccurs="0" maxOccurs="1" name="vehicleData"> … -->

I had a hunch it was the VehicleData object, since it was the most complex type in the response, so I commented that out, and I now had a minimum working version.

After that, I progressively commented out elements within the VehicleData type until I got my maximum working version, i.e. as much data as possible without it breaking.

At that point, I hit upon this:

<s:element minOccurs="0" maxOccurs="1" name="CarModel">
  <s:complexType>
    <s:simpleContent>
      <s:extension base="s:integer">
        <s:attribute name="type" type="s:NCName" />
      </s:extension>
    </s:simpleContent>
  </s:complexType>
</s:element>

which was the point at which the web service stopped returning data and started throwing the Uncaught SoapFault exception: [Sender] SOAP-ERROR: Encoding: Violation of encoding rules. It did look odd, since I knew that “CarModel” should be a string, not an integer.

Looking at the underlying C# code, the error was obvious:

[System.Xml.Serialization.XmlTextAttribute(DataType="integer")]
public string Value {

There is no way that Value could be both a string and an integer, so I changed it to:

[System.Xml.Serialization.XmlTextAttribute()]
public string Value {


#Base64 decode using #SQL server #UDF

December 5, 2016


Base64 is a way to encode data into a limited character set, so that binary data can be displayed as print-friendly text, for example if you wanted to represent an image as text and store it in a database. It does bloat the data, but it’s certainly handy when it comes to passing data around.

SQL Server doesn’t have a handy function to convert base64 text back into its original form, so I decided to write the UDF below:

CREATE FUNCTION dbo.Base64Decode (@Base64 varchar(max))
RETURNS varchar(max)
WITH SCHEMABINDING AS
BEGIN
    DECLARE @TEXT AS varchar(max);
    -- Casting to XML and reading the node value as varbinary(max) performs the base64 decode.
    SELECT @TEXT = CAST( CAST( @Base64 AS XML ).value('.', 'varbinary(max)') AS varchar(max) );

    RETURN @TEXT;
END;
GO


#Stuck #App #Roadside assistance in #Australia @stuck_app

December 3, 2016


Stuck is a new app for Australian drivers which you can download for iOS or Android via their website here: https://stuck.com.au/

Stuck is an on-demand service which calls local automotive experts to the rescue, saving you an annual insurance-style roadside assistance membership. Here’s how it works:

1. Share your required service and location with local, accredited automotive experts. The nearest available expert will arrive to help as soon as possible.

2. You are given the price upfront, which is usually about half the cost of a normal annual membership. Any extras can be added on if required (such as a new tyre).

3. Once your car problem is resolved, payment happens automatically without paperwork. Finally, you provide feedback to the automotive expert and get going!

From a technical point of view, it uses our Australian Car Registration API: http://www.carregistrationapi.com/


#MachineLearning using #Microsoft Azure

December 2, 2016


Me: Azure , what is 1 + 1 ?

Azure: It’s 1.999999999992212

Me: No it’s not.

Azure: Come on, I’m almost right!

I’ve just been playing with the Azure Machine Learning Studio, to see if it could be accurate enough for practical applications. The simplest example I could think of was a model given 1,000 examples of one number followed by a second number which was one greater:

1,2
2,3
3,4

You can see the model in the Cortana Intelligence Gallery here:
https://gallery.cortanaintelligence.com//Experiment/Plus-one-webservice-1

Interestingly, the result is not perfect, as would be expected, but it goes wrong in a way that only a machine would think is close to the correct answer.
