Breaking Payment Gateways

Harsh Akshit
Published in InfoSec Write-ups

Apr 24, 2020

What is a Payment Gateway?

An online payment gateway (PG) is a tunnel that connects your bank account to the platform where you need to transfer your money. A PG is software that authorizes you to conduct an online transaction through different payment modes like net banking, credit card, debit card, Unified Payments Interface (UPI), and the many online wallets available today.

A PG is a third party that securely transfers your money from the bank account to the merchant’s payment portal.

To put it simply: when you buy a book from a popular digital platform like Flipkart and pay for it, a payment gateway transfers your money to Flipkart.

Payment Gateway flow

Let’s understand how a payment gateway works:

A payment gateway focuses on securing the sensitive information given by the user throughout the payment process. It encrypts data such as card information and bank account details to ensure security for the user.

The following are the basic steps showing how a typical payment gateway works:

1. A customer places his or her order and then presses the Submit or Checkout button, or its equivalent, on the website.

2. Once this happens, the website or the e-commerce platform takes the customer to a payment gateway, where he or she enters all the relevant information about the bank or the card they use to pay. The PG then takes the user directly to the page of the issuing bank or a 3D secure page, asking for the transaction to be authorized.

Payment Gateway (Source: razorpay.com)

3. Once the payment gateway gets the approval for the transaction, the bank checks whether the customer has sufficient balance in the account for the transaction to succeed.

4. The payment gateway sends a message to the merchant accordingly.

→ If the reply from the bank is a “No”, then the merchant sends an error message to the customer, telling them about the issue with the card or the bank account.

→ If the response from the bank portal is a “Yes”, then the merchant requests the transaction from the bank.

5. The bank settles the money with the payment gateway, which in turn settles the money with the merchant.

Once this process is completed, the customer gets a confirmation of placing the order.

Order Placed

As mentioned earlier, money transactions involve sensitive information about a person’s bank and card details that are entirely personal to him or her. Therefore, it is imperative to make sure that this information stays safe.

How a payment gateway keeps information secure:

A payment gateway ensures the security of the information you put in. Here is a list of things that a PG does to keep your data safe:

  • First, the entire transaction is carried out through an HTTPS web address. This differs from HTTP as the S in HTTPS stands for Secure. The transaction takes place through this same tunnel.
  • Using a hash function, the system usually requires a signed request from the merchant to validate the transaction request. The signature is built from a secret that only the merchant and the payment gateway know.
  • To protect the result returned by the payment page, the IP of the requesting server is verified to detect any malicious activity.
  • Virtual Payer Authentication (VPA) is something that the acquirers, issuers, and payment gateways are backing to secure the process even more. VPA, implemented under the 3-D secure protocol, adds a layer of security and helps online buyers and sellers authenticate easily.

It’s time for Hacking!

We are in a generation where e-commerce has boomed so rapidly that there is no stopping it. Alibaba set a new record with more than $30.8 billion in sales in just 24 hours; let that sink in for a moment.
Yet the mechanism behind all these transactions is just bits of information flowing over the giant interconnected web of devices we call the internet. Anyone who understands how these transactions occur can figure out a way to shop online forever, free of cost.

I’ll explain three different ways with different levels of difficulty.
1. The noob’s way
2. The hacker’s way
3. The pro hacker’s way
These three points are the stepping stones to hacking and being able to manipulate any payment gateway.

1. The noob’s way

This is the easiest way to manipulate the price of the product you are buying. It applies when the cost of the product is present in a hidden element of the form on the HTML page. While we choose an item we plan to buy, the price of the item is added to the running total. The price is taken from the hidden field, filled into the form, and presented as the grand total.

<input type="hidden" name="business" value="abc@xyz.com">
<input type="hidden" name="cmd" value="_xclick">
<input type="hidden" name="item_name" value="Classmate_Notebook">
<input type="hidden" name="amount" value="550">
<input type="hidden" name="currency_code" value="INR">

How to bypass it -

To change the product's price, all you have to do is change it in the hidden form field where the price is mentioned before adding the product to the cart. This way, the actual cost is never added to the cart, and you can buy the product for free.

2. The hacker’s way

This is the second way to manipulate the price of the product you are buying online and change it to your liking. In this process we use an intercepting tool like Burp Suite. The price isn’t in a hidden field in the form, so we can’t change it as before; instead, we add the product to the cart. (See the figure below)

How to bypass it -

Once we are at the payment gateway, we manually turn on the intercept and manipulate the cost in the packet we just intercepted. After editing the price in the interceptor, we forward the packet, and just like that, we have another free product.
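Both variants above come down to the same defect: the merchant’s server believes an amount the client sent, whether it arrived in a hidden field or was edited in a proxy. The following added example (mine, not code from this article or from any gateway’s SDK; the catalogue, field names and sample requests are constructed) shows the vulnerable total calculation beside the hardened one, plus a check that flags a request whose submitted amount disagrees with the server-side price, which is the signal a defender would alert on:

```python
from decimal import Decimal

# Constructed server-side catalogue: the only source of truth for prices.
# In a real deployment this would be a database lookup (assumption).
CATALOGUE = {
    "Classmate_Notebook": Decimal("550.00"),
    "Pen": Decimal("20.00"),
}


def vulnerable_total(form):
    """Trusts the client-supplied 'amount' field, exactly as the hidden-field
    form above does. Changing the field, or editing the request in an
    intercepting proxy, changes what the merchant charges."""
    return Decimal(form["amount"])


def hardened_total(form):
    """Ignores any client-supplied amount; the price comes from the catalogue."""
    item = form["item_name"]
    if item not in CATALOGUE:
        raise ValueError(f"unknown item {item!r}")
    return CATALOGUE[item]


def price_mismatch_alert(form):
    """Detection hook: returns an alert string when the client-sent amount
    disagrees with the catalogue price (the signature of tampering), or
    None when there is nothing to report."""
    if "amount" not in form:
        return None
    expected = hardened_total(form)
    sent = Decimal(form["amount"])
    if sent != expected:
        return f"price tamper: item={form['item_name']} sent={sent} expected={expected}"
    return None


# Constructed sample requests: a legitimate one and a tampered one.
LEGIT = {"item_name": "Classmate_Notebook", "amount": "550", "currency_code": "INR"}
TAMPERED = {"item_name": "Classmate_Notebook", "amount": "1", "currency_code": "INR"}

if __name__ == "__main__":
    print(vulnerable_total(TAMPERED))    # 1: the attacker's price is charged
    print(hardened_total(TAMPERED))      # 550.00: the catalogue price is charged
    print(price_mismatch_alert(TAMPERED))
    print(price_mismatch_alert(LEGIT))   # None
```

The alert is worth keeping even once the hardened path is in place: a client that keeps sending an `amount` that differs from the catalogue is probing, and that is cheap to log and rate-limit.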

3. The Pro hacker’s way

For people working with payment gateways and online transactions, the steps leading up to here are probably well known. They most likely have security in place that addresses the vulnerabilities I mentioned above. The best-known way to protect against these vulnerabilities is to use a hash.

Hashes are used to check the integrity of the message sent from the e-commerce website to the payment gateway. The hash is computed over the other values, including the product's price, and verified. The transaction is allowed only if the hash computed before the payment gateway matches the one computed after it.

How to bypass it -

This is the method that most security vendors consider to be secure. The problem arises when you dig deeper and focus on one e-commerce website at a time.

The first thing you learn as a hacker is never to give up and to find a solution no matter how crazy it is. So, I started digging into the hash and how they formulate it. To make it easier for developers to integrate their e-commerce website with the payment gateway, these companies publish articles in the public domain describing how they formulate the hash and other details.

A bit of reconnaissance turns up this documentation, i.e., the parameters involved and the hashing technique used to create the hash. Most of the required parameters are present in the packet you have intercepted. One further parameter is a password that is also used in the hash and is known only to the e-commerce admin.

So the next step is to put the parameters together. Either brute force or use a dictionary attack to find that password; once you have it, you can create your own hash for the modified price of the product and buy unlimited free products from that vendor for as long as they don’t change the password.

This step is challenging, but some developers copy the code with the same password as in the documentation, leading to a payment gateway security vulnerability that allows buying products online for free.
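The hash scheme described in this section holds up exactly as well as the secret behind it. The added example below (mine, not the article’s code or any gateway’s) shows a checksum built as an HMAC over a fixed field order, a constant-time verification that rejects a changed amount, and a check that refuses documentation-sample or short secrets. The field order, the forbidden-secret list and the 32-byte floor are assumptions for the example; real gateways each define their own parameter order and algorithm.

```python
import hashlib
import hmac
import secrets

# Constructed examples of secrets that must never reach production: values
# copied from documentation samples or obvious placeholders. Illustrative only.
FORBIDDEN_SECRETS = {"changeme", "secret", "merchant_secret", "SALT_FROM_DOCS"}

# Fixed field order for the signed string; an assumption for this example.
SIGNED_FIELDS = ("order_id", "item_name", "amount", "currency_code")


def check_secret_strength(secret):
    """True only for a secret that is neither a known sample nor short enough
    to brute force. The 32-byte floor is this example's choice, not the page's."""
    if secret in FORBIDDEN_SECRETS:
        return False
    return len(secret.encode()) >= 32


def generate_secret():
    """What a merchant should do instead of copying the doc: generate locally."""
    return secrets.token_hex(32)  # 64 hex chars, 256 bits of entropy


def canonical(params):
    """Pipe-joined values in SIGNED_FIELDS order; both sides must agree exactly."""
    return "|".join(str(params[f]) for f in SIGNED_FIELDS)


def sign(params, secret):
    """HMAC-SHA256 over the canonical string. Using a keyed MAC (an assumption
    here) rather than hashing 'fields|password' keeps the secret out of the
    hashed message itself."""
    return hmac.new(secret.encode(), canonical(params).encode(), hashlib.sha256).hexdigest()


def verify(params, provided_hash, secret):
    """Recompute and compare in constant time. Any change to a signed field,
    such as the amount, produces a different digest."""
    return hmac.compare_digest(sign(params, secret), provided_hash)


# Constructed merchant secret (40 bytes) and request.
SECRET = "constructed-demo-secret-0123456789abcdef"
ORDER = {"order_id": "ORD-1001", "item_name": "Classmate_Notebook",
         "amount": "550", "currency_code": "INR"}


def demo():
    """Returns (genuine request verifies, tampered-amount request verifies)."""
    h = sign(ORDER, SECRET)
    tampered = dict(ORDER, amount="1")  # the amount is edited, the hash is not
    return verify(ORDER, h, SECRET), verify(tampered, h, SECRET)


if __name__ == "__main__":
    print(demo())                                    # (True, False)
    print(check_secret_strength("changeme"))         # False
    print(check_secret_strength(generate_secret()))  # True
```

The `check_secret_strength` call belongs at application start-up, so a deployment that shipped with the documentation’s sample secret fails loudly before it ever signs a request.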

Those three are the conventional ways to hack into a PG. Let’s move on to a few bonus pieces of information I discovered in my findings.

Bonus Information!

  1. As mentioned above, read the documentation the payment gateway company provides for the developers of merchant websites. That documentation contains critical information that helps bypass the payment confirmation, including:
    $ Transaction success code
    $ Transaction success message
    $ The parameters that are involved and the hashing technique they use in creating the hash
    $ Response code
    $ Response messages
    $ Promo code data
    $ Etc…

Now, with helpful information like the transaction success code and transaction success message, try replacing the failure response with them in the Intercept tab of Burp Suite. Believe me, this has worked several times for me. It only works when the merchant is not validating the checksum hash.
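What makes the success-code swap work is that the merchant believes the response’s status field without checking anything else. The added example below (my own, not from the article or from any gateway) is a merchant-side callback handler that verifies the response signature before reading the status, reconciles amount and currency against the stored order, and refuses a replayed success. The field order, the secret and the sample responses are constructed; a real gateway documents its own response format.

```python
import hashlib
import hmac

# Constructed merchant-side order store: what we actually sent to the gateway.
ORDERS = {"ORD-1001": {"amount": "550", "currency_code": "INR", "status": "PENDING"}}

# Constructed shared secret (assumption: loaded from a secrets store in practice).
SECRET = b"constructed-demo-secret-0123456789abcdef"

# Assumed fixed order of the fields the gateway signs in its response.
RESPONSE_FIELDS = ("order_id", "txn_id", "status", "amount", "currency_code")


def response_signature(resp, secret=SECRET):
    """HMAC-SHA256 the gateway is assumed to attach over RESPONSE_FIELDS."""
    msg = "|".join(str(resp[f]) for f in RESPONSE_FIELDS).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def handle_callback(resp):
    """Decide whether to mark an order paid. Returns (decision, reason).

    The signature is checked before any field is believed, so a 'status'
    flipped from failure to success in a proxy is rejected even when every
    other field is genuine."""
    order = ORDERS.get(resp.get("order_id"))
    if order is None:
        return ("reject", "unknown order_id")
    if not hmac.compare_digest(response_signature(resp), resp.get("hash", "")):
        return ("reject", "checksum mismatch")
    if resp["status"] != "SUCCESS":
        return ("reject", f"gateway status {resp['status']}")
    if resp["amount"] != order["amount"] or resp["currency_code"] != order["currency_code"]:
        return ("reject", "amount/currency differs from order")
    if order["status"] == "PAID":
        return ("reject", "duplicate callback")  # replay of a genuine success
    order["status"] = "PAID"
    return ("accept", "order marked paid")


def constructed_response(status):
    """Build a gateway response exactly as the gateway would sign it."""
    resp = {"order_id": "ORD-1001", "txn_id": "TXN-77", "status": status,
            "amount": "550", "currency_code": "INR"}
    resp["hash"] = response_signature(resp)
    return resp


def demo():
    """The bonus-tip scenario: a signed FAILURE response with its status edited
    to SUCCESS in the intercept tab. The edit cannot be re-signed."""
    failed = constructed_response("FAILURE")
    flipped = dict(failed, status="SUCCESS")
    return handle_callback(flipped)


if __name__ == "__main__":
    print(demo())                                        # ('reject', 'checksum mismatch')
    print(handle_callback(constructed_response("SUCCESS")))  # ('accept', 'order marked paid')
```

Every `reject` reason here is a distinct log line worth keeping: a run of `checksum mismatch` decisions against one order is a tampering attempt, and `duplicate callback` catches the replay of a genuinely successful response.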

2. Everyone tries to tamper with the price at the merchant site or the payment gateway. But have you ever wondered about tampering with the quantity? The quantity can be tampered with on the merchant site or at the payment gateway. Look for a Quantity or similar field in the packets captured in Burp Suite. Now, what happens if we tamper with the quantity?

→ Quantity = 10 & Price = $ 120 ; Grand total = 10 X 120 = $ 1200
Tamper Quantity = 0.01 & Price = $ 120 ; Grand total = 0.01 X 120 = $ 1.2

This works even when the price is secured on the server side. Try manipulating the quantity; you can also try making the quantity negative.

3. Try to fuzz other parameters as well, for example:
> Promo codes
> Wallet amount
> Delivery charges
Every parameter that involves money🤑.
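The quantity and promo-code tricks above share a root cause: the server takes a money-bearing number from the client instead of deriving it. The added example below (mine, not the article’s code) computes a grand total entirely from server-side data, accepts only a positive whole-number quantity (so 0.01, 0 and negatives are rejected), looks the promo code up server-side, and flags any client-supplied money fields; the catalogue, limits and promo table are constructed.

```python
import re
from decimal import Decimal

# Constructed server-side data; the bounds are assumptions for this example.
CATALOGUE = {"Notebook": Decimal("120.00")}
PROMO_CODES = {"SAVE10": Decimal("0.10")}   # code -> fractional discount
DELIVERY_CHARGE = Decimal("40.00")
MAX_QUANTITY = 100
MAX_DISCOUNT_RATIO = Decimal("0.50")        # policy: never more than half off

# Money-bearing fields a client has no business sending; their presence is
# the fuzzing signature a defender wants logged.
CLIENT_MONEY_FIELDS = ("amount", "discount", "delivery_charges", "wallet_amount")

QUANTITY_RE = re.compile(r"[1-9][0-9]{0,6}")  # positive whole number only


def parse_quantity(raw):
    """Accept only a positive whole number within policy. '0.01', '0', '-1',
    '1e3' and non-numeric junk all raise ValueError."""
    if not isinstance(raw, str) or QUANTITY_RE.fullmatch(raw) is None:
        raise ValueError(f"quantity must be a positive integer, got {raw!r}")
    qty = int(raw)
    if qty > MAX_QUANTITY:
        raise ValueError(f"quantity {qty} exceeds limit {MAX_QUANTITY}")
    return qty


def is_valid_quantity(raw):
    """Boolean wrapper around parse_quantity for callers that only need a verdict."""
    try:
        parse_quantity(raw)
        return True
    except ValueError:
        return False


def compute_total(form):
    """Server-side grand total as (total, flags).

    The only client inputs honoured are item_name, quantity and promo_code;
    the price, discount rate and delivery charge come from server-side tables.
    flags lists any client-supplied money fields, which are ignored but
    worth alerting on."""
    flags = [f for f in CLIENT_MONEY_FIELDS if f in form]
    item = form.get("item_name")
    if item not in CATALOGUE:
        raise ValueError(f"unknown item {item!r}")
    qty = parse_quantity(form.get("quantity", ""))
    subtotal = CATALOGUE[item] * qty

    discount = Decimal("0.00")
    code = form.get("promo_code")
    if code is not None:
        if code not in PROMO_CODES:
            raise ValueError(f"unknown promo code {code!r}")
        discount = (subtotal * PROMO_CODES[code]).quantize(Decimal("0.01"))
    if discount > subtotal * MAX_DISCOUNT_RATIO:
        raise ValueError("discount exceeds policy")

    total = subtotal - discount + DELIVERY_CHARGE
    if total <= 0:
        raise ValueError("non-positive total")
    return total, flags


# Constructed requests: the 10 x 120 case from the text, a promo, and the 0.01 trick.
if __name__ == "__main__":
    print(compute_total({"item_name": "Notebook", "quantity": "10"}))
    print(compute_total({"item_name": "Notebook", "quantity": "10", "promo_code": "SAVE10"}))
    for bad in ("0.01", "0", "-1", "1e3"):
        print(bad, is_valid_quantity(bad))
```

Using `Decimal` rather than floats matters here too: a fractional or float-rounded total is exactly what the 0.01 quantity trick relies on, and a whole-number quantity times a fixed-point price never produces one.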

Well, to be honest, the most secure payment gateway I have ever found is Razorpay. I have bypassed almost every payment gateway you can name, but not Razorpay, not so far. Let’s see what happens in the near future😉.

I want to thank my colleagues at Twimbit, who encouraged me to publish these articles.

If you enjoyed it, please clap and contact me if you need any help with my article. Keep Hackkking!

The information provided in this article is only for educational purposes. I won’t be responsible for any damage caused by any individual using the info in this article.

Twitter: https://twitter.com/marshmello_in

LinkedIn: https://www.linkedin.com/in/harshakshit/

Facebook: https://www.facebook.com/harshakshit

Email: harshakshit.bit@gmail.com
