Sagepay - Payment Authorised despite 3dSecure Failure - opayo

We're currently updating our SagePay integration to enforce 3DSecure in line with the EU regulations coming into force.
However our tests have found that, even though 3DSecure is marked as a 'Fail', the payment was still authorised. We havent set up any specific rules in the Admin system other than the 3D Secure check. (none of the other 3d secure tick boxes are checked and there are no values in the min/max fields).
We want to set up our system so that if 3Dsecure fails it does not authorise the transaction. How do we do this?

I'm getting exactly the same issues. Pass all of the details correctly and every test card comes back as successfully authorised. This is different to yesterday when I was being sent to the challenge page (which subsequently gave me a 404 error), so I can only surmise that SagePay haven't actually finished writing their 3DSv2 handling.
The "Magic Value" you can pass as the CardHolder doesn't actually do anything either and I'm also getting a server error when passing some of the new fields such as ThreeDSRequestorAuthenticationInfoXML and AcctInfoXML.
Waiting to hear back from an e-mail I've sent to their support team yesterday.

Changing the Cardholder field to the magic value CHALLENGE worked for me
That will make the status returned as "3DAUTH" (I was always getting "OK" before using the magic value); you will also get the Sage simulator ACSURL ("https://test.sagepay.com/3ds-simulator/html_challenge"). See example of my request and response
SENT:
"VPSProtocol=4.00&TxType=PAYMENT&Vendor=[YOUR_VENDOR_HERE]&VendorTxCode=[YOUR_VENDOR_TX_CODE]&Amount=8.05&Currency=GBP&Description=LDN payment&CardHolder=CHALLENGE&CardNumber=4929 0000 0000 6&CV2=123&ExpiryDate=0120&CardType=VISA&BillingSurname=TestSurname&BillingFirstnames=TestName&BillingAddress1=88&BillingCity=Glasgow&BillingPostCode=412&BillingCountry=GB&DeliverySurname=TestSurnameB&DeliveryFirstnames=TestNameB&DeliveryAddress1=test address line 1&DeliveryCity=Glasgow&DeliveryPostCode=412&DeliveryCountry=GB&CustomerEMail=test#email.com&Apply3DSecure=1&ChallengeWindowSize=01&ThreeDSNotificationURL=[YOUR_URL]&BrowserAcceptHeader=text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3&BrowserUserAgent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36&BrowserJavascriptEnabled=1&BrowserJavaEnabled=1&BrowserLanguage=en-GB&BrowserColorDepth=8&BrowserScreenHeight=480&BrowserScreenWidth=640&BrowserTZ=0&ClientIPAddress=127.0.0.1"
RECEIVED:
"VPSProtocol=4.00; Status=3DAUTH; StatusDetail=2021 : Please redirect your customer to the ACSURL, passing CReq.; VPSTxId={9A9461B6-C8A8-CDE5-75FC-EBABFA6BB5FD}; 3DSecureStatus=OK; ACSURL=https://test.sagepay.com/3ds-simulator/html_challenge; CReq=ewogICJtZXNzYWdlVHlwZSIgOiAiQ1JlcSIsCiAgIm1lc3NhZ2VWZXJzaW9uIiA6ICIyLjEuMCIsCiAgInRocmVlRFNTZXJ2ZXJUcmFuc0lEIiA6ICJmMWZkNWJhOS0xZTAzLTQ4NGQtOGQzNi0zMTU5MTM5N2Y2YmIiLAogICJhY3NUcmFuc0lEIiA6ICJmNzgxOTYwMS1iN2VhLTRkMWUtYWY0MS00ZjRhYTY1NjQ3MjMiLAogICJjaGFsbGVuZ2VXaW5kb3dTaXplIiA6ICIwMSIKfQ"
See link to the documentation on this, magic numbers on page 28:
Sage direct-integration protocol 4.00

Related

Diagnosing 403 forbidden error from wget command

When I try the following code, I get a 403 forbidden error, and I can't work out why.
wget --random-wait --wait 1 --no-directories --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36" --no-parent --span-hosts --accept jpeg,jpg,bmp,gif,png --secure-protocol=auto referer=https://pixabay.com/images/search/ --recursive --level=2 -e robots=off --load-cookies cookies.txt --input-file=pixabay_background_urls.txt
It returns:
--2021-09-01 18:12:06-- https://pixabay.com/photos/search/wallpaper/?cat=backgrounds&pagi=2
Connecting to pixabay.com (pixabay.com)|104.18.20.183|:443... connected.
HTTP request sent, awaiting response... 403 Forbidden
2021-09-01 18:12:06 ERROR 403: Forbidden.
Notes:
-The input file has the the url 'https://pixabay.com/photos/search/wallpaper/?cat=backgrounds&pagi=2 ' page3, page 4 etc separated by new lines
-I used the long form for the flags just so I could remember what they were.
-I used a cookie file generated from the website called 'cookies.txt' and made sure it was up to date.
-I used the referer 'https://pixabay.com/images/search/' that I found by looking at the headers in Google DevTools.
-I'm able to visit these URLs normally without any visible captcha requirements
-I noticed one of the cookies _cf_bm had a Secure = TRUE- so needed to be sent using https. I'm not sure whether I'm doing that or not
It might not actually be possible to do, perhaps cloudflare is a deciding factor. But I'd like to know if it was something that could be circumvented and whether or not it's doable to download a large number of files from this website
Any solutions, insights or any other way of downloaded large numbers of image files would be very appreciated.I know pixabay has an API which I might use as a last resort, but I think it's very rate limited.
It seems these images download sites detect that a server is querying them, rather than a real person on a normal browser. It would probably appear as futile to try to circumvent this as to try and fool Google with SEO tricks, as they will likely be in an ongoing battle trying to stop people doing mass downloads.
I quit from a company that was trying to do that to manipulate images from Google images to pass off as their own.
The 403 is usually reserved for failed logins, but is applicable if being used to reject non-standard access to resources.
I think that these image download sites should return a 200 response for HEAD ONLY https requests so that links to their images can be checked for validity. This would protect their resources while allowing proper automated site maintenance checks that include checking external links.

Kibana String URL image template authentication

I am trying to work out whether it is possible to attach authentication, or make kibana send some sort of authentication with URL templates for field formatters in kibana.
Field formatters are found in:
Management -> Kibana -> Indices -> INDEX_NAME -> Field.
It is possible to display images on URLs with this. For this purpose, I have configured my URL template to be something among the lines of:
localhost:8080/resolve/{imageId}
The imageId is provided via the {{value}} variable and this works all fine.
now, the server running the image resolver has access to data beyond the scope of the image. I would like to add some authentication to the request coming in from Kibana. I have printed available headers and only gotten this:
{host=[localhost:8082], connection=[keep-alive], user-agent=[Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36], accept=[image/webp,image/apng,image/*,*/*;q=0.8], referer=[http://localhost:5601/app/kibana], accept-encoding=[gzip, deflate, br], accept-language=[en-GB,en;q=0.9,de-DE;q=0.8,de;q=0.7,en-US;q=0.6], cookie=[JSESSIONID.1f47f03c=node01x3mhn2jmd7g4qby84ryfcxmd1.node0; screenResolution=1920x1080; JSESSIONID.d86b4be4=node01gzefm5lc0i3c9itul3p0zoil1.node0; JSESSIONID.9211a7ee=node01v32dtus1uphtcvg72es74h681.node0]}
I can't find any basic authentication in there that I can take advantage of. I am not sure if the cookies can be used to resolve the authentication in a way?
My question is: Can I send basic authentication of the logged in user as part of my request? If so, how?
I realise this is not too much to go on. I am attaching a screenshot for hopefully a little more clarity.
I asked this on the elastic board as well who informed me of:
The cookies won't be sent to the third-party because of the same
origin restrictions that browsers put in place. Its not possible.
https://discuss.elastic.co/t/kibana-string-url-image-template-authentication/165786/2
Thanks!

Sagepay Server Integration 5003 error code on first POST

I'm attempting to initiate a test transaction with sagepay by POSTing to https://test.sagepay.com/gateway/service/vspform-register.vsp
I've followed the documentation with regards to the format such a request should take, I've whitelisted my IP in the portal on the test environment and I'm using VPSProtocol=3.00 (Which are the two problems that I've seen reported to cause this) but I'm still getting a 5003 error.
I've spoken to support on the phone and POSTed to their showpost endpoint (https://test.sagepay.com/showpost/showpost.asp). It doesn't seem to be able to understand any of the details of my POST despite it being in a Name=Value format separated by &, URL encoding the values like the documentation dictates and providing all the required fields.
I've tried URL encoding the =s as well as the &s just in case I had misunderstood the documentation in that regards but it didn't make any difference.
I believe that I must be sending the body incorrectly somehow. I'd appreciate any suggestions anyone can give. The body I'm sending is below:
VPSProtocol=3.00&TxType=PAYMENT&Vendor=anyjunko&VendorTxCode=123&Amount=143.33&Currency=GBP&Description=TODO&NotificationURL=https%3A%2F%2Fstaging-nelly.anyjunk.co.uk%2Fvs%2Fsagepay-transactions%2F1%2Fsagepay-updates&BillingSurname=NameB&BillingFirstnames=NameA&BillingAddress1=1&BillingAddress2=Putney&BillingCity=London&BillingPostCode=SW11%209YZ&BillingCountry=GB&DeliverySurname=NameB&DeliveryFirstnames=NameA&DeliveryAddress1=1&DeliveryAddress2=Putney&DeliveryCity=London&DeliveryPostCode=SW11%209YZ&DeliveryCountry=GB
Update: I've now tried this with cURL and it worked correctly, but it doesn't work when I send it from Postman or from my code using akka http client.
The cURL command I used was:
curl -X POST "https://test.sagepay.com/gateway/service/vspserver-register.vsp" -d "VPSProtocol=3.00&TxType=PAYMENT&Vendor=anyjunko&VendorTxCode=123&Amount=143.33&Currency=GBP&Description=TODO&NotificationURL=https%3A%2F%2Fstaging-nelly.anyjunk.co.uk%2Fvs%2Fsagepay-transactions%2F1%2Fsagepay-updates&BillingSurname=NameB&BillingFirstnames=NameA&BillingAddress1=1&BillingAddress2=Putney&BillingCity=London&BillingPostCode=SW11%209YZ&BillingCountry=GB&DeliverySurname=NameB&DeliveryFirstnames=NameA&DeliveryAddress1=1&DeliveryAddress2=Putney&DeliveryCity=London&DeliveryPostCode=SW11%209YZ&DeliveryCountry=GB"
There are some requirements missing from the Sage Pay documentation which must be provided otherwise you will get a HTTP 500 Internal Error 5003
Documentation for Server Integration named
"SERVER_Integration_and_Protocol_Guidelines_270815.pdf" is available here:
https://www.sagepay.co.uk/support/find-an-integration-document/server-inframe-integration-documents
First make sure that you have followed the documentation to the letter, especially be careful to include all the mandatory fields and URLencode the values of the name=value pairs.
The following requirements are not mentioned in the documentation:
1 IP Addresses
The IP address from which you send your POST to ~/vspserver-register.vsp must be added to the whitelist on your account settings.
login to My Sage Pay here https://testportal.sagepay.com/mysagepay/login.msp using your administrator account (usually your vendor name)
Go to "IP Válidas" (sorry admin suite is in Spanish for some reason)
Click [Añadir] ("Add") button in bottom right
In the dialog that pops up enter your
"Dirección IP" ("IP address") - type "Whats my IP" into a Google search if you don't know it
your "Máscara de subred" ("Subnet mask") - 255.255.255.000
"Descripción" - just any name you want, has to be unique
Click [Añadir] ("Add") button
2 Firewall
Make sure your firewall is not blocking ports 80 and 443 for HTTP or SSL in either direction
3 HTTPS Protocol
Make sure that you are POSTing to the server using TLS version 1.0 or higher. Also make sure you can use one of the TLS protocols, at time of writing Sage Pay only supports these protocols
TLS1-AES-256-CBC-SHA
TLS1-AES-128-CBC-SHA
TLS1-DHE-DSS-RC4-SHA
TLS1-DHE-DSS-AES-256-CBC-SHA
TLS1-DHE-DSS-AES-128-CBC-SHA
TLS1-DHE-RSA-AES-256-CBC-SHA
TLS1-DHE-RSA-AES-128-CBC-SHA
4 HTTP Headers
There is only one HTTP header required, although it still works if you pass in extra headers such as "Host" or "Content-Length" it will fail if you do not provide exactly
Content-Type: application/x-www-form-urlencoded

jmeter - Authorization header goes missing

I have a fairly simple jmeter script for our site. As part of the flow through the site, I use our API in order to update the user's application.
The API uses OAuth authentication, which I'm familiar with using our own proprietary testing tool.
First I get a auth token via a call to our authorization endpoint. This returns a bit of JSON like this:
{"access_token":"a really long auth token string"}
In my script I use a regex to capture this token string. As part of investigating this problem, I've used a Debug PostProcessor to check that I get the correct string out, which I do. It's saved as variable 'authToken'.
In the very next step in the script, I add a header via a HTTP Header Manager, like so:
I know this header is correct as we have many instances of it in our API tests.
The relevant part of the script looks like this:
Each time I run the script however, the step that uses the token/header returns a 401 unauthorized.
I've tested the actual URL and header in a Chrome plugin and the call works as expected.
In the 'View Results Tree' listener, there is no evidence at all that the Authorization header is set at all. I've tried hard-coding an auth token but no joy - it still doesn't seem to be part of the request.
From the results tree, the request looks like this:
POST <correct URL>
POST data:{"id":"<item id>"}
Cookie Data: SessionProxyFilter_SessionId=<stuff>; sessionToken=<stuff>
Request Headers:
Content-Length: 52
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.124 Safari/537.36
Connection: keep-alive
Content-Type: application/json
The results tree also shows no redirects.
I've tried the solutions here and here but neither of these worked.
Oddly, I'm almost certain that this worked about a month ago and as far as I can tell nothing has changed on the machine, in the script or with the jmeter installation. Obviously one of these is not true but I'm at my wit's end.
Another member of my team answered this for me and it's fairly simple. I just needed to set the 'Implementation' for the problem step to 'HttpClient4'.

spring security session identifier not updated

We have scanned an Spring security app in lab with IBM appscan, and there is a "Session Identifier Not Updated" medium alert . Everything is default, and it is running under Tomcat. So this is a Tomcat issue or Spring Security issue? We are kind of confused by this because it should be a popular out of box combination
Original Request:
j_username&j_password
then it was posted to:
http://localhost/j_spring_security_checkj
Original Response
POST /sp/j_spring_security_check HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cookie: JSESSIONID=14FF774AB81BC86D988D588AC2555BE6
Accept-Language: en-US
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Referer: http://localhost/sp/
Host: localhost
 User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Content-Length: 23

j_username=&j_password=
Appscan seems complained about:
The test result seems to indicate a vulnerability because the session identifiers in the Original Request (on the left) and in the Response (on the right) are identical. They should have been updated in the response.
AppScan is reporting that the application may be a potential target for Session Fixation Attacks.
Spring Security documentation has a section dedicated to preventing this type of attacks. You will want to try the newSession setting mentioned in this section to get rid of the AppScan warning.

Resources