XSS POST to GET transform prevents 3-D Secure payments
Posted: Fri Apr 24, 2009 7:39 am
The 3-D Secure standard (http://en.wikipedia.org/wiki/3-D_Secure) will redirect the cardholder during shopping to the access control server of his card-issuing bank. This redirect is done with a form submission to another domain than the shop.
The following POST parameters are necessary on the ACS:
PaReq (base64 encoded, signed XML document)
MD (session identifier)
TermUrl (return url to the shop)
After cardholder authentication on the ACS, the cardholder's browser must return to the shop system. This is done with a form submission to the above-mentioned TermUrl. On this page the following POST parameters are necessary:
PaRes (Base64 encoded, signed XML document)
MD (same session identifier as above)
With a standard configuration of the great NoScript plugin, no 3DS payment is possible.
Thanks for investigating/thinking about it.
Thomas
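As an added illustration (not part of Thomas's post or of NoScript), a small Python model of the two form submissions described above and of the shop-side TermUrl check, where the cross-site POST-to-GET downgrade is modelled as dropping the request body. The shop URL, the session identifier and the PaRes XML are constructed placeholders, and signature verification of the PaRes is assumed to happen elsewhere.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample data (not from the post): a minimal, unsigned stand-in for a PaRes document.
SAMPLE_PARES_XML = b"<ThreeDSecure><Message id='1'><PARes><TX><status>Y</status></TX></PARes></Message></ThreeDSecure>"
SAMPLE_PARES = base64.b64encode(SAMPLE_PARES_XML).decode()
SHOP_TERM_URL = "https://shop.example/3ds-return"  # placeholder TermUrl
SESSIONS = {"sess-123": {"amount": "19.99"}}      # MD -> pending shop session (constructed)


def merchant_to_acs_form(pareq, md, term_url):
    """POST parameters the shop's auto-submitting form sends to the issuer's ACS."""
    return {"PaReq": pareq, "MD": md, "TermUrl": term_url}


def acs_to_termurl_form(pares, md):
    """POST parameters the ACS form sends the browser back to the shop's TermUrl with."""
    return {"PaRes": pares, "MD": md}


def xss_filter_downgrade(request):
    """Model of a cross-site POST -> GET transform: only the URL survives, the body is dropped."""
    return {"method": "GET", "url": request["url"], "params": {}}


def handle_term_url(request, sessions=SESSIONS):
    """Shop-side TermUrl handler; returns a short verdict so the shop can show a useful error."""
    params = request["params"]
    if request["method"] != "POST" or "PaRes" not in params or "MD" not in params:
        return "missing_parameters"  # the failure mode from the post: the POST body never arrived
    if params["MD"] not in sessions:
        return "unknown_session"     # MD must match a pending session this shop started
    try:
        root = ET.fromstring(base64.b64decode(params["PaRes"], validate=True))
    except (ValueError, ET.ParseError):
        return "malformed_pares"
    # Assumption: PaRes signature verification (issuer/directory keys) is done before trusting status.
    return "authenticated" if root.findtext(".//status") == "Y" else "not_authenticated"


def simulate_return(downgrade):
    """Browser returns from the ACS to TermUrl, optionally through the POST->GET transform."""
    request = {"method": "POST", "url": SHOP_TERM_URL,
               "params": acs_to_termurl_form(SAMPLE_PARES, "sess-123")}
    if downgrade:
        request = xss_filter_downgrade(request)
    return handle_term_url(request)
```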