Problem description
PayPal IPN sends a POST request with a variable number of fields to the notify URL. In order to confirm that the POST request is legit, we need to resubmit the same request along with an additional cmd=_notify-validate field to PayPal, which then replies VERIFIED or INVALID.
My question is, why do we need to resend the request to PayPal? Wouldn't something like this suffice?
if (preg_match('~^(?:.+[.])?paypal[.]com$~i', gethostbyaddr($_SERVER['REMOTE_ADDR'])) > 0)
{
// request came from PayPal, it's legit.
}
Iff we can trust the server to correctly resolve IPs, I assume we can trust all requests from PayPal, no?
Recommended answer
I know this question is quite old, but:
The attacker does not even need to spoof his IP or perform any sort of MITM to pass your validation:
- He connects from his own machine with IP address x.y.z.t.
- Your server calls gethostbyaddr("x.y.z.t"), which sends a DNS query for the name t.z.y.x.in-addr.arpa.
- If x.y.z.t belongs to the attacker, chances are he controls (at least) the DNS domain z.y.x.in-addr.arpa as well (since that contains his own IP). So he can return "paypal.com" in response to that query.
- Your server receives "paypal.com" from the attacker's DNS server, and your validation check succeeds.
This attack is defeated by sending a request to PayPal as recommended by Lobos.
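The following is an added example, not code from the question, the answer or PayPal. It is written in Python rather than the question's PHP so that both the attacker's reverse zone and PayPal's validation endpoint can be stubbed in-process and run offline. It shows the two sides of this thread: the reverse-DNS check from the question accepting a request purely because the attacker's own PTR record says "paypal.com", and the cmd=_notify-validate round trip from the question's first paragraph rejecting a message PayPal never issued. The attacker address (RFC 5737 documentation range), the IPN field values and the txn_id are constructed; the endpoint URL is assumed from PayPal's IPN documentation and is never contacted here.

```python
import re
import urllib.request
from urllib.parse import parse_qsl, urlencode

# The regex from the question's PHP check, translated to Python.
PAYPAL_HOST_RE = re.compile(r"^(?:.+\.)?paypal\.com$", re.IGNORECASE)

# Constructed attacker address (RFC 5737 documentation range).
ATTACKER_IP = "198.51.100.7"

# Endpoint name assumed from PayPal's IPN documentation; this example
# never contacts it.
PAYPAL_VALIDATE_URL = "https://ipnpb.paypal.com/cgi-bin/webscr"


def passes_ptr_check(remote_addr, reverse_lookup):
    """The check proposed in the question: trust the request if the PTR
    name for the client address ends in paypal.com. reverse_lookup plays
    the role of gethostbyaddr()."""
    return PAYPAL_HOST_RE.match(reverse_lookup(remote_addr)) is not None


def attacker_reverse_dns(ip):
    """Constructed stand-in for the attacker's in-addr.arpa zone: for his
    own address he answers 'paypal.com'. No IP spoofing, no MITM."""
    return "paypal.com" if ip == ATTACKER_IP else "host.attacker.example"


def build_validate_body(raw_post_body):
    """Body for the round trip: cmd=_notify-validate first, then the raw
    body exactly as received (same fields, same order, same encoding).
    In PHP take it from php://input rather than re-encoding $_POST."""
    return "cmd=_notify-validate&" + raw_post_body


def verify_ipn(raw_post_body, post_to_paypal):
    """post_to_paypal(body) -> reply text. Only the exact reply VERIFIED
    is accepted; INVALID, an error page or anything else means: do not
    treat the notification as genuine."""
    reply = post_to_paypal(build_validate_body(raw_post_body))
    return reply.strip() == "VERIFIED"


def post_to_paypal_live(body):
    """Real transport for verify_ipn (not used in the offline demo)."""
    req = urllib.request.Request(
        PAYPAL_VALIDATE_URL,
        data=body.encode("utf-8"),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8")


class FakePayPal:
    """Constructed stand-in for PayPal's _notify-validate endpoint: it
    remembers every IPN body it issued and confirms only those."""

    def __init__(self):
        self._issued = set()

    def send_ipn(self, fields):
        body = urlencode(fields)
        self._issued.add(body)
        return body

    def notify_validate(self, body):
        fields = parse_qsl(body, keep_blank_values=True)
        if not fields or fields[0] != ("cmd", "_notify-validate"):
            return "INVALID"
        return "VERIFIED" if urlencode(fields[1:]) in self._issued else "INVALID"


def demo():
    paypal = FakePayPal()
    # Constructed IPN fields; the txn_id is made up.
    genuine = paypal.send_ipn([
        ("txn_id", "7AB12345CD678901E"),
        ("payment_status", "Completed"),
        ("mc_gross", "10.00"),
        ("receiver_email", "seller@example.com"),
    ])
    # The same notification re-posted by the attacker with the amount changed.
    forged = urlencode([
        ("txn_id", "7AB12345CD678901E"),
        ("payment_status", "Completed"),
        ("mc_gross", "1000.00"),
        ("receiver_email", "seller@example.com"),
    ])
    return {
        "ptr_check_fooled": passes_ptr_check(ATTACKER_IP, attacker_reverse_dns),
        "genuine_verified": verify_ipn(genuine, paypal.notify_validate),
        "forged_verified": verify_ipn(forged, paypal.notify_validate),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The PTR check passes for the attacker's own address without any spoofing, exactly as the answer describes, while the round trip only confirms the body PayPal actually sent. Note that VERIFIED proves only that PayPal issued the message; the handler still has to check that receiver_email, mc_gross and mc_currency match the order and that the txn_id has not been processed before, otherwise a genuine notification can be replayed.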