Fixed vulnerability that made a man-in-the-middle attack possible. The checksum header is now always required on responses. If no checksum header is present, it is presumed that the Merchant ID was entered incorrectly.
unknown authored and unknown committed Apr 14, 2016
1 parent 1d64706 commit 61f6b87
Showing 13 changed files with 27 additions and 68 deletions.
4 changes: 0 additions & 4 deletions Classes/Base.cs
@@ -1,8 +1,4 @@
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;

namespace IcepayRestClient.Classes
{
7 changes: 1 addition & 6 deletions Classes/Payment/AutomaticCheckout.cs
@@ -1,9 +1,4 @@
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;


namespace IcepayRestClient.Classes.Payment
{
public class AutomaticCheckoutRequest : CheckoutRequest { }
7 changes: 1 addition & 6 deletions Classes/Payment/Checkout.cs
@@ -1,9 +1,4 @@
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;


namespace IcepayRestClient.Classes.Payment
{
public class CheckoutRequest : Base
7 changes: 1 addition & 6 deletions Classes/Payment/GetMyPaymentMethods.cs
@@ -1,9 +1,4 @@
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;


namespace IcepayRestClient.Classes.Payment
{
public class GetMyPaymentMethodsRequest : Base { }
7 changes: 1 addition & 6 deletions Classes/Payment/GetPayment.cs
@@ -1,9 +1,4 @@
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;


namespace IcepayRestClient.Classes.Payment
{
public class GetPaymentRequest :Base
7 changes: 1 addition & 6 deletions Classes/Payment/VaultCheckout.cs
@@ -1,9 +1,4 @@
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;


namespace IcepayRestClient.Classes.Payment
{
public class VaultCheckoutRequest:CheckoutRequest
7 changes: 1 addition & 6 deletions Classes/Refund/CancelRefund.cs
@@ -1,9 +1,4 @@
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;


namespace IcepayRestClient.Classes.Refund
{
public class CancelRefundRequest : Base
7 changes: 1 addition & 6 deletions Classes/Refund/GetPaymentRefunds.cs
@@ -1,9 +1,4 @@
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;


namespace IcepayRestClient.Classes.Refund
{
public class GetPaymentRefundsRequest : Base
7 changes: 1 addition & 6 deletions Classes/Refund/RequestRefund.cs
@@ -1,9 +1,4 @@
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;


namespace IcepayRestClient.Classes.Refund
{
public class RequestRefundRequest : Base
18 changes: 16 additions & 2 deletions Classes/RestClient.cs
@@ -1,5 +1,4 @@
using Newtonsoft.Json;
using System;
using System.IO;
using System.Net;
using System.Security.Cryptography;
Expand Down Expand Up @@ -59,16 +58,31 @@ public class RestClient
response = JsonConvert.DeserializeObject<TResponse>(rawResponse);

//verify response checksum
//always require presence of a checksum header
if (!string.IsNullOrWhiteSpace(webresponse.Headers["Checksum"]))
{
var responseChecksum = webresponse.Headers["Checksum"];
var responseSignString = webresponse.ResponseUri.AbsoluteUri + "POST" + merchantID.ToString() + merchantSecret + rawResponse;
var responseVerificationChecksum = Sha256(responseSignString);
if (!responseChecksum.Equals(responseVerificationChecksum, System.StringComparison.InvariantCultureIgnoreCase))
{
response = new TResponse { Message = "Response signature invalid." };
if (string.IsNullOrWhiteSpace(response.Message))
{
response = new TResponse { Message = "Authentication error: the checksum was incorrect. Verify your secret code." };
}
response = new TResponse { Message = response.Message };
}
}
else
{
//if no checksum header was present in the response, the most likely cause is that the sender ID was invalid
//return only the response message and regard the response as failed
if (string.IsNullOrWhiteSpace(response.Message))
{
response = new TResponse { Message = "Authentication error: no checksum found. Verify your merchant ID." };
}
response = new TResponse { Message = response.Message };
}

//close streams
writer.Dispose();
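Review bot: Both new fallback branches (the checksum-mismatch branch and the missing-header branch) copy `response.Message` out of a body whose checksum either failed verification or was never verified, so in exactly the tampering scenario this commit is meant to close, the text handed to the caller is still chosen by whoever altered the response. Each branch should assign the fixed message unconditionally, `response = new TResponse { Message = "Authentication error: the checksum was incorrect. Verify your secret code." };` and `response = new TResponse { Message = "Authentication error: no checksum found. Verify your merchant ID." };`, which also removes the `response.Message` read that would throw NullReferenceException if `JsonConvert.DeserializeObject` returned null (a body of literal `null`) a few lines above. Separately, the digest comparison just above the mismatch branch uses `InvariantCultureIgnoreCase`; a hex digest is not linguistic text and should be compared with `StringComparison.OrdinalIgnoreCase`. The enclosing method starts before and ends after this hunk.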
2 changes: 1 addition & 1 deletion LICENSE
@@ -1,4 +1,4 @@
Copyright (c) 2015, ICEPAY - Transaction Performance
Copyright (c) 2015-2016, ICEPAY - Transaction Performance
All rights reserved.

Redistribution and use in source and binary forms, with or without
5 changes: 0 additions & 5 deletions Refund.cs
@@ -1,9 +1,4 @@
using IcepayRestClient.Classes.Refund;
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;

namespace IcepayRestClient
{
10 changes: 2 additions & 8 deletions ServiceBase.cs
@@ -1,10 +1,4 @@
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;

namespace IcepayRestClient
namespace IcepayRestClient
{
public abstract class ServiceBase
{
Expand All @@ -14,7 +8,7 @@ public abstract class ServiceBase
public ServiceBase(int merchantID, string merchantSecret)
{
this.MerchantID = merchantID;
this.MerchantSecret=merchantSecret;
this.MerchantSecret = merchantSecret;
}
}
}
