Payment Gateways and CSRF protection

   —   

Changes and improvements on CSRF protection and their relation to payment gateway IPNs, that are neccessary as a new approach that creates a HttpHandler from the IPN

With great security comes great responsibility. We had tightened our security (In regards to continuous improvement from malicious attacks and request forgery) throughout Kentico 9. In one of our later hotfixes, we increased request checks to all post requests regardless of their headers. However, this created a slight problem with payment gateways IPNs.

The issue lies in the fact that the gateway itself inherits from the CMSPage class and thus is subject to CSRF protection. All posts requests are validated for a hidden field value against a cookie token value but with the way that these gateways work (which only listen to requests from a provider), this is an issue. The Payment provider is not aware of our security policy and does not send any headers much less security tokens generated by us.

This is why we created a hotfix for Kentico 10.0.3 where we check for Page.Items["CsrfProtectionDisabledOnPage"] = true. This is added as part of the out of the box gateways functionality (PayPal and Authorize.net) and can be utilized in your custom gateways as well.

Update (16.1.2018)! This workaround is no longer available in Kentico 11 and higher and API checking for this item was removed. Workaround was added due to issues with protection and payment gateways only and they have been rewritten during v11 e-commerce rebuild. 

This approach, however, should only be used as a workaround! Please do not put pages out of the CSRF checks deliberately!

If you want to avoid these complications, you can consider another approach. Gateways are naturally just "receivers" and they do not have to be implemented in an aspx page at all. All they need to do is utilize Kentico API to process and finish the payment process and order.

Instead of the hotfix, you can rewrite your handlers to be http handlers which then process these requests. All you need to do is create a new class that inherits from IhttpHandler and set it up inside Kentico to be the IPN. The following is a rewrite of the PayPal IPN that we used with Kentico 9 ( for version 10 a change of namespace is required CMS.EcommerceProvider does not exist in Kentico 10, and CMS.Ecommerce.Web.UI should be used instead , but that should be all): 

<%@ WebHandler Language = "C#" Class="PayPalIPN" %>
using System;
using System.Web;
using CMS.Ecommerce;
using CMS.EcommerceProvider;
using CMS.EventLog;
using CMS.Helpers;
using CMS.Localization;
public class PayPalIPN : IHttpHandler
{
private int mOrderId = 0;
private string mTransactionId = "";
private string mPaymentStatus = "";
private string mOrderCulture = null;
public void ProcessRequest(HttpContext context)
{
var request = context.Request;
// Get order id
mOrderId = ValidationHelper.GetInteger(request.Form["invoice"], 0);
// Get transaction id
mTransactionId = ValidationHelper.GetString(request.Form["txn_id"], "");
// Get payment status
mPaymentStatus = ValidationHelper.GetString(request.Form["payment_status"], "");
// Get notification culture stored in custom field
mOrderCulture = ValidationHelper.GetString(request.Form["custom"], "");
CMSPayPalProvider payPalProvider;
string errorMessage;
// Get PayPal provider
OrderInfo oi = OrderInfoProvider.GetOrderInfo(mOrderId);
if (oi != null)
{
try
{
payPalProvider = (CMSPayPalProvider)CMSPaymentGatewayProvider.GetPaymentGatewayProvider(oi.OrderPaymentOptionID);
payPalProvider.OrderId = mOrderId;
}
catch (Exception ex)
{
// Log exception
errorMessage = EventLogProvider.GetExceptionLogMessage(ex);
LogEvent(errorMessage, "Payment_Provider_Not_Found");
return;
}
}
else
{
// Order not found
errorMessage = string.Format(LocalizationHelper.GetString("PaymentGatewayProvider.ordernotfound"), mOrderId);
LogEvent(errorMessage, "Order_Not_Found");
return;
}
PayPalPaymentResultInfo paypalResult = (PayPalPaymentResultInfo)(payPalProvider.PaymentResult);
// Confirm payment and get PayPal payment gateway response
string response = payPalProvider.ConfirmPayment(request.Form).ToLowerCSafe();
// Check IPN validation result
var verified = (response == "verified");
if (!verified)
{
LogEvent(LocalizationHelper.GetString("com.ipninvalidnotification"), "IPNNotificationValidation");
return;
}
// Set payment as verified
paypalResult.PayPalPaymentVerified = true;
// Set transaction ID
paypalResult.PaymentTransactionID = mTransactionId;
// Set payment status
paypalResult.PayPalPaymentStatus = PayPalPaymentResultInfo.GetPayPalPaymentStatus(mPaymentStatus);
// Set payment as completed / not completed
switch (paypalResult.PayPalPaymentStatus)
{
case PayPalPaymentStatusEnum.CanceledReversal:
case PayPalPaymentStatusEnum.Completed:
case PayPalPaymentStatusEnum.Processed:
paypalResult.PaymentIsCompleted = true;
break;
default:
paypalResult.PaymentIsCompleted = false;
break;
}
// Compare payment data to order data
string error = payPalProvider.ComparePaymentDataToOrderData(request.Form);
if (error != "")
{
paypalResult.PaymentIsCompleted = false;
paypalResult.PayPalPaymentVerified = false;
paypalResult.PaymentDescription = error;
}
// Order culture
payPalProvider.ShoppingCartInfoObj.ShoppingCartCulture = mOrderCulture;
// Update order payment result in database
errorMessage = payPalProvider.UpdateOrderPaymentResult();
if (errorMessage != "")
{
// Log the event
errorMessage += error;
LogEvent(errorMessage, "Order_Payment_Result_Update");
}
}
/// <summary>
/// Logs error.
/// </summary>
/// <param name="message">Error message</param>
/// <param name="eventCode">Event code</param>
protected void LogEvent(string message, string eventCode)
{
try
{
// Add some additional information to the error message
string info = "ORDER ID: " + mOrderId + "\r\n";
info += "TRANSACTION ID: " + mTransactionId + "\r\n";
info += "PAYMENT STATUS: " + mPaymentStatus + "\r\n";
message = info + message;
EventLogProvider.LogEvent(EventType.ERROR, "PayPal IPN", eventCode, message);
}
catch
{
// Unable to log the event
}
}
public bool IsReusable
{
get
{
return false;
}
}
}
view raw KenticoPayPalHttpHandler.ashx hosted with ❤ by GitHub
Share this article on   LinkedIn

Michal Samuhel

I am solution architect at Kentico. I help with all possible and impossible issues, development, deployment and others. Kinda wild card in here. I like reading new information and sometimes I even publish a line or two.