Moneris - Setting up a Test Hosting Pay Page - payment

I'm trying to make a fix to a moneris website, but I have to change the mode of moneris to test to test the changes before pushing in production.
I'm trying the code on the example page as is and got an error. "Invalid store credentials."
<FORM METHOD="POST" ACTION= https://esqa.moneris.com/HPPDP/index.php >
<INPUT TYPE="HIDDEN" NAME="ps_store_id" VALUE="AF4Fs1024">
<INPUT TYPE="HIDDEN" NAME="hpp_key" VALUE="Hsjh4GSr4g">
<INPUT TYPE="HIDDEN" NAME="charge_total" VALUE="1.00">
<!--MORE OPTIONAL VARIABLES CAN BE DEFINED HERE -->
<INPUT TYPE="SUBMIT" NAME="SUBMIT" VALUE="Click to proceed to Secure Page">
</FORM>
So if this is not how you can make a test payment to test the process, how can you?
PS: Seems there's no moneris tag.

You need to goto the developers page of Moneris and create a test environment first Developer Page
After creating the test store you'll need to input the store id and hp key in the values of the form you posted.

Related

REST API Security : Use ID to update database

I built a simple REST FULL API with NodeJS.
When it comes to HTML code, I do have :
<form method="post" action="/registry/api">
<input name="id" type="text" value="6" readonly>
<input name="name" type="text" value="TEST name">
<input name="description" type="text" value="TEST desc">
<input name="approved" type="checkbox" checked>
<input type="submit" value="Update">
</form>
But if I go in the console, erase 'readonly' and change this id from '6' to '7', my API indeed receives the bad id and update the bad row in database.
How can I fight this ?
Your API should implement some kind of authentication and authorisation layer. One way to do this is to pass a token along with the request (e.g. in Authorization header), so you will know on the backend side, who is the user requesting this action. Then you can simple check whether given user is permitted to do such an action (with given id).
You can take a look at this blogpost, which describes this pattern using JWT (JSON web tokens):
https://scotch.io/tutorials/authenticate-a-node-js-api-with-json-web-tokens

j_security_check invalid direct reference

I currently have a login form on a public, unprotected http page. Upon login I want the page to redirect to a secure https page. I am receiving this error screen when I try to login however:
I'm 90% sure my syntax is accurate. I have this exact form as a login page elsewhere on the site. This implementation is for a drop down box that enables the user to login. Here is my form for reference. Any help is appreciated, Thanks.
<div class="login-options">
<form id="login" name="j_security_form" action="<%out.write(Dropdown.getXML("https://www.xxx.com/public/j_security_check")); %>" method="post" accept-charset="UTF-8">
<strong>Account Login</strong><br>
Username:<br>
<input type="text" name="j_username"><br>
Password:<br>
<input type="password" name="j_password"><br>
<br>
<input type="submit" value="Login"><br>
<br>
New users register here<br>
Forgot password?
<input type="hidden" name="auth_mode" value="basic">
<script>
var newloc = document.location.href;
newloc =newloc.replace('index.jsp','index.jsp');
document.write('<input type="hidden" name="orig_url" value="'+newloc+'">');
</script>
</form>
</div>
Might be because you're trying to directly reference the url for j_security_check. I would try referencing a page that requires login creds, then it'll redirect to the secure page once it sees that there are adequate credentials.

Cannot track the user securely who made the purchase in PayPal IPN

I am building a website which utilizes paypal payment system and I came up with one security challenge issue:
I have the following form from paypal IPN:
<form class="form-horizontal" action="https://www.paypal.com/cgi-bin/webscr" method="post" target="_top">
<input type="hidden" name="cmd" value="_s-xclick">
<input type="hidden" name="hosted_button_id" value="ABCDEFEGDEDS">
<input type="hidden" name="on0" value="Balance">
<label>Amount</label>
<select class="form-control" name="os0" id="deposit_paypal">
<option value="1000">$1000.00 USD</option>
<option value="2000">$2000.00 USD</option>
</select>
<input type="hidden" name="custom" value="<?php echo $user->id; ?>">
<input type="image" src="https://www.paypalobjects.com/ru_RU/i/btn/btn_buynow_SM.gif" border="0" name="submit" alt="PayPal">
<img alt="" border="0" src="https://www.paypalobjects.com/en_US/i/scr/pixel.gif" width="1" height="1">
I wanted to know which user has made the transaction. Searching the internet, I've found that I can create a custom field as I did above. The reason I track the user is I should add balance to his virtual account after purchase completed.
But the problem is: What if malicious code(javascript malware) just changes the user id in the custome form field to 4?
The balance will be added to that user which has the id of 4 not previous one.
Ok. One would recommend me inserting the form data to db before sending to paypal for later comparison.
Second problem arises. What if the user just exits the paypal page without completing the order after pressing the submit button? This is something I cannot track since paypal does not belong to me and it opens in other page.
Please, any other solution to these issues? I want some best practice where I can track securely which user has made the purchase through paypal IPN.
You could store the data in your database within a temp table, then once the IPN completes you can move it over to the permanent table. Set up a cron job or scheduled task to go through your system every 24 hours or so and delete any records that have not completed in that time.

"Cannot POST /dialog/authorize/decision" while implementing the OAuthorize example

I'm implementing OAuth 1.0a with the OAuthorize library. I'm following the example provided by the library.
I'm hosting my app at Heroku. Using the test client I'm able to GET a request token, and use it to /dialog/authorize:
Hi Bob Smith!
Samplr is requesting access to your account.
Do you approve?
When I press Allow, I get a Cannot POST /dialog/authorize/decision.
I've registered the endpoint in app.js:
app.post('/dialog/authorize/decision', oauth.userDecision);
Either I am missing something silly from the OAuthorize example or there is a fault in the way I'm handling the transaction.
dialog.ejs:
<form action="/dialog/authorize/decision" method="post">
<input name="transaction_id" type="hidden" value="<%= transactionID %>">
<div>
<input type="submit" value="Allow" id="allow">
<input type="submit" value="Deny" name="cancel" id="deny">
</div>
</form>
For me, the issue was that I didn't provide a proper callbackURL in server.userAuthorization callback.
see https://github.com/jaredhanson/oauthorize/blob/master/examples/express2/db/accessTokens.js#L10 and https://github.com/jaredhanson/oauthorize/blob/master/examples/express2/oauth.js#L152

Creating Paypal Donate button without access to PayPal account

I am building a website for a not for profit. I had the treasurer of the charity create a PayPal account for the charity and they have the PayPal login information.
I am trying to follow best practices for security and for this reason I, as the programmer, should not need to have the ability to login to their PayPal account. If for no other reason than if someone screws with the account or diverts money they will not put me on the list of suspects this seems to be the best way.
What I do need to do is put a donate button on their website. Normally one would simply login to PayPal and PayPal will generate the HTML code for you. If the client were proficient I could have them do this and email me the code snippet, but such is not the case.
What is the minimum amount of information I need from the treasurer, the account number? Also what is the easiest way for them to get me the information I require?
You should only need the email associated with the Paypal account receiving the donations to Create a Donate Button.
The above link will generate the following markup for you:
<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="cmd" value="_donations">
<input type="hidden" name="business" value="josh#example.com">
<input type="hidden" name="lc" value="US">
<input type="hidden" name="item_name" value="Stackoverflow">
<input type="hidden" name="no_note" value="0">
<input type="hidden" name="currency_code" value="USD">
<input type="hidden" name="bn" value="PP-DonationsBF:btn_donateCC_LG.gif:NonHostedGuest">
<input type="image" src="https://www.paypalobjects.com/en_US/i/btn/btn_donateCC_LG.gif" border="0" name="submit" alt="PayPal - The safer, easier way to pay online!">
<img alt="" border="0" src="https://www.paypalobjects.com/en_US/i/scr/pixel.gif" width="1" height="1">
</form>
The only line you will have to alter is the business input, which will be the Paypal account recipient.

Resources