Bank login dialog in an iframe when you shop online, how does it work?

I was shopping online and, at the time of payment, a login dialog from my bank appeared in an iframe. I filled in my details and the online shop page let me go on with the purchase.
How does it work? I guess:
The online shop shows you the page with an iframe pointing to your bank's login widget.
You fill in the login details and the bank authenticates you.
Now, how does the bank pass information to the online shop site to tell them you can go on?
Because the login is in an iframe, and as far as I know what happens in the iframe cannot affect the container page. So once you are authenticated with your bank, how does the bank tell the online shop page "it's good, go on"?
Cheers.

In a typical checkout situation there is, as you can imagine, a lot that goes on behind the scenes. But typically in this scenario one would include with the request to the payment provider (e.g. PayPal, SagePay (formerly Protx), DataCash) a return success URL and a return error URL. Typically a handler of some description on the e-commerce site would receive a callback from the payment provider (i.e. not the iframe) once you have successfully completed authentication with your bank.

The website could have some web services or other services running in the background handling the bank response, setting some sort of cookie or session for the site and loading another page.

Recaptcha for stripe checkout

I'm facing a card testing attack lately on a website that uses Stripe Checkout.
After two days of being under attack, I finally deactivated the page concerned, which leaves my website without any way to pay for services.
Now I would like to add a reCAPTCHA to protect the Stripe button, but I just can't seem to understand how to do it.
I have a page with three services; under each one is a Stripe Checkout button. What I would like to do is prevent bots from accessing the Stripe Checkout page, which is external and hosted on Stripe's servers.
I did reCAPTCHA integrations before in PHP and with a regular form. Here I'm working with Node.js and there's no real form to query. Is it possible to prevent bots from accessing those buttons?
I saw some tutorials online, but every time the form is hosted on the local server.
If you have a clue, it would be a great help.
Thank you
Have you followed the official Google docs for reCAPTCHA v3? They provide code snippets and go into detail about how to do this.
https://developers.google.com/recaptcha/docs/v3
It's easiest to implement it in the payment flow before your customers ever get to the page with the Checkout button (e.g. on the shopping cart page), but you can also bind it to the form action that triggers the creation of the Checkout Session.
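A server-side version of what the answer above suggests, binding reCAPTCHA v3 to the request that creates the Checkout Session rather than to a visible form. This is an added example, not code from the thread, from Stripe or from Google; it assumes Node 18+ (global fetch), a RECAPTCHA_SECRET environment variable, a hypothetical createCheckoutSession() wrapper around stripe.checkout.sessions.create(), and uses shop.example as a placeholder hostname.

```javascript
// Added example, not code from the thread, Stripe or Google: gate the server
// route that creates a Checkout Session behind a reCAPTCHA v3 check, so a bot
// hammering a "Pay" button never reaches Stripe's hosted page.
// Assumes Node 18+ (global fetch), RECAPTCHA_SECRET in the environment, and a
// hypothetical createCheckoutSession() wrapping stripe.checkout.sessions.create().
const RECAPTCHA_VERIFY_URL = "https://www.google.com/recaptcha/api/siteverify";

// Pure decision logic, kept apart from I/O so it can be unit-tested offline.
// `verdict` is the JSON body siteverify returns for a v3 token.
function evaluateRecaptcha(verdict, { expectedAction, minScore = 0.5, hostname }) {
  if (!verdict || verdict.success !== true) {
    return { allow: false, reason: "token invalid, expired or already used" };
  }
  // A v3 token is bound to the action name given to grecaptcha.execute();
  // a token minted for another action must not unlock checkout.
  if (verdict.action !== expectedAction) {
    return { allow: false, reason: `action mismatch: ${verdict.action}` };
  }
  // Optionally refuse tokens solved on a page served from another hostname.
  if (hostname && verdict.hostname !== hostname) {
    return { allow: false, reason: `hostname mismatch: ${verdict.hostname}` };
  }
  if (typeof verdict.score !== "number" || verdict.score < minScore) {
    return { allow: false, reason: `score ${verdict.score} below ${minScore}` };
  }
  return { allow: true, reason: "ok" };
}
// Sends the token posted by the browser to Google's siteverify endpoint.
async function verifyToken(token, remoteIp) {
  const params = new URLSearchParams({ secret: process.env.RECAPTCHA_SECRET, response: token });
  if (remoteIp) params.set("remoteip", remoteIp);
  const res = await fetch(RECAPTCHA_VERIFY_URL, { method: "POST", body: params });
  return res.json();
}

// Express-style handler for POST /create-checkout-session. The Stripe session
// is created only after the token passes, so bots never get a Checkout URL.
// "shop.example" is a placeholder for the site's real hostname.
async function createCheckoutHandler(req, res, createCheckoutSession) {
  const verdict = await verifyToken(req.body.recaptchaToken, req.ip);
  const decision = evaluateRecaptcha(verdict, {
    expectedAction: "checkout", minScore: 0.5, hostname: "shop.example",
  });
  if (!decision.allow) {
    return res.status(403).json({ error: "captcha rejected", reason: decision.reason });
  }
  const session = await createCheckoutSession(req.body.serviceId);
  return res.json({ url: session.url });
}
```

The browser side only has to call grecaptcha.execute(siteKey, { action: "checkout" }) when the button is clicked and POST the resulting token along with the service id; the page can then redirect to the returned Checkout URL.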

How does a Checkout Page take the user input information and pass it to Stripe?

So far I've created a product modal and, upon proceeding to checkout, a Stripe popup appears and the user can proceed with the payment.
https://streamable.com/30p4eh
However, I have to change the checkout button to pop up a checkout page first so the user can enter his delivery address and so on. How does a checkout page deliver the information the user has input into Stripe? How does the whole process work? Do I have to add all my products to the Stripe product page? Can Stripe's Checkout page be used like in this Firebase video?
The Checkout payments guide now includes a nice diagram that I think should help understand what you're asking about.
You create a Checkout Session with the payment information and then redirect your customer to Stripe. Stripe displays the information about the purchase and collects payment information from your customer, then redirects them back to the URL you specify. In the background, you're notified about the success of the payment and you can manage order fulfillment.
If you need more information about a particular piece of this, please feel free to ask with more details!
Update: on a second review, I see that I missed that your video is showing the Legacy Checkout integration. Stripe has a new Checkout integration that supports a wide range of payment methods and supports SCA-compliant authentication challenges. Take a look at the migration guide to update your integration.

Could i change later my registration information as an Instagram Developer

I need to check how the Instagram API works.
I started registration and got stuck on the step of filling in my information.
Could I change my registration information later as an Instagram Developer?
https://monosnap.com/file/IGF5ZpgQ22TM0Wr5gkSFR0PsnWyQDA
They ask me to fill in information such as Company Name, Website URL and so on. I don't have this info now; I just want to check how their API works. So could I change this info later?
Thank you.
Yes, and once your application is approved, you have some flexibility to change:
Application Name
Description
Company Name
Website URL
Privacy Policy URL
Contact email
Valid redirect URIs
Just remember, Instagram is very strict. If you're asking this because you're trying to skirt the API Policies, then the answer is: yes, but your Client will lose its permissions. Just stay in compliance when you make changes or risk being banned. It's really not worth working against Instagram.

Login issue for this web site

One of my friends has a login for this forum, but he was out of town for a long time and did not access this forum for a long time, and that is why he forgot the user ID he used to log in to this website. He probably used a Yahoo or Gmail account to log in to this website, but now he cannot remember which user ID he used. So can anyone tell me how he can find out what user ID or mail ID he used to log in to this website? How do I request a moderator of this website to retrieve his login details... at least his login ID?
My friend's profile is https://stackoverflow.com/users/750398/keith-costa. Looking for help. Thanks.
This is the List of Moderators at Stack Overflow. Only Moderators can see a user's email address. Try sending one of them a message with his user-id (750398), or contacting StackOverflow directly via Contact Us.
That user Keith Costa (750398) hasn't logged in since Jun 20 2012, so I would also recommend he checks all of his email accounts for mail from around that time.
Good luck!

Does my app need SSL on its Paypal redirection & landing pages?

I want to add Paypal functionality to my app but I'm kind of in the dark about some of the security issues.
Specifically, when the user wants to pay, I have to redirect them to Paypal and then Paypal sends me some kind of token/key to indicate whether the payment took place.
So, on the page where I pass the user to Paypal, do I need SSL? Why/why not?
What about the page where I receive the response token from Paypal?
Is it possible for a hacker, for example, to make up some random token and post it to my app to pretend that he paid?
If so, does this mean I need to make another call to Paypal after I receive the token - to make sure the token is real?
I've done this before using Drupal e-commerce to sell app downloads via PayPal and used SSL on neither the redirection nor the landing page. While technically I suppose a hacker could intercept the token of someone who paid for the app and use it to pretend he paid, I don't think this is a likely scenario, because the average criminal is more interested in credit card numbers than one-time free access to some product/service. Further, one of the main reasons you would use PayPal in the first place is so that you wouldn't have to pay as much attention to security as you would if you had to process the users' credit cards yourself, since PayPal takes care of this for you (and their system is secured by SSL).
Correct me if I'm wrong, but I think that without SSL the following two scenarios are possible using a man-in-the-middle attack:
Phishing:
The hacker redirects the user to a PayPal-like site and receives his PayPal user/password or credit card details.
This attack isn't perfect, as phishing sites do get found and pulled down.
Hijacking the payment:
The hacker creates his own real PayPal token (order data scraped from your site) but with his own PayPal account as the receiver and redirects the customer to that address. In this case PayPal's policies might be enough to make these actions pointless.