industry · 2026-05-25 · 13 min read

Stripe payment-intent endpoint had no auth: session_id ownership bypass (PP C2, PR #548)

Cagri, a 35-year-old independent payment systems security researcher from Mudanya, Bursa, has 8 years in the field: 5 years in AppSec at Garanti BBVA (Stripe/iyzico/Innovate integrations) and 3 years solo as @cagri-paysec, working on integration security for Turkish and EU payment processors. In Q1 2026 he audited the customer-side payment flow in the thMenu open-source repo and found that POST /api/stripe/payment-intent, the endpoint that creates the Stripe PaymentIntent when a table-order customer enters card details, accepted a body of session_id + amount + currency with zero authentication, no ownership check on session_id, and a client-controllable amount.

He described three attack vectors: (1) session ID enumeration and PaymentIntent forgery across customers: a session_id leaked through a URL, a screenshot or social engineering can be sent in a crafted request, and the attacker's Stripe Elements card is charged against another customer's PaymentIntent; (2) amount manipulation: the amount in the client body is not validated, and while orders.total_cents is computed server-side, this endpoint is independent of it; (3) DoS amplification: with no authentication and no per-IP rate limit, a distributed botnet can create millions of PaymentIntents and burn the Stripe quota.

Lab reproduction with two accounts, A and B: A places a table order and its session_id is copied; B POSTs that session_id with amount 1 and a currency and receives 200 OK with a client_secret, because no ownership check exists. The writeup rated the finding CVSS 8.6 HIGH and proposed a three-part fix: session_id ownership via table_sessions.host_device_id, server-side amount derivation from order_id, and a per-IP limit of 10/min keyed on a daily-salted IP hash, following the PR #318 pattern.

Engineering reproduced it in 45 minutes and worked through three wrong theories: (1) "Stripe Elements validates client-side, so the server does not need to": wrong, the server cannot guarantee the integrity of PaymentIntent metadata, so server-side validation is mandatory; (2) "orders.total is computed server-side": correct but incomplete, because /api/stripe/payment-intent is a separate endpoint with its own body and must validate its own amount; (3) "session_id is a UUID v4 and secret-ish": wrong, it is visible to the customer in the URL, the network tab and QR-scan history, so it is not predictable but it is observable, and ownership needs its own validation layer. The correct triad: ownership verification, server-side amount derivation and per-IP rate limiting.
Forensics: apps/web-menu/src/app/api/stripe/payment-intent/route.ts had no validation at all. The Platinum-tier customer-side payment flow carried an auth/ownership TODO in its initial design that was skipped before the production deploy. The table_sessions.host_device_id field has existed since PR M20 and the ownership check was already shipped on table-session/join, but it was never applied to payment-intent. A 90-day production audit of 28000 requests found 0 exploits: exploitable in theory, not yet exploited.

PR #548 (batch PP C2) ships a three-layer fix.
Layer 1, session_id ownership: SELECT 1 FROM table_sessions WHERE id=? AND host_device_id=? AND expires_at>now AND restaurant_id=?, where host_device_id comes from the cookie set by table-session/join (PR #335, magic-link pattern); on mismatch the endpoint returns 403 session_ownership_mismatch.
Layer 2, server-side amount: the body amount is IGNORED; the amount comes from SELECT total_cents, currency FROM orders WHERE table_session_id=? AND status='pending', and the derived value is what goes to Stripe create, so client manipulation is impossible.
Layer 3, per-IP rate limit 10/min: checkRateLimit with endpointId stripe-pi-create, limit 10, windowMs 60000, keyed on a composite of the daily-salted IP hash and session_id. Legitimate use is 1-3 PaymentIntents per order, so the budget is sufficient while a botnet PI-bomb stays bounded.
Bonus, a structured audit log: console.log of event pi_created with session_id, amount, restaurant_id, host_device_id and caller_ip, shipped via Logpush and Sentry as SOC 2 evidence and for suspicious-pattern detection.

Post-deploy, 30 days: 24000 legitimate PaymentIntents, 0 session_ownership_mismatch (Stripe Elements sends the correct session_id), 0 rate-limit hits, endpoint stable. Cagri received €2400 via Wise for the CVSS 8.6 finding, plus a Hall of Fame entry and an advisory board seat; his blog (2.7k, Turkish payment security community) presented the Mudanya, Bursa disclosure response as a benchmark. Aoife, 37, from Manchester's Northern Quarter, 8 years ex-Klarna platform security (@aoife-paysec), filed a parallel disclosure and received €2800 (LinkedIn 5.6k). The pattern: every payment-affecting endpoint (PaymentIntent create, refund, tip-adjust, dispute) ALWAYS gets the three-prong hardening: ownership verification, server-side amount derivation with the client body ignored, per-IP rate limiting, plus a structured audit log.
Sibling sweep: /api/stripe/payment-intent (PP C2), /api/orders/[id]/tip (PR #326: tip cap + rate-limit), /api/orders/[id]/refund (PR #328: cumulative + race-guard), /api/orders (PR #11 H10: idempotency-key + rate-limit), /api/loyalty/redeem (PR #311: atomic + IP hash), /api/promo/apply (PR #507: atomic + rate-limit). Implementation checklist: identify the payment endpoint; verify ownership (session_id/order_id × host_device_id/user_id); derive the amount server-side; per-IP rate limit (10/min payment default); structured audit log; Stripe idempotency-key (PR #661, XI F2); PR template checkbox; quarterly grep audit. PR #548 is the reference.
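The three layers plus the audit log, as an added example that is not thMenu's route.ts or any code from PR #548: the two SQL queries from the writeup are stood in by constructed in-memory rows, the Stripe call is a placeholder, and the rate limit runs before the ownership lookup so that an unauthenticated flood never reaches the database (that ordering, the RATE_SALT constant, the request/response shapes and the restaurantId parameter are this example's assumptions). Sending amount 1 in the body against a 4250-cent pending order yields a 4250-cent intent; a cookie from another device yields 403 session_ownership_mismatch; the 11th request in a minute yields 429.

```typescript
import { createHash } from "crypto";

// Constructed stand-ins for the table_sessions and orders tables (the real project queries a database).
interface TableSession { id: string; host_device_id: string; restaurant_id: string; expires_at: number; }
interface Order { table_session_id: string; status: "pending" | "paid"; total_cents: number; currency: string; }

const T0 = Date.now();
const tableSessions: TableSession[] = [
  { id: "sess-A", host_device_id: "dev-A", restaurant_id: "rest-1", expires_at: T0 + 3_600_000 },
  { id: "sess-B", host_device_id: "dev-B", restaurant_id: "rest-1", expires_at: T0 + 3_600_000 },
];
const orders: Order[] = [
  { table_session_id: "sess-A", status: "pending", total_cents: 4250, currency: "eur" },
];

export interface PiRequest {
  body: { session_id: string; amount?: number; currency?: string }; // amount and currency are never read
  cookies: { host_device_id?: string };                               // set by table-session/join
  ip: string;
  restaurantId: string;                                               // assumed: resolved by the tenant/host layer
}
export interface PiResponse { status: number; error?: string; amount?: number; currency?: string; client_secret?: string; }

// Layer 1: SELECT 1 FROM table_sessions WHERE id=? AND host_device_id=? AND expires_at>now AND restaurant_id=?
export function sessionOwnedBy(sessionId: string, deviceId: string, restaurantId: string, now: number): boolean {
  return tableSessions.some(
    (s) => s.id === sessionId && s.host_device_id === deviceId && s.restaurant_id === restaurantId && s.expires_at > now,
  );
}

// Layer 2: SELECT total_cents, currency FROM orders WHERE table_session_id=? AND status='pending'
export function pendingOrderTotal(sessionId: string): { total_cents: number; currency: string } | null {
  const o = orders.find((x) => x.table_session_id === sessionId && x.status === "pending");
  return o ? { total_cents: o.total_cents, currency: o.currency } : null;
}

// Layer 3: fixed window of 10 per 60 s, keyed on daily-salted IP hash + session_id.
const RATE_SALT = "constructed-example-salt"; // assumed: a real deployment keeps this in a secret store
const RATE_LIMIT = { endpointId: "stripe-pi-create", limit: 10, windowMs: 60_000 };
const buckets = new Map<string, { count: number; windowStart: number }>();

export function dailySaltedIpHash(ip: string, now: number): string {
  const day = new Date(now).toISOString().slice(0, 10); // key rotates daily, so raw IPs are never stored
  return createHash("sha256").update(`${day}:${RATE_SALT}:${ip}`).digest("hex").slice(0, 16);
}

export function checkRateLimit(key: string, now: number): boolean {
  const b = buckets.get(key);
  if (!b || now - b.windowStart >= RATE_LIMIT.windowMs) {
    buckets.set(key, { count: 1, windowStart: now });
    return true;
  }
  b.count += 1;
  return b.count <= RATE_LIMIT.limit;
}

export function createPaymentIntent(req: PiRequest, now: number = Date.now()): PiResponse {
  // Rate limit first (example's ordering choice): a flood is rejected before any database lookup.
  const ipHash = dailySaltedIpHash(req.ip, now);
  const key = `${RATE_LIMIT.endpointId}:${ipHash}:${req.body.session_id}`;
  if (!checkRateLimit(key, now)) return { status: 429, error: "rate_limited" };

  // Ownership: the session must belong to the device cookie and the current restaurant, and be unexpired.
  const deviceId = req.cookies.host_device_id;
  if (!deviceId || !sessionOwnedBy(req.body.session_id, deviceId, req.restaurantId, now)) {
    return { status: 403, error: "session_ownership_mismatch" };
  }

  // Amount: derived from the pending order; req.body.amount and req.body.currency are discarded.
  const order = pendingOrderTotal(req.body.session_id);
  if (!order) return { status: 404, error: "no_pending_order" };

  // Placeholder for stripe.paymentIntents.create({ amount: order.total_cents, currency: order.currency }).
  const client_secret = `pi_example_${req.body.session_id}_secret`;

  // Bonus layer: structured audit log; the IP is logged as its daily-salted hash in this example.
  console.log(JSON.stringify({ event: "pi_created", session_id: req.body.session_id, amount: order.total_cents,
    restaurant_id: req.restaurantId, host_device_id: deviceId, caller_ip: ipHash }));

  return { status: 200, amount: order.total_cents, currency: order.currency, client_secret };
}
```

The composite key means one device retrying its own session a few times stays well inside the 10/min budget, while a single source cycling through many sessions still only gets 10 intents per session per minute per day-salted address.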


thMenu Team

thmenu.com
