Wednesday, August 15, 2018

OWASP (Open Web Application Security Project) Replay attack


OWASP (Open Web Application Security Project) is focused on improving the security of software, and it publishes the “OWASP Top 10”, a collection of the most frequent vulnerabilities found in web, IoT and mobile applications.

Everyone who develops a web, mobile or IoT project MUST know about OWASP, and you may be wondering why I am writing this post now.

I lead an initiative to migrate the payment provider for our existing B2B and B2C portfolios. The following are the integration flows:

  • Application(s) use a back-end service to authenticate with the payment provider and then authorize the $ amount.
  • The payment provider authorizes the request and redirects to an externally hosted page where the customer enters credit card details.
  • After the payment, the third-party provider redirects to an application page with the payment status.
  • Based on the payment status, the application decides the next steps.


Since the payment provider redirects back to an application URL, there is a potential for a replay attack: an attacker could reuse that redirect URL, with its payment status, in another transaction.

To mitigate the risk, we used a token-based approach: a signed token is sent to the payment provider during the authorization process. After the payment, the token is sent back along with the redirect URL, and on the confirmation page the token is invalidated so that the same token cannot be used in another session.
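The following is an added example of the single-use signed token described above; it is not the code from our integration, and the HMAC format, the in-memory token store and all function names are assumptions made for illustration. The token binds a random id, the order id, the amount and an expiry under an HMAC, and verification consumes the token in the same step, so a second presentation of the same redirect URL is rejected as a replay.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
import time

# Hypothetical server-side key; a real deployment loads it from a secrets store.
SECRET_KEY = b"constructed-demo-key-do-not-use-in-production"
TOKEN_TTL_SECONDS = 900  # time allowed to finish the hosted payment page

# Constructed in-memory store of tokens that may still be redeemed exactly once.
# In production this would be the database or cache shared by all app instances.
_pending_tokens = {}  # token_id -> {"order_id": ..., "amount": ..., "expires": ...}


def _sign(payload: bytes) -> str:
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()


def issue_token(order_id: str, amount_cents: int, now=None) -> str:
    """Create the signed token handed to the payment provider at authorization time."""
    now = time.time() if now is None else now
    token_id = secrets.token_urlsafe(16)          # unpredictable per-transaction id
    expires = int(now) + TOKEN_TTL_SECONDS
    payload = f"{token_id}|{order_id}|{amount_cents}|{expires}".encode()
    _pending_tokens[token_id] = {"order_id": order_id, "amount": amount_cents, "expires": expires}
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def verify_and_consume(token: str, order_id: str, amount_cents: int, now=None):
    """Validate the token carried on the redirect URL and invalidate it in one step.

    Returns (accepted, reason). Every failure is reported without consuming state
    that an attacker could use to probe the system.
    """
    now = time.time() if now is None else now
    try:
        encoded, sig = token.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(encoded.encode())
    except (ValueError, binascii.Error):
        return False, "malformed"
    # Constant-time comparison so signature checking does not leak timing.
    if not hmac.compare_digest(_sign(payload), sig):
        return False, "bad signature"
    token_id, tok_order, tok_amount, tok_expires = payload.decode().split("|")
    if int(tok_expires) < now:
        _pending_tokens.pop(token_id, None)
        return False, "expired"
    # The token is bound to one order and amount, so it cannot be moved to another.
    if tok_order != order_id or int(tok_amount) != amount_cents:
        return False, "token does not match this order"
    # pop() is the invalidation step: a replayed redirect finds nothing to consume.
    if _pending_tokens.pop(token_id, None) is None:
        return False, "replayed"
    return True, "ok"


if __name__ == "__main__":
    # Constructed walk-through: first redirect accepted, the same URL replayed is rejected.
    tok = issue_token("order-42", 1999)
    print(verify_and_consume(tok, "order-42", 1999))   # (True, 'ok')
    print(verify_and_consume(tok, "order-42", 1999))   # (False, 'replayed')
```

Two design points matter in practice. The check and the invalidation must be a single atomic operation on the shared store (here `pop`), otherwise two concurrent requests carrying the same URL can both pass the check before either invalidates the token. And the token should be bound to the order and amount it was issued for, so that a valid token from one transaction cannot be attached to the redirect of another; the signature is what prevents an attacker from minting a fresh, unused token themselves.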
