(→Introduction: add link) |
(→Threat Model: add items) |
(45 intermediate revisions by the same user not shown) | |||
Line 70: | Line 70: | ||
'''Links'''<br /> | '''Project Links'''<br /> | ||
* Payments team home - https://wiki.mozilla.org/CloudServices/Payments | * Payments team home - https://wiki.mozilla.org/CloudServices/Payments | ||
* Payments tied to FxA project wiki page - https://wiki.mozilla.org/CloudServices/Payments/FirefoxAccounts | * Payments tied to FxA project wiki page - https://wiki.mozilla.org/CloudServices/Payments/FirefoxAccounts | ||
* In App Payments - https://wiki.mozilla.org/Marketplace/InAppPayments | |||
'''Mana pages (Mozilla staff/contrib LDAP account needed)''' | '''Project Links - Mana pages (Mozilla staff/contrib LDAP account needed)''' | ||
* Addons/Marketplace - https://mana.mozilla.org/wiki/pages/viewpage.action?pageId=9601080 | * Addons/Marketplace - https://mana.mozilla.org/wiki/pages/viewpage.action?pageId=9601080 | ||
* Payments - https://mana.mozilla.org/wiki/display/MARKET/Payments | * Payments - https://mana.mozilla.org/wiki/display/MARKET/Payments | ||
* Payments Production Support - https://mana.mozilla.org/wiki/display/MARKET/Payments+Support | * Payments Production Support - https://mana.mozilla.org/wiki/display/MARKET/Payments+Support | ||
* Processing refunds - https://mana.mozilla.org/wiki/display/MARKET/Processing+refunds | * Processing refunds - https://mana.mozilla.org/wiki/display/MARKET/Processing+refunds | ||
* Spartacus / Webpay physical network architecture - https://mana.mozilla.org/wiki/display/NOC/VLAN+assignments | * Spartacus / Webpay physical network architecture (search page for "Spartacus") - https://mana.mozilla.org/wiki/display/NOC/VLAN+assignments | ||
* Marketplace / AMO physical infrastructure - https://mana.mozilla.org/wiki/display/SVCOPS/Marketplace+AMO | * Marketplace / AMO physical infrastructure - https://mana.mozilla.org/wiki/display/SVCOPS/Marketplace+AMO | ||
'''Project Links - Receipt Verification''' | |||
* https://developer.mozilla.org/en-US/Marketplace/Monetization | |||
* https://developer.mozilla.org/en-US/Marketplace/Monetization/Validating_a_receipt | |||
* https://github.com/mozilla/receiptverifier | |||
* https://inapp-pay-test.paas.allizom.org/ | |||
'''API Docs''' | |||
* http://firefox-marketplace-api.readthedocs.org/en/latest/topics/payment.html#in-app-products | |||
* http://firefox-marketplace-api.readthedocs.org/en/latest/topics/payment.html#preparing-payment | |||
* http://firefox-marketplace-api.readthedocs.org/en/latest/topics/payment.html#payment-status | |||
* WebPayment API (navigator.Mozpay) - https://wiki.mozilla.org/WebAPI/WebPayment | |||
* Web Payments Provider - https://wiki.mozilla.org/WebAPI/WebPaymentProvider | |||
'''Related''' | |||
* Firefox Accounts Payments Proposal - https://wiki.mozilla.org/CloudServices/Payments/FirefoxAccounts | |||
* Jugband engineering metrics and activity for Marketplace - https://jugband.paas.allizom.org/ | |||
'''Historical examples of app payment fraud''' | |||
* How to detect and prevent in-app payment fraud - http://blog.soom.la/2013/09/how-to-detect-and-prevent-in-app.html | |||
* Apple/Google FTC & EU billing scrutiny - http://yottafire.com/2014/07/apple-is-showing-resentment-with-limit-in-in-app-purchases/ | |||
* Kids and in-app purchases, FTC, EU - http://finance.yahoo.com/news/amazon-ready-fight-ftc-app-181013610.html | |||
=== Use Cases === | === Use Cases === | ||
[https://webpay.readthedocs.org/en/latest/api.html Webpay] is an implementation of the [[WebAPI/WebPaymentProvider|WebPaymentProvider spec]]. It hosts the payment flow inside [https://developer.mozilla.org/en-US/docs/Web/API/Navigator/mozPay navigator.mozPay]() when making app purchases or in-app payments on Firefox OS. | |||
* Webpay provides a REST API for clients to interact with the server. | |||
* All API’s use JSON for request and responses. | |||
=== Data Flows === | === Data Flows === | ||
==== | ==== Diagrams ==== | ||
[[ | ===== Payments Flow Sequence ===== | ||
[[Image:Pay_Flow_Sequence.png]] | |||
==== | ===== Payments Data Flow Diagram ===== | ||
[[Image:PaymentsDFD.jpg]] | |||
==== | ===== Pin Flow ===== | ||
[[Image:Pin-flow.png]] | |||
<br />''(Note: Persona was replaced with FxA)'' | |||
==== | === Architecture Diagram === | ||
=== | ====Top-level architecural view==== | ||
[[File:Mkt_layers.png|830px]] | |||
====Payment Systems Diagram==== | |||
[[File:Pmt systems.png|600px|Payment Systems diagram - by Wil Clouser]] | [[File:Pmt systems.png|600px|Payment Systems diagram - by Wil Clouser]] | ||
<br /> | <br />Logical diagram of Payments application services architecture. | ||
'''Diagram Key''' | |||
''' | |||
The dotted line from a red service goes to a breakout describing the logical components of its service stack. | The dotted line from a red service goes to a breakout describing the logical components of its service stack. | ||
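Review bot: the new heading "Top-level architecural view" misspells "architectural", and the API is named "navigator.Mozpay" in the WebPayment API link text but "navigator.mozPay" in the Use Cases paragraph and the User Interactions tables; the platform function is navigator.mozPay(), so make the link text match. In the Use Cases bullets "All API's use JSON" should read "All APIs use JSON". Under Pin Flow, the added note "(Note: Persona was replaced with FxA)" implies Pin-flow.png still shows Persona; either regenerate the diagram or say in the note which steps of the flow changed so a reader is not misled by the image.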
Line 145: | Line 144: | ||
Starting from a Red Services box, | Starting from a Red Services box, | ||
* Solid line represents dependency/backend component relationships | * Solid line represents dependency/backend component relationships | ||
* Dotted lines point to breakouts describing the logical components of a service stack | * Dotted lines point to breakouts describing the logical components of a service stack | ||
===== Mozilla Services ===== | ===== Mozilla Services ===== | ||
Line 157: | Line 156: | ||
| Solitude || A server for processing payments for Mozilla’s Marketplace and Add-ons site. || Project Documentation - http://readthedocs.org/docs/solitude/en/latest/<br />Sourcecode - https://github.com/mozilla/solitude | | Solitude || A server for processing payments for Mozilla’s Marketplace and Add-ons site. || Project Documentation - http://readthedocs.org/docs/solitude/en/latest/<br />Sourcecode - https://github.com/mozilla/solitude | ||
|- | |- | ||
| Webpay || | | Webpay || Webpay is an implementation of the WebPaymentProvider spec <br />Spartacus is a single page app front-end for Webpay. || Webpay Sourcecode - https://github.com/mozilla/webpay<br />Spartacus Sourcecode - https://github.com/mozilla/spartacus | ||
|} | |} | ||
Line 190: | Line 189: | ||
| align="center" style="background:#f0f0f0;"|'''Rating''' | | align="center" style="background:#f0f0f0;"|'''Rating''' | ||
| align="center" style="background:#f0f0f0;"|'''Likelihood''' | | align="center" style="background:#f0f0f0;"|'''Likelihood''' | ||
| align="center" style="background:#f0f0f0;"|'''Impact''' | | align="center" style="background:#f0f0f0;"|'''Impact''' | ||
| align="center" style="background:#f0f0f0;"|'''Notes''' | | align="center" style="background:#f0f0f0;"|'''Notes''' | ||
|- | |- | ||
|- | |- | ||
| 2|| | | 1||malicious access to apps device ||If a phone is stolen or given to a friend/family member, it is possible for that person to make purchases.||A PIN is to be implemented that is required for purchases and in-app purchases. CEF logging on transactions to track excessive purchases. Incident response to deal wiht stolen phone.||Malicious User||12||3||4 – Reputation||In other systems (i.e. iOS, this i a configured parameter. | ||
|- | |||
| 2||Malicious extension could steal authentication credentials ||A rogue extension could possibly steal credentials or cause transactions to happen.||A PIN is to be implemented that is required for purchases and in-app purchases. CEF logging on transactions to track excessive purchases. Incident response to deal with stolen credentials.||Malicious Developer||12||3||4 – Reputation|| Must be registered with marketplace. | |||
|- | |||
| 3||Malicious App creates fake iframe ||An app could create an iframe in order to overlay a purchase iframe. || CEF logging on transactions to track excessive purchases. Incident response to deal with stolen credentials. ||Malicious App||12||3||4 – Reputation|| | |||
|- | |||
| 4||Malicious App creates fake iframe ||An app could create an iframe in order to overlay a purchase iframe. ||CEF logging on transactions to track excessive purchases. Incident response to deal with stolen credentials. Paypal account shows all purchases. ||Malicious App||12||3||4 – Reputation|| | |||
|- | |||
| 5||XSS vuln could allow malicious user to force purchase ||If a XSS is found in the marketplace, this could be used to force a purchase. ||CSP is enabled on Payments. CEF logging on transactions to track excessive purchases. Incident response to deal with stolen credentials. Paypal account shows all purchases. ||Malicious App||12||3||4 – Reputation|| | |||
|- | |||
| 6||CSRF could force purchase. ||If a XSS is found in the marketplace, this could be used to force a purchase. ||CSRF protection token on the marketplace site. CEF logging on transactions to track excessive purchases. Incident response to deal with stolen credentials. ||Malicious App||12||3||4 – Reputation|| | |||
|- | |||
| 7||Compromise web heads||The attacker could then leverage their access to attack other parts of the application environment or to serve arbitrary/manipulated content to users.||Mitigation possibilities are being discussed.||System access||12||3||4 – Reputation|| | |||
|- | |||
| 8||Appplication Theft||The attacker could begin a payment, cancel the payment, and craft a postback to the app server, fooling it into thinking the cancelled payment was successful. (BID 1145024)||Bug detected, application patched.||System access||12||3||4 – Reputation|| | |||
|- | |- | ||
| | | 9||Appplication Theft||The attacker could modify the JWT for payment to craft $0 payment that executes successfully. (BID 1145024)||Bug detected, application patched.||System access||12||3||4 – Reputation|| | ||
|- | |- | ||
|} | |} | ||
==== User Interactions ==== | ==== User Interactions ==== | ||
{| | |||
| | Payment flow user interactions for | ||
* Marketplace App Payment Flows | |||
| | * In-App Payment Flows | ||
====== Marketplace App Payment Flows ====== | |||
Payments flows are initiated from the Marketplace which is under Mozilla’s control | |||
====== A. Desktop ====== | |||
{| class="wikitable" | |||
|- | |||
! ID !! Actions !! Element | |||
|- | |||
| 1. || Pre-provider flows PIN creation/enter/reset etc (Same domain as marketplace) | |||
|| Popup | |||
|- | |||
| 2. || Provider payment entry || Popup, page hosted by payment provider | |||
|- | |||
| 3. || Communication with popup || Javascript library: fxpay | |||
|} | |||
====== B. Firefox OS / Android ====== | |||
{| class="wikitable" | |||
|- | |||
! ID !! Actions !! Element | |||
|- | |- | ||
| 1. | | 1. || Pre-provider flows PIN creation/enter/reset etc (Same domain as marketplace) | ||
|| Trusted UI | |||
|- | |- | ||
| | | 2. || Provider payment entry || Trusted UI, page hosted by payment provider | ||
|- | |- | ||
| | | 3. || Open and communicate with Trusted UI || JavaScript platform function: navigator.mozPay() | ||
|- | |- | ||
| | | 4. || Open and communicate with MozPay || JavaScript library: fxpay | ||
|} | |} | ||
==== | ====== In-App Payment Flows ====== | ||
{| | Payment flows are initiated from 3rd party app domains - Mozilla no control over the apps or domains. They have been approved by and have a payments account on the Marketplace, but can change their code at any time (for hosted apps). | ||
| | |||
| | ===== A. Desktop ===== | ||
| | {| class="wikitable" | ||
|- | |||
! ID !! Actions !! Element | |||
|- | |||
| 1. || Pre-provider flows PIN creation/enter/reset etc (3rd party app domain) | |||
|| Popup, page hosted by payment provider | |||
|- | |||
| 2. || Provider payment entry || Popup, page hosted by payment provider | |||
|- | |- | ||
| | | 3. || Communication with popup || Javascript payments library run from 3rd party app domain: fxpay | ||
|} | |} | ||
==== | ====== B. Firefox OS / Android ====== | ||
{| | |||
| | {| class="wikitable" | ||
| | |- | ||
| | ! ID !! Actions !! Element | ||
| | |- | ||
| | | 1. || Pre-provider flows PIN creation/enter/reset etc (Same domain as marketplace) | ||
| | || Trusted UI | ||
| | |- | ||
| 2. || Provider payment entry || Trusted UI, page hosted by payment provider | |||
|- | |- | ||
| 3. | | 3. || Open and communicate with Trusted UI || JavaScript platform function: navigator.mozPay() | ||
|- | |- | ||
| | | 4 || Open and communicate with MozPay || JavaScript library: fxpay | ||
|} | |} | ||
==== Security Recommendations / Open Issues ==== | ==== Security Recommendations / Open Issues ==== | ||
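Review bot: threats 3 and 4 in the Threat Model table are the same entry ("Malicious App creates fake iframe", identical description, same actor and scores) differing only in the added mitigation "Paypal account shows all purchases"; merge them into one row. Threat 6 (CSRF) reuses the XSS description "If a XSS is found in the marketplace, this could be used to force a purchase." and should describe a forged cross-site request instead. Typos: "wiht" in threat 1, "Appplication" in threats 8 and 9, and the unclosed parenthesis "(i.e. iOS, this i a configured parameter" in threat 1's notes. Every row carries Rating 12 / Likelihood 3 / Impact 4, including threats 8 and 9 whose mitigation reads "Bug detected, application patched"; if the columns are meant to express residual risk those two rows need re-rating, otherwise say the scores are pre-mitigation. In the User Interactions tables, In-App Payment Flows B (Firefox OS / Android) step 1 says "(Same domain as marketplace)" while the In-App desktop table says "(3rd party app domain)", which is the whole point of the in-app section; the heading levels are also inconsistent ("===== A. Desktop =====" under In-App versus "====== A. Desktop ======" under Marketplace), and step "4" in the last table lacks its period.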
Line 260: | Line 298: | ||
==== CEF Logging Requirements ==== | ==== CEF Logging Requirements ==== | ||
'''Authentication''' | |||
* bad password provided at login (or anywhere where user is prompted for auth) | |||
* bad username provided at login | |||
* account created | |||
* password changed | |||
* password reset requested | |||
* new privileged (e.g. reviewer, admin, etc) account created | |||
* account modified and granted additional rights (e.g. reviewer, admin, etc) | |||
'''Authorization''' | |||
'''Denial of Service''' | |||
'''Request Specific''' | |||
'''Input Validation Exceptions''' | |||
'''File Upload''' | |||
* Large number of file uploads | |||
* Attempt to upload something other than expected file | |||
=== Privacy Risk Analysis === | === Privacy Risk Analysis === | ||
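Review bot: the "Authorization", "Denial of Service", "Request Specific" and "Input Validation Exceptions" headings under CEF Logging Requirements have no items, and nothing in the Authentication list covers the events the Threat Model depends on ("CEF logging on transactions to track excessive purchases", which appears as a mitigation in almost every row). Suggest adding at least: PIN entry failures and PIN resets (the PIN is the primary mitigation for threats 1 and 2), payment started / cancelled / completed with the transaction identifier, postback and JWT verification failures (threats 8 and 9), and a per-account purchase-rate threshold under Denial of Service or Request Specific so that "excessive purchases" has a concrete definition.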
Line 269: | Line 325: | ||
=== Application Security Requirements === | === Application Security Requirements === | ||
It is expected that the [https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines Secure Coding Guidelines] is followed but these requirements are especially important for this application. | |||
'''CSP''' | |||
Content Security Policy in blocking mode. | |||
'''Password Requirements''' | |||
*Threshold based CAPTCHA for login Restrict password guesses without CAPTCHA to 5. | |||
*Blacklist top bad passwords that could be selected by a user. | |||
'''Account Requirements''' | |||
*Allow users to view last login time and IP address after authentication | |||
''' | |||
'''Coding Requirements''' | |||
*Session based CSRF protection (e.g. not Django cookie based CSRF protection) | |||
*Clickjacking (x-frame-options) and XSS protection (CSP) | |||
'''Other Requirements''' | |||
*Uploaded links must be verified against google safe browsing list (real time or daily cron) | |||
*Uploaded images must be strictly checked to validate only images are uploaded. [https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines#Image_Upload More Info] | |||
'''SSL Requirements''' | |||
*SSL is required to the connection to paypal (user redirects and any backend connections) | |||
*The SSL cert must be strictly validated (specific code needed for backend connections) | |||
*HSTS must be enabled | |||
*No HTTP pages. Full HTTPS | |||
*Third party connections (e.g. twitter, facebook, paypal, etc) must link to the HTTPS page for that site. That may require rewriting the widget (twitter specifically) | |||
=== Operation Security Requirements === | === Operation Security Requirements === | ||
Document network/platform security requirements here (e.g. IDS concerns, firewall changes, system hardening reqs, etc) | Document network/platform security requirements here (e.g. IDS concerns, firewall changes, system hardening reqs, etc) | ||
=== Critical Security Requirements === | === Critical Security Requirements === | ||
Itemize individual security blockers here. Reference components in section AppSec or OpSec subsections. | Itemize individual security blockers here. Reference components in section AppSec or OpSec subsections. | ||
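Review bot: "Password Requirements" and "Account Requirements" assume this application handles passwords and logins, but the Pin Flow note says Persona was replaced with FxA; state which of these requirements apply to FxA and which to the Marketplace PIN, and add PIN-specific requirements (attempt limit, lockout, reset handling), since the Threat Model lists the PIN as the main mitigation for threats 1 and 2 but no section here constrains it. The CAPTCHA bullet runs two sentences together ("Threshold based CAPTCHA for login Restrict password guesses without CAPTCHA to 5."). A stray ''' line sits between the Account Requirements and Coding Requirements headings. Under SSL Requirements, "SSL is required to the connection to paypal" should read "for the connection to paypal", and "strictly validated" would benefit from naming what is checked (chain, hostname, expiry). The Operation Security Requirements and Critical Security Requirements sections still contain the template placeholder text ("Document network/platform security requirements here", "Itemize individual security blockers here") and should be filled in or explicitly marked as open.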
Line 282: | Line 362: | ||
=== Repeatable Security Test Cases === | === Repeatable Security Test Cases === | ||
Document individual repeatable security test cases here. Include a reference to the source repo, and documentation that governs how to execute test cases. | Document individual repeatable security test cases here. Include a reference to the source repo, and documentation that governs how to execute test cases. | ||
=== Secure Coding Guidelines === | === Secure Coding Guidelines === | ||
Document specific secure coding guidelines to be followed and relate them to specific issues/requirements that are specified; capture bug ids related to those issues. | Document specific secure coding guidelines to be followed and relate them to specific issues/requirements that are specified; capture bug ids related to those issues. | ||
Line 293: | Line 374: | ||
==== Code Review ==== | ==== Code Review ==== | ||
==== Automated Security Testing ==== | ==== Automated Security Testing ==== | ||
* | * Minion scanner | ||
==== Manual Security Testing ==== | ==== Manual Security Testing ==== |
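Review bot: "Minion scanner" under Automated Security Testing is the only item in this block and "Code Review" and "Manual Security Testing" remain empty; link where the Minion scan configuration and results live, and state which repositories from the Mozilla Services table (webpay, spartacus, solitude) are in scope for code review and manual testing so the section is actionable.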