#m3hrajbhat
hello! was the verification successful and your domain is now registered?
No, I am asking if this is a secure verification, as the site is sharing the cookies with my domain. I am actually testing the site.
what payments site is this - what's the URL?
here you can see
the site has a feature to verify your domain for apple pay, and it asks to enter your domain, the site sends a GET request to my domain as mydomain.com/.well-known/apple-developer-merchantid-domain-association and sends all cookies along, as well as stripe csrf tokens
I am asking is this a vulnerability or what?
👋 jumping in here and could you elaborate a bit more? So this is not your website? Can you share its URL?
What do you mean by it allows you to verify apple pay domain?
Unfortunately, I can't share the site url, as this is the private bug bounty program
this is the payments site, where we can verify our domain for apple pay. We need to enter our domain where our apple pay domain association file is hosted. If I enter my domain as mydomain.com, the site will send a GET request to https://mydomain.com/.well-known/apple-developer-merchantid-domain-association. As I was testing this site, I entered my burp collaborator url, and the site sends a GET request to my burp collaborator domain. As you can see in the screenshot above, the site is also sending the cookies along with this request, which I think is the vulnerability. I may be wrong, that is why I came here to know a bit more about this.
Um we have no idea how that site works, just like you. I also don't know what Stripe.mkt.csrf, stripe.customerportal.csrf is TBH, and don't see the session token you mentioned so honestly can't tell
As far as I understand, the site is actually sending this request via
```
curl https://api.stripe.com/v1/apple_pay/domains \
  -u "sk_live_••••••••••••••••••••••••": \
  -d domain_name="example.com"
```
I think this is the backend scenario
So they register your domain to their own Stripe account
I think so
You can create a Stripe account and send the same request, to see if it generates the same GET request with the same cookie like they do
I actually did this right now, but I didn't get any request back to my domain
and the domain was added to my stripe account. I tell you, I have a test account
I believe you have a live account, can you please try this for me?
Maybe this is the reason why I am not getting a request back to my domain:
```
Stripe Elements doesn’t support Google Pay or Apple Pay for Stripe accounts and customers in India. Therefore, you can’t test your Google Pay or Apple Pay integration if the tester’s IP address is in India, even if the Stripe account is based outside India.
```
you can request this 57ai063jf975fzxndalghua86zcy0n.oastify.com
See something?
yes I got the request without cookies!
So the site is doing something else
yes, but it looks actually similar, the user agent is the same