#ganon551-card-testing


coarse loom
#

Can you give me the Payment Intent Id?

patent rune
#

Hi, you mean one of the successful payment ids?

#

I have the logs from the developer dashboard too

coarse loom
#

yes, just give me the id pi_xxx

#

or request id req_xxx

patent rune
#

pm_1LDh9fEWxG45zMzrgDtjeZnR

#

I calmed down the attack by deleting these checkout buttons, but since this morning it's coming back and I get several tests per minute again

#

pi_3LDgVQEWxG45zMzr0bW2ZGsr_secret_jerM4ZJ2m72TVRQ08hbGiyNZe

#

oops, not this one, sorry

#

this one:

"id": "pi_3LDgVQEWxG45zMzr0bW2ZGsr"

#

payment intent

coarse loom
#

this created the Checkout Session that the attacker is trying to confirm

#

it's from your server, Node

#

You would want to check which endpoint triggers this call

#

You can disable that endpoint, or the button that triggers the request to that endpoint

patent rune
#

How could I do that? I don't know where they found checkout access on the website, there's nothing left

coarse loom
#

You have your code right? where do you create a Checkout Session?

patent rune
#

I have all my pages open in Visual Studio; a search for "stripe" doesn't show me any Node code that would make a call to checkout

#

here's an "out of session" payment

coarse loom
#

They all come from Checkout Sessions. Each Session stays active for 24 hours, so the attacker could still use them

#
  1. Revoke every endpoint that created the Checkout Session
  2. Expire every currently active Checkout Session
#

For 1, I believe you already did it, but you may want to double-check your backend, the code where you create the Session

#

For 2, you can use the List Sessions API https://stripe.com/docs/api/checkout/sessions/list, then loop through the result and call the Expire Session API https://stripe.com/docs/api/checkout/sessions/expire

patent rune
#

For 1, I did remove all buttons that lead to Stripe Checkout, and removed all the Node.js code that has to do with Stripe on the main site. In the backend there's still the JS code to create sessions, but they cannot access it

#

I'll check the latter

#

Ok I made a request using curl

coarse loom
#

Using some script/code would be easier, as you would likely need to loop through the results

patent rune
#

I'm looking at timestamps

#

The first visit date for one of them for instance was 21/06/2022 16:53:53 and the expiration date is 23/06/2022 21:00:48

#

I will end all of them

coarse loom
#

Yeah

#

After expiring all of them you should be free from those attacks

patent rune
#

Looks like all the sessions were marked as "null"

#

Well, no subscriptions for an hour, so we'll see if it continues

#

You agree that if every trace of Stripe JS code, buttons, etc. is removed from the main public site, they shouldn't be able to access Checkout, right?

spark delta
#

You can also consider rolling both your secret and publishable keys to be extra safe