Traditionally most Payment providers only provide Hosted Payment Sites via redir
Question
Traditionally most Payment providers only provide Hosted Payment Sites via redirect or iframe. But now an increasing number is also supporting payment integration via a JavaScript library.
I imagine the case in which an attacker is able to inject code into the Web App: the attacker would still not be able to read the iframe's content because of the Same-origin policy. On the other hand, in the JS lib case, a jQuery one-liner is enough to send the user's credit card data to some server.
Is this view correct? Or are both options equally safe, because once an attacker can inject code, he could do (almost) anything anyway?
Explanation / Answer
Although the same-origin policy may stop an attacker from accessing the legitimate iFrame content, the problem is that the user has no way to verify that they're actually interacting with the legitimate iFrame (short of going to the source, which most users won't do). An attacker could just as easily replace the iFrame source with a phishing page and gain the user's credit card details that way.
Both iFrame and JS based gateways are vulnerable to approximately the same issues, so I would argue that they're both equally insecure compared to hosted gateways. The benefits of hosted gateways are that:
- The user can verify the URL to be sure who they're interacting with
- The user can validate the SSL/TLS certificate and encryption to be even more sure about who they're interacting with
- A payment gateway operated by a bank is most likely better tested for vulnerabilities than some arbitrary site.
- Users can be reasonably confident in the integrity of their payment details if the totals, etc. are displayed by the external gateway, compared to onsite, where the site may say it'll charge you one thing and then charge you another.
On the other hand, transferring users to an external payment gateway is considered a bad user experience and interfacing with a payment processor securely on the server side is complicated, so compromises are made and these JS based gateways are becoming popular.
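As an added illustration (not code from the question or the answer), the following checks whether a checkout page's Content-Security-Policy would permit the two moves discussed above: re-pointing the payment iframe at another origin, and an injected script sending card data to a third-party server. The policy, page origin and host names are constructed examples, and only the subset of CSP source matching needed here is implemented.

```javascript
// Added example: minimal CSP source matcher applied to the thread's two
// scenarios. Constructed placeholders throughout; not a full CSP engine
// (no nonces, hashes, paths, or port wildcards).

const PAGE_ORIGIN = "https://shop.example"; // constructed checkout origin
const CHECKOUT_CSP =                          // constructed policy
  "default-src 'none'; " +
  "script-src 'self' https://js.gateway.example; " +
  "frame-src https://checkout.gateway.example; " +
  "connect-src 'self' https://api.gateway.example";

// Turn "dir a b; dir2 c" into { dir: ["a","b"], dir2: ["c"] }.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0]] = tokens.slice(1);
  }
  return directives;
}

function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Does a single source expression ('self', 'none', scheme://host,
// scheme://*.host) match the URL being loaded?
function sourceMatches(src, url, pageOrigin) {
  if (src === "'none'") return false;
  if (src === "'self'") return originOf(url) === pageOrigin;
  const [scheme, hostPattern] = src.split("://");
  if (!hostPattern) return false; // keyword we do not model
  const u = new URL(url);
  if (u.protocol !== scheme + ":") return false;
  if (hostPattern.startsWith("*.")) return u.host.endsWith(hostPattern.slice(1));
  return u.host === hostPattern;
}

// Would a load of `url` governed by `directive` (e.g. "frame-src") be
// allowed? Falls back to default-src as a browser does.
function allowed(policy, directive, url, pageOrigin = PAGE_ORIGIN) {
  const d = parseCsp(policy);
  const sources = d[directive] ?? d["default-src"] ?? [];
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}
```

A policy like this narrows both moves the answer describes (the iframe can only be framed from the gateway, and card data can only be posted to the page's own origin or the gateway API), but it does nothing for the hosted-redirect advantage of letting the user verify the URL and certificate themselves.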