Penetration Testing mailing list archives

Are paypal buttons secure from e-lifting? Is this data secure?


From: Mifa <mifa () stangercorp com>
Date: Tue, 17 Jul 2007 14:36:43 -0500

I have set up a webpage that allows payments via PayPal. Is it secure? Below is the data submitted (as seen with Tamper Data):

1) Can this be decrypted? This string is, after all, hard-coded into the PayPal button.
    a) If so, how?
2) What apps might decode and recode this data?



