CheddarGetter Host Payment Page URL double encoding
I am sending my customers to the hosted payment page, and am passing the first name, last name, and email address. This is the URL (slightly munged for security)
http://example.chargevault.com/update?method=cc&key=CUST_KEY&code=CUST_CODE&firstName=Joe&lastName=Blow&email=joe%40example.com
Note the encoding of the @ symbol to
%40 near the very end. By default in my system, all
URL parameters are encoded as part of the URL creation process, as
part of standard security practices.
However the URL that the user actually ends up on looks like this...
http://example.chargevault.com/update?method=cc&key=CUST_KEY&code=CUST_CODE&firstName=Joe&lastName=Blow&email=joe%2540example.com
Note the double encoding of the @ symbol to
%2540. This is not translated properly by CG systems,
and the email address that gets populated in the input box reads as
joe%40example.com. The first layer of encoding is
pulled out, but not the second.
At first I thought it was my software, but after verifying that my URL was outputted properly, I pulled out my trusty Firebug and followed the URL trail. There I learned that the CG Hosted Payment Page system does an internal redirect that applies the second layer of encoding.
Request: http://example.chargevault.com/update?method=cc&key=CUST_KEY&code=CUST_CODE&firstName=Joe&lastName=Blow&email=joe%40example.com
Response: http://example.chargevault.com/update?method=cc&key=CUST_KEY&code=CUST_CODE&firstName=Joe&lastName=Blow&email=joe%2540example.com
(status code 302)
// content of email box
joe%40example.com
To confirm the behavior, I sent a different request, with a
plain % attached:
Request: http://example.chargevault.com/update?method=cc&key=CUST_KEY&code=CUST_CODE&firstName=Jo%e
Response: http://example.chargevault.com/update?method=cc&key=CUST_KEY&code=CUST_CODE&firstName=Jo%25e
(status code 302)
I understand why you perform a URL encoding yourselves, all user input is dangerous. However I cannot simply eliminate my own URL encoding process, as that introduces the possibility for a XSS attempt on my site, before the user leaves.
The correct solution is for the Hosted Payment Page to assume that all encoded content is double encoded, and require users to perform encoding before redirecting the user.
I understand this bug is kinda technical, so please re-read (and test!) if this doesn't make sense, or ask for clarification.
Discussions are closed to public comments.
If you need help with Cheddar please
start a new discussion.
Keyboard shortcuts
Generic
| ? | Show this help |
|---|---|
| ESC | Blurs the current field |
Comment Form
| r | Focus the comment reply box |
|---|---|
| ^ + ↩ | Submit the comment |
You can use Command ⌘ instead of Control ^ on Mac
Support Staff 1 Posted by Marc Guyer on 26 Nov, 2012 09:47 PM
This is the result of the redirect. Apache encodes by default when redirecting using mod_rewrite. I've fixed the rewrite rule to stop the double encoding. However, you can avoid that altogether by making your links go to https instead of http.
2 Posted by Frank Koehl on 26 Nov, 2012 09:52 PM
Bah, not sure how that non-SSL URL slipped past me, but you are absolutely right. URL formation now works as intended. Thanks.
Marc Guyer closed this discussion on 26 Nov, 2012 09:59 PM.