Tags: php, paypal, ticket-system

Ticket system in php vulnerabilities


I am building a ticket system for some website from which the user can book tickets for some event. My mechanism of booking goes like that:

  1. User clicks the buy now button.
  2. PayPal handles the payment.
  3. PayPal redirects the user, after successful checkout, to some "generate_ticket.php" page which generates the ticket number.
  4. The user gets redirected to the first page with the ticket number shown to them.

Here is the problem: any malicious user could know the url to which the successful checkout gets redirected, by observing the network tap in the developer tools, and send requests to this page "generate_ticket.php" and get free tickets.

Here is what I thought of to fix this problem:

  • Check the $_SERVER['HTTP_REFERER'] variable for the referer URL and compare it with the URL from PayPal. But the problem is that, as mentioned in the manual:

The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.

This variable can be modified. So, it is not reliable, at least not alone.

  • When the user clicks the buy now button, I stop the form from submitting and generate a token in some "token.php" file, attach it to the form (using a PayPal feature of attaching custom variables to the URL from the form), also store it in some session, then submit the form. When the "generate_ticket.php" page gets requested, it compares the token in the session with the one from the URL. But again, any user can click the button, make the "token.php" file generate a token and attach it to the form, then take that token, attach it to the URL, and request a ticket using the first vulnerability.

So, does anybody have any solution to fix these vulnerabilities or prevent the user from requesting free tickets?


Solution

  • PayPal has a feature called IPN. Basically, you will not directly send tickets to the user once you get data on generate_ticket.php. Once a transaction is created you might insert a record in the DB with a Pending state and update it on PayPal's response; here IPN comes into play: after the transaction gets completed, PayPal will send a POST request to the notify_url you provide, where you will handle the script that sends the user their tickets.
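A minimal IPN listener for the notify_url, added here as an example (it is not the answer's own code). It assumes a PDO handle `$db`, an `orders` table with columns `order_id`, `amount`, `status`, `txn_id` (with `txn_id` UNIQUE), that the order id was passed to PayPal in the form's `custom` field, and a merchant address `merchant@example.com`; all of those are assumptions.

```php
<?php
// Added example: IPN listener. $db, the "orders" table and the merchant e-mail
// are assumptions, not something the original answer specified.
$db = new PDO('sqlite:orders.db'); // any PDO connection works (assumed)

// 1. Post the raw IPN body back to PayPal with cmd=_notify-validate prepended.
//    PayPal answers VERIFIED only for a message it actually sent to us.
$raw = file_get_contents('php://input');
$ch = curl_init('https://ipnpb.paypal.com/cgi-bin/webscr');
curl_setopt_array($ch, [
    CURLOPT_POST           => true,
    CURLOPT_POSTFIELDS     => 'cmd=_notify-validate&' . $raw,
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_SSL_VERIFYPEER => true,
    CURLOPT_HTTPHEADER     => ['Connection: Close', 'User-Agent: PHP-IPN-Listener'],
]);
$reply = curl_exec($ch);
curl_close($ch);
if ($reply !== 'VERIFIED') {
    http_response_code(400);   // forged or tampered message: do nothing
    exit;
}

// 2. Genuine message, but is it the payment we were waiting for?
$orderId = (int) ($_POST['custom'] ?? 0);
$stmt = $db->prepare('SELECT amount, status FROM orders WHERE order_id = ?');
$stmt->execute([$orderId]);
$order = $stmt->fetch(PDO::FETCH_ASSOC);

$paidAmount = number_format((float) ($_POST['mc_gross'] ?? 0), 2, '.', '');
$dueAmount  = $order ? number_format((float) $order['amount'], 2, '.', '') : '';
$ok = $order
    && $order['status'] === 'pending'
    && ($_POST['payment_status'] ?? '') === 'Completed'
    && ($_POST['receiver_email'] ?? '') === 'merchant@example.com' // assumed merchant account
    && ($_POST['mc_currency'] ?? '') === 'USD'
    && $paidAmount === $dueAmount;

if ($ok) {
    // 3. Flip pending -> paid exactly once. The UNIQUE txn_id column means a
    //    replayed IPN cannot mark a second order as paid with the same transaction.
    $upd = $db->prepare("UPDATE orders SET status = 'paid', txn_id = ? WHERE order_id = ? AND status = 'pending'");
    $upd->execute([$_POST['txn_id'] ?? '', $orderId]);
    if ($upd->rowCount() === 1) {
        // generate the ticket number and e-mail it here; the browser redirect
        // page (generate_ticket.php) only reads the stored status, never creates tickets
    }
}
http_response_code(200); // acknowledge so PayPal stops retrying the notification
```

With this flow, hitting generate_ticket.php directly yields nothing, because a ticket only exists once PayPal's verified notification has moved the order out of the pending state.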