security problem with paypal form

tolkienarda
hi all

most of you have seen this form, mostly it has hidden attributes some of which can be changed to select boxes. the part that seems to be a security flaw is that people can edit live html with the web developer toolbar on firefox. i've gone into one of my client's order forms and bought an expensive item for only five dollars and paypal never caught on.

below is the code that now anyone with any knowledge of html can edit live and submit the page with a new cost value

    <form target="paypal" action="https://www.paypal.com/cgi-bin/webscr" method="post">
    <input type="image" src="images/x-click-but21.gif" border="0" name="submit" alt="Make payments with PayPal - it's fast, free and secure!">
    <img alt="" border="0" src="https://www.paypal.com/en_US/i/scr/pixel.gif" width="1" height="1">
    <input type="hidden" name="add" value="1">
    <input type="hidden" name="cmd" value="_cart">
    <input type="hidden" name="business" value="email@company.com">
    <input type="hidden" name="item_name" value="product description">
    <input type="hidden" name="item_number" value="123456">
    <input type="hidden" name="amount" value="25.00">   <!-- This is the part you change to really mess with people -->
    <input type="hidden" name="page_style" value="company">
    <input type="hidden" name="no_shipping" value="2">
    <input type="hidden" name="return" value="http://www.company.com/addedtocart.htm">
    <input type="hidden" name="cancel_return" value="http://www.company.com/cancled.htm">
    <input type="hidden" name="cn" value="Comments">
    <input type="hidden" name="currency_code" value="USD">
    <input type="hidden" name="lc" value="US">
    <input type="hidden" name="bn" value="PP-ShopCartBF">
    </form>

now i was thinking i could somehow call an external js function to do this then encrypt it but my knowledge of js is limited and i don't even know if it has the ability to do what this form does. if anyone has any advice or comments on html security issues posed by the web developer toolbar in firefox please post here

thanks
eric

ps : nothing against the toolbar or the people who wrote it, i love the toolbar and use it on an almost daily basis

thanks again
eric
Feb 2 '07 #1
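
Added example, not part of the original post: because every hidden field in the form above is under the buyer's control, the check that catches an edited `amount` has to run on the merchant's server, comparing what was paid against a price list the browser never supplies. The sketch assumes the paid order details reach the server as a dict that reuses the form's field names; `CATALOG`, `MERCHANT` and `check_order` are hypothetical names, and the sample orders are constructed.

```python
from decimal import Decimal, InvalidOperation

# Constructed price list, held on the server and never taken from the
# browser. Keys are the form's item_number values (assumed layout).
CATALOG = {
    "123456": {"amount": Decimal("25.00"), "currency_code": "USD"},
}
MERCHANT = "email@company.com"  # the form's "business" value


def check_order(paid, catalog=CATALOG, merchant=MERCHANT):
    """Compare a reported payment with the catalog.

    `paid` is a dict of strings describing what was actually paid. Returns a
    list of problems; an empty list means the order matches the catalog.
    """
    item = catalog.get(paid.get("item_number", ""))
    if item is None:
        return ["unknown item_number"]

    problems = []
    try:
        amount = Decimal(str(paid.get("amount", "")).strip())
    except InvalidOperation:
        amount = None
    if amount is None or not amount.is_finite():
        problems.append("amount is not a valid number")
    elif amount != item["amount"]:
        problems.append(f"amount {amount} != catalog {item['amount']}")

    if paid.get("currency_code") != item["currency_code"]:
        problems.append("currency_code mismatch")
    if str(paid.get("business", "")).lower() != merchant.lower():
        problems.append("payment went to a different business account")
    return problems


# Constructed sample: the form as published, and the same form edited live.
GENUINE = {"item_number": "123456", "amount": "25.00",
           "currency_code": "USD", "business": "email@company.com"}
TAMPERED = dict(GENUINE, amount="5.00")

if __name__ == "__main__":
    for label, order in (("genuine", GENUINE), ("tampered", TAMPERED)):
        print(label, check_order(order) or "ok")
```

An order is fulfilled only when `check_order` returns an empty list; anything else is held for manual review.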