security problem with paypal form

tolkienarda
hi all

most of you have seen this form, mostly it has hidden attributes, some of which can be changed to select boxes. the part that seems to be a security flaw is that people can edit live html with the web developer toolbar on firefox. i've gone into one of my client's order forms and bought an expensive item for only five dollars and paypal never caught on.

below is the code that now anyone with any knowledge of html can edit live and submit the page with a new cost value

    <form target="paypal" action="https://www.paypal.com/cgi-bin/webscr" method="post">
    <input type="image" src="images/x-click-but21.gif" border="0" name="submit" alt="Make payments with PayPal - it's fast, free and secure!">
    <img alt="" border="0" src="https://www.paypal.com/en_US/i/scr/pixel.gif" width="1" height="1">
    <input type="hidden" name="add" value="1">
    <input type="hidden" name="cmd" value="_cart">
    <input type="hidden" name="business" value="email@company.com">
    <input type="hidden" name="item_name" value="product description">
    <input type="hidden" name="item_number" value="123456">
    <input type="hidden" name="amount" value="25.00">   <!-- This is the part you change to really mess with people -->
    <input type="hidden" name="page_style" value="company">
    <input type="hidden" name="no_shipping" value="2">
    <input type="hidden" name="return" value="http://www.company.com/addedtocart.htm">
    <input type="hidden" name="cancel_return" value="http://www.company.com/cancled.htm">
    <input type="hidden" name="cn" value="Comments">
    <input type="hidden" name="currency_code" value="USD">
    <input type="hidden" name="lc" value="US">
    <input type="hidden" name="bn" value="PP-ShopCartBF">
    </form>

now i was thinking i could somehow call an external js function to do this then encrypt it, but my knowledge of js is limited and i don't even know if it has the ability to do what this form does. if anyone has any advice or comments on html security issues posed by the web developer toolbar in firefox please post here

thanks
eric

ps : nothing against the toolbar or the people who wrote it, i love the toolbar and use it on an almost daily basis

thanks again
eric
Feb 2 '07 #1
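
Added example, not part of the original post: anything in the form, hidden or not, is under the buyer's control, so the check has to run on the merchant's server, which compares what was actually paid against its own price list before fulfilling the order. The catalog, the transaction ids and the function name are constructed for illustration, and the notification field names follow PayPal's IPN naming for cart payments and should be confirmed against your own integration. It assumes the notification was already authenticated as coming from PayPal.

```python
from decimal import Decimal, InvalidOperation

# Merchant-side price list keyed by item_number (constructed sample data).
CATALOG = {"123456": Decimal("25.00")}
MERCHANT_EMAIL = "email@company.com"   # the form's "business" value
CURRENCY = "USD"                        # the form's "currency_code" value


def check_notification(note, seen_txn_ids):
    """Return reasons to refuse fulfilment; an empty list means the order is OK.

    Assumption: `note` holds the fields of a payment notification that was
    already authenticated as coming from PayPal (that step is not shown).
    """
    problems = []
    if note.get("payment_status") != "Completed":
        problems.append("payment not completed")
    if note.get("receiver_email", "").lower() != MERCHANT_EMAIL:
        problems.append("paid to a different account")
    if note.get("mc_currency") != CURRENCY:
        problems.append("wrong currency")
    if note.get("txn_id") in seen_txn_ids:
        problems.append("transaction already processed")
    try:
        expected = Decimal("0")
        for i in range(1, int(note.get("num_cart_items", "0")) + 1):
            # Price comes from the catalog, never from the submitted form.
            expected += CATALOG[note[f"item_number{i}"]] * int(note[f"quantity{i}"])
        paid = Decimal(note["mc_gross"])
    except (KeyError, ValueError, InvalidOperation):
        return problems + ["malformed or unknown cart contents"]
    # Tax and shipping, if the store charges them, would be added to `expected`.
    if expected <= 0 or paid < expected:
        problems.append(f"paid {paid}, expected at least {expected}")
    return problems


# Constructed notifications: an honest order and one where "amount" was edited.
HONEST = {"payment_status": "Completed", "receiver_email": "email@company.com",
          "mc_currency": "USD", "txn_id": "TXN-EXAMPLE-1", "num_cart_items": "1",
          "item_number1": "123456", "quantity1": "1", "mc_gross": "25.00"}
TAMPERED = dict(HONEST, txn_id="TXN-EXAMPLE-2", mc_gross="5.00")

if __name__ == "__main__":
    print(check_notification(HONEST, set()))
    print(check_notification(TAMPERED, set()))
```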