[Gllug] OT: Online Payment Processing
Tim Gray
timgray at numasters.com
Tue Jan 20 17:02:24 UTC 2004
Jason Clifford wrote:
> How can any buy something via a form exploit - don't you get a
> callback to verify the transaction with?
SecPay used to 'let' site operators submit the callback location in
clear text as a part of the pay form submission (you could submit
directly to their processing script). To run the exploit all a user
would have to do is save a copy of the final payment page locally and
edit the total price field then submit the form directly.
> If a transaction doesn't match what I expect the systems here do not
> complete the transaction - the ones that I've finished properly also
> print an error message to the user.
Agreed. I also use crypted callback strings, referrer and price
checking to catch folks doing this but lazy admins may not.
> I get an email notification as well to let me know that the transaction is
> dodgy so I can go and refund it.
Ditto. I know a friend who used a form exploit to get a room at the
Hilton for half price. Apparently they didn't bother to check the
transaction, and he only changed the price to half cos he felt guilty at
getting the room for £1.
Tim.
--
Gllug mailing list - Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
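The two checks Tim describes (a cryptographically protected callback string and a server-side price check) can be implemented in a few lines. The following is an added example, not code from the original thread or from SecPay; it assumes a hypothetical merchant-side order store keyed by order id, amounts expressed in pence, and HMAC-SHA256 over `order_id|amount` as the "crypted" callback token. The attacker-edited form in the post becomes the tampered submission below, and the handler rejects it rather than completing the sale.

```python
import hashlib
import hmac

# Constructed for this example: a secret that lives only on the merchant's
# server. A real deployment would load it from configuration, not source.
SERVER_SECRET = b"example-merchant-secret-do-not-reuse"

# Constructed order store: order id -> amount (in pence) the merchant expects.
ORDERS = {"ORD-1001": 20000}  # a £200.00 room


def sign_callback(order_id: str, amount_pence: int, secret: bytes = SERVER_SECRET) -> str:
    """Token to embed in the payment form when it is rendered.

    Binding both the order id and the amount means a browser-side edit of the
    price field invalidates the token; the attacker cannot recompute it
    without SERVER_SECRET.
    """
    msg = f"{order_id}|{amount_pence}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_payment(order_id: str, amount_pence: int, token: str,
                   secret: bytes = SERVER_SECRET) -> tuple[bool, str]:
    """Decide whether a gateway callback may complete the order.

    Returns (ok, reason). Both checks are applied: the token proves the
    callback fields were not altered, and the price comparison against the
    merchant's own record catches any case where the signing step was fed a
    client-controlled amount.
    """
    expected = ORDERS.get(order_id)
    if expected is None:
        return False, "unknown order"
    # Constant-time comparison so the token check does not leak via timing.
    if not hmac.compare_digest(sign_callback(order_id, amount_pence, secret), token):
        return False, "bad signature"
    if amount_pence != expected:
        return False, "amount mismatch"
    return True, "ok"


def process_callback(form: dict) -> tuple[bool, str]:
    """Parse the posted callback fields (all strings) and verify them."""
    try:
        amount = int(form["amount"])
    except (KeyError, ValueError):
        return False, "malformed amount"
    if amount <= 0:
        return False, "non-positive amount"
    return verify_payment(form.get("order_id", ""), amount, form.get("token", ""))


def demo() -> dict:
    """Honest submission versus the saved-and-edited form from the post."""
    honest = {"order_id": "ORD-1001", "amount": "20000",
              "token": sign_callback("ORD-1001", 20000)}
    # Constructed tampered copy: the price field was halved, the token was not
    # (and cannot be) recomputed by the client.
    tampered = dict(honest, amount="10000")
    return {"honest": process_callback(honest), "tampered": process_callback(tampered)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The price check is kept even though the token already covers the amount: if a merchant ever signs whatever total the cart posts, the token proves nothing about the price, and only the comparison against the merchant's own record stops the £1 room. Referrer checking, also mentioned in the post, is worth doing but is advisory only, since the Referer header is set by the client and can be omitted or forged; it must not be the check that decides whether money changed hands.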