[Gllug] OT: Online Payment Processing

Tim Gray timgray at numasters.com
Tue Jan 20 17:02:24 UTC 2004


Jason Clifford wrote:

> How can anyone buy something via a form exploit - don't you get a
> callback to verify the transaction with?

SecPay used to 'let' site operators submit the callback location in 
clear text as a part of the pay form submission (you could submit 
directly to their processing script). To run the exploit, all a user 
would have to do is save a copy of the final payment page locally, 
edit the total price field and submit the form directly.

> If a transaction doesn't match what I expect the systems here do not
> complete the transaction - the ones that I've finished properly also
> print an error message to the user.

Agreed. I also use crypted callback strings, referrer and price 
checking to catch folks doing this, but lazy admins may not.

> I get an email notification as well to let me know that the transaction is 
> dodgy so I can go and refund it.

Ditto. I know a friend who used a form exploit to get a room at the 
Hilton for half price. Apparently they didn't bother to check the 
transaction, and he only changed the price to half cos he felt guilty at 
getting the room for £1.


Tim.

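The attack Tim describes (save the pay form, edit the price, post it straight to the processor) and the two merchant-side checks that catch it (a signed callback string and comparing the posted price against the order), as an added example that is not code from this thread, from SecPay or from either poster. The field names, the HMAC scheme, the order book and the shared secret are all constructed assumptions; referrer checking is left out because a Referer header is set by the client and is trivially forged.

```python
"""Price tampering on a hosted payment form, and the merchant-side checks
that catch it.  Added example; field names, HMAC layout, order book and
secret are assumptions for illustration, not a real processor's API."""
import hashlib
import hmac
from typing import Dict, Tuple

# Constructed merchant order book: order id -> amount due, in pence.
ORDERS: Dict[str, int] = {"ord-1001": 15000}  # a GBP 150.00 room

# Constructed secret shared by merchant and processor.  It never appears
# in the rendered form, so the customer cannot re-sign an edited price.
SECRET = b"merchant-processor-shared-secret"


def _canonical(fields: Dict[str, str]) -> bytes:
    """Canonical byte string over every field except the signature itself."""
    return "&".join(f"{k}={fields[k]}" for k in sorted(fields) if k != "sig").encode()


def build_payment_form(order_id: str, callback_url: str) -> Dict[str, str]:
    """Merchant renders the hidden fields of the pay form and signs them.

    The MAC binds amount, order id and callback URL together, so editing
    any one of them in a saved copy of the page invalidates the signature.
    """
    fields = {
        "order_id": order_id,
        "amount": str(ORDERS[order_id]),
        "callback": callback_url,
    }
    fields["sig"] = hmac.new(SECRET, _canonical(fields), hashlib.sha256).hexdigest()
    return fields


def tamper(fields: Dict[str, str], new_amount_pence: int) -> Dict[str, str]:
    """What the attacker does: save the page locally, edit the total, submit."""
    forged = dict(fields)
    forged["amount"] = str(new_amount_pence)
    return forged


def lazy_callback(fields: Dict[str, str]) -> Tuple[bool, str]:
    """Vulnerable handler: trusts whatever amount the processor echoes back."""
    return True, f"marked {fields['order_id']} paid at {fields['amount']}p"


def checked_callback(fields: Dict[str, str]) -> Tuple[bool, str]:
    """Hardened handler: verify the signature, then check price against the order.

    Both checks are kept: the signature catches edits to the posted fields,
    the order-book comparison catches any amount that disagrees with what
    the merchant actually expects, regardless of how it got there.
    """
    expected_sig = hmac.new(SECRET, _canonical(fields), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(fields.get("sig", ""), expected_sig):
        return False, "bad signature"
    order_id = fields["order_id"]
    if order_id not in ORDERS:
        return False, "unknown order"
    if int(fields["amount"]) != ORDERS[order_id]:
        return False, "amount mismatch"
    return True, "ok"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run the honest and the tampered submission through both handlers."""
    legit = build_payment_form("ord-1001", "https://merchant.example/callback")
    forged = tamper(legit, 100)  # the GBP 1.00 room
    return {
        "legit_checked": checked_callback(legit),
        "forged_lazy": lazy_callback(forged),
        "forged_checked": checked_callback(forged),
        "no_sig_checked": checked_callback({k: v for k, v in legit.items() if k != "sig"}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16} {result}")
```

The lazy handler accepts the GBP 1.00 submission; the checked one rejects it on the signature before the price is even compared, and also rejects a submission from which the signature field has been stripped.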

-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug