I know that a POST can be spoofed in terms of originating domain, but what about being able to change the variables of the hidden POST variables in my HTML? I am concerned that someone could alter the “amount” value in my PayPal form from this:
<input type="hidden" name="amount" value="1.00">
to this:
<input type="hidden" name="amount" value="0.01">
or something similar. Thanks.
Yes, it is trivially easy for anyone to modify your form variables. Whether they are GET or POST doesn’t matter at all.
Web security rule #1: Never trust any user input. Also stated as “All users are malicious hackers” or some variant thereof.
You shouldn’t rely on the amount field being what you’d initially transmitted in the response to the client. A more secure approach would be to rely on an identifier for an item, which you can map to a price on the server (a more controlled environment).
In fact, this is one of the main reasons not to rely on user input.
Please realize that I can send ANY cookie, POST and GET argument (key and value pairs) I want, regardless of whether this is a form for them. (See cURL)
Frank said “At the store, you would very rarely see clients fill their shopping carts, and then tell the cashier how much they have to pay.”
Try to think of it like that. The browser (not user) is the client and the server is the cashier.
Any information that flows from the browser to the server can be anything I want.
Yes. It gets worse, because they don’t even have to alter your page to do it. A user could use any text editor to construct an HTML page with a form full of text boxes, load it from local disk, fill them with whatever they want and hit submit. OTOH, that will show up in some header values.
Or if they are really determined, they can connect to port 80 on your server via telnet and forge the entire HTTP request, including headers.
There is not a single byte of the incoming request that you can trust.
That said, there are known solutions to these problems that are generally implemented in terms of hashes, signatures and cryptography, but I don’t know enough to suggest where to look for them.
In this case let them change the value if they want to, and let them pay you the $0.01. But then, when you get the Paypal IPN (Instant Payment Notification) it will include the price they paid; check that against your item database to make sure that it’s the correct price.
If it’s not the correct price, do not send/give the item. You earned $0.01!
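The following added example (not code from the original thread) puts together the two server-side pieces recommended in this thread: the first answer's suggestion to map an item identifier to a price on the server instead of trusting the posted amount, and the last answer's advice to check the amount reported in the PayPal IPN against your own item database before shipping. The catalogue, merchant address and sample IPN messages are constructed for illustration; the IPN field names (`payment_status`, `receiver_email`, `item_number`, `mc_gross`, `mc_currency`, `txn_id`) are PayPal's. The postback to PayPal (`cmd=_notify-validate`, expecting the reply `VERIFIED`) is represented by a callable so the code runs offline; in production you would make that HTTP request.

```python
"""Added example, not from the original thread: server-side price lookup plus
PayPal IPN verification. Item IDs, prices, the merchant address and the sample
IPN bodies are constructed for illustration."""
from decimal import Decimal
from urllib.parse import parse_qs

# Hypothetical catalogue: the server, not the form, decides what an item costs.
CATALOG = {
    "sku-1001": {"name": "Widget", "price": Decimal("1.00"), "currency": "USD"},
    "sku-1002": {"name": "Gadget", "price": Decimal("25.00"), "currency": "USD"},
}
RECEIVER_EMAIL = "merchant@example.com"  # assumed merchant account address


def checkout_fields(item_id):
    """Build the hidden-field values for the PayPal form from the catalogue.
    The client only ever chooses item_number; amount comes from the server."""
    item = CATALOG[item_id]
    return {
        "cmd": "_xclick",
        "business": RECEIVER_EMAIL,
        "item_name": item["name"],
        "item_number": item_id,
        "amount": f"{item['price']:.2f}",
        "currency_code": item["currency"],
    }


def verify_ipn(raw_body, seen_txn_ids, postback=lambda body: "VERIFIED"):
    """Decide whether an IPN message justifies releasing the item.

    raw_body:     the POST body PayPal sent (application/x-www-form-urlencoded)
    seen_txn_ids: set of txn_ids already fulfilled, to stop replays
    postback:     re-posts the body to PayPal with cmd=_notify-validate and
                  returns PayPal's answer; the default is an offline stub
    Returns (ok, reason). Even if the buyer edited the form to pay $0.01,
    the payment is kept but the item is not released.
    """
    if postback(raw_body) != "VERIFIED":
        return False, "IPN not verified by PayPal"
    fields = {k: v[0] for k, v in parse_qs(raw_body, keep_blank_values=True).items()}
    if fields.get("payment_status") != "Completed":
        return False, "payment not completed"
    if fields.get("receiver_email") != RECEIVER_EMAIL:
        return False, "paid to the wrong account"
    item = CATALOG.get(fields.get("item_number", ""))
    if item is None:
        return False, "unknown item"
    try:
        paid = Decimal(fields.get("mc_gross", ""))
    except (ArithmeticError, ValueError):
        return False, "malformed amount"
    # The price in our own database is the only one that counts.
    if fields.get("mc_currency") != item["currency"] or paid != item["price"]:
        return False, (f"paid {paid} {fields.get('mc_currency')}, "
                       f"expected {item['price']} {item['currency']}")
    txn = fields.get("txn_id")
    if not txn or txn in seen_txn_ids:
        return False, "duplicate or missing txn_id"
    seen_txn_ids.add(txn)
    return True, "ok"


# Constructed sample IPN bodies: an honest payment and one from an edited form.
GOOD_IPN = ("payment_status=Completed&receiver_email=merchant%40example.com"
            "&item_number=sku-1001&mc_gross=1.00&mc_currency=USD&txn_id=TXN0001")
TAMPERED_IPN = ("payment_status=Completed&receiver_email=merchant%40example.com"
                "&item_number=sku-1001&mc_gross=0.01&mc_currency=USD&txn_id=TXN0002")

if __name__ == "__main__":
    fulfilled = set()
    print(checkout_fields("sku-1001"))
    print(verify_ipn(GOOD_IPN, fulfilled))
    print(verify_ipn(TAMPERED_IPN, fulfilled))
```

Note the order of checks: the postback to PayPal comes first so that a forged IPN from a third party is rejected before any database lookup, and the `txn_id` is recorded only after every other check has passed, so a message that fails is not mistakenly remembered as fulfilled.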