So I am implementing a payment system with 2co on my website. I am using their ‘Header Redirect’ which returns the customer to an ASPX page on my website with a bunch of querystrings after a successful payment.
Anyway, I was wondering. What is the proper way to secure this? What if a customer typed the parameters him/herself, such as `Payment.aspx?params-here`, and added credits as they wish to their account?
How can I make sure that this is 100% authentic?
Suggestions? Thanks!
A solution approach to parameter tampering is usually mapping the query parameters to something that cannot be easily manipulated, e.g. by using a one-way hash function to create a digest to send along with the original parameter and limiting the duration during which a particular mapping/digest is valid. If the digest matches the query parameter you know the request has not been tampered with.
E.g. your URL

`Payment.aspx?Amount=100`

could become

`Payment.aspx?Amount=100&Digest=53e5e07397f7f01c2b276af813901c2`

Here’s an old but still relevant, detailed article on the topic: Passing Tamper-Proof QueryString Parameters
In ASP.NET you can use `Page.EnableEventValidation`, which uses a hidden textbox as part of a form to validate that a request was issued from the form:
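The digest-plus-expiry approach from the answer above, as an added C# example that is not part of the original post. It uses a keyed HMAC-SHA256 rather than a bare hash, so someone who edits the URL cannot recompute the digest; the class name, the `Expires` parameter and the key value are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class SignedQuery
{
    // Assumption: a random server-side secret that never reaches the browser (placeholder value).
    static readonly byte[] Key = Encoding.UTF8.GetBytes("REPLACE-WITH-RANDOM-SERVER-SECRET");

    // Canonical form that is signed: fixed field order, amount URL-escaped.
    static string Canon(string amount, long expires)
    {
        return "Amount=" + Uri.EscapeDataString(amount) + "&Expires=" + expires;
    }

    static string Mac(string message)
    {
        using (var h = new HMACSHA256(Key))
            return BitConverter.ToString(h.ComputeHash(Encoding.UTF8.GetBytes(message))).Replace("-", "").ToLowerInvariant();
    }

    // Builds the query string; the digest stops verifying ttlSeconds after nowUtc.
    public static string Sign(string amount, DateTime nowUtc, int ttlSeconds)
    {
        string message = Canon(amount, ToUnix(nowUtc) + ttlSeconds);
        return message + "&Digest=" + Mac(message);
    }

    // True only if the digest matches the received values and the expiry has not passed.
    public static bool Verify(string amount, string expiresText, string digest, DateTime nowUtc)
    {
        long expires;
        if (amount == null || digest == null || !long.TryParse(expiresText, out expires)) return false;
        if (ToUnix(nowUtc) > expires) return false;
        string expected = Mac(Canon(amount, expires)), given = digest.ToLowerInvariant();
        if (expected.Length != given.Length) return false;
        int diff = 0;  // compare every character instead of stopping at the first mismatch
        for (int i = 0; i < expected.Length; i++) diff |= expected[i] ^ given[i];
        return diff == 0;
    }

    static long ToUnix(DateTime utc) { return (long)(utc - new DateTime(1970, 1, 1)).TotalSeconds; }

    public static void Main()
    {
        DateTime now = DateTime.UtcNow;
        string qs = Sign("100", now, 300);  // constructed sample values
        string exp = (ToUnix(now) + 300).ToString(), digest = qs.Substring(qs.IndexOf("&Digest=") + 8);
        Console.WriteLine(qs);
        Console.WriteLine("unmodified: " + Verify("100", exp, digest, now));
        Console.WriteLine("amount edited: " + Verify("9999", exp, digest, now));
        Console.WriteLine("after expiry: " + Verify("100", exp, digest, now.AddSeconds(301)));
    }
}
```

In the receiving page's code-behind, the three values would come from `Request.QueryString`. A signed URL can still be replayed until it expires, so credit each order only once on the server side.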