Security of price #2

Open
phoenix741 opened this issue Nov 4, 2013 · 1 comment

Comments

@phoenix741

Hi,

I have a little question about security. What about an unsure user?
For any processing executed on the client side, we can't trust the user. The user can change the executed JavaScript with the help of a Greasemonkey script or manually. So if all the processing is done by the client, the client can change the price before sending it to PayPal.

How can this case be resolved without calling PayPal from the server side?

@kenyee
Owner

kenyee commented Nov 9, 2013

Because of the way PayPal's "Payflow Link" works, you can't prevent the attack you described because your form posts the price info to PayPal's server. You do get a confirmation# back from PayPal though, so you can save the final amount and order info on your web site and then verify the order amount is correct and reject it when you get the confirmation# back from PayPal.
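
The check described in the reply above, sketched as an added example that is not part of the thread or of the project's code: the server records the expected total before the buyer is sent to the payment form, then compares it with the amount reported alongside the confirmation number. The catalog, the field names `orderId`, `amount` and `confirmation`, and the in-memory store are assumptions, and the confirmation is assumed to arrive over a channel the server trusts.

```javascript
// Added example (Node.js). Catalog, field names and order ids are constructed.
const CATALOG = { 'sku-1': 1999, 'sku-2': 500 }; // cents; server-side source of truth
const orders = new Map(); // orderId -> { expectedCents, status }

// Parse a decimal string such as "24.99" into integer cents; reject anything else.
function toCents(text) {
  const m = /^(\d+)(?:\.(\d{1,2}))?$/.exec(String(text).trim());
  if (!m) return null;
  return Number(m[1]) * 100 + Number((m[2] || '').padEnd(2, '0'));
}

// Record the order before the browser is sent to the payment form.
// Prices come from CATALOG, never from values the client submits.
function createOrder(orderId, items) {
  let expectedCents = 0;
  for (const { sku, qty } of items) {
    const known = Object.prototype.hasOwnProperty.call(CATALOG, sku);
    if (!known || !Number.isInteger(qty) || qty < 1) {
      throw new Error('invalid line item');
    }
    expectedCents += CATALOG[sku] * qty;
  }
  orders.set(orderId, { expectedCents, status: 'pending' });
  return expectedCents;
}

// Handle the confirmation: accept only if the paid amount equals the stored one.
function verifyConfirmation({ orderId, amount, confirmation }) {
  const order = orders.get(orderId);
  if (!order) return { ok: false, reason: 'unknown order' };
  if (order.status !== 'pending') return { ok: false, reason: 'already processed' };
  if (!confirmation) return { ok: false, reason: 'missing confirmation' };
  const paid = toCents(amount);
  if (paid === null || paid !== order.expectedCents) {
    order.status = 'rejected'; // do not ship; keep the record for review
    return { ok: false, reason: 'amount mismatch' };
  }
  order.status = 'paid';
  order.confirmation = confirmation;
  return { ok: true };
}
```

Amounts are compared as integer cents so that a float rounding difference can neither hide nor fake a mismatch.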
