08-04-2008, 02:30 PM | #1
ole90
Regular Coder
Join Date: Jan 2007
Posts: 217
Insecure Paypal script

Hey guys,

I use a premade script to allow users of my site to buy virtual credits. The only problem is (as I found out yesterday) users are able to hack it.

The problem arises when users edit the hidden form data in the html and make it so they spend only 0.01 for something that is worth $5.00

Script basics:

Code:
<form method="post" name="paypal_form" action="https://www.paypal.com/cgi-bin/webscr">
<input type="hidden" name="rm" value="2"/>
<input type="hidden" name="cmd" value="_xclick"/>
<input type="hidden" name="business" value="eviltyd@hotmail.com"/>
<input type="hidden" name="return" value="http://www.ichumon.com/ichu_cash5k.php?action=success"/>
<input type="hidden" name="cancel_return" value="http://www.ichumon.com/ichu_cash5k.php?action=cancel"/>
<input type="hidden" name="notify_url" value="http://www.ichumon.com/ichu_cash5k.php?action=ipn"/>
<input type="hidden" name="item_name" value="50 IchuCash"/>
<input type="hidden" name="amount" value="5.00"/>
<input type="hidden" name="custom" value="1"/>
<center><br/><br/>If you are not automatically redirected to paypal within 5 seconds...<br/><br/>

<input type="submit" value="Click Here"></center>
</form>
This is the code they are editing. What I want to know is if there is a way to make sure that it only allows $5.00 to be sent for the amount, or for that matter, any of the other values. I don't know how to get them sent to PayPal without forms, but all forms can be edited :X

I am using the premade script: PHP Paypal IPN Integration Class Demonstration File

Any help on how to fix this? thanks!
08-04-2008, 03:24 PM | #2
Fumigator
UE Antagonizer
Join Date: Dec 2005
Location: Utah, USA
Posts: 7,686
You should do a couple of things. The first is to go into Paypal, find their button builder, and make sure you choose "encrypted code". You get fewer features but the code on the button is encrypted and more difficult to alter.

The second choice is something you should be doing anyway, and that is verify all purchases using IPN (Instant Payment Notification). With IPN activated, Paypal sends you a POST request to a script you've written, with all the details of a payment. You can then check the product ID against the price actually paid for the product and make sure it matches your database. There's no way to hack this cross-check.
08-04-2008, 03:27 PM | #3
derzok
Regular Coder
Join Date: May 2008
Location: Ohio
Posts: 231
This is why you should look into an eCommerce solution - an app that's rather robust and actually built for this.

The best way to secure it is to use a database to store all of your products and prices. When you put the price inside of the HTML, you're essentially asking the user what the item's price is. You want to tell them. If you store the info in a database, you can simply send the product's ID number to the submit page. The submit page can look up the rest of the information with the ID from the database.
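Putting Fumigator's IPN cross-check and derzok's "send only the product id" advice together, here is an added example of an IPN listener (not the thread's script and not the PayPal class ole90 mentions). It assumes a constructed product table standing in for the database, a placeholder seller email, the PayPal endpoint from the form above, and that the form's `custom` field carries only the product id.

```php
<?php
// Added example, not the thread's script: an IPN listener that only trusts
// PayPal's notification and our own price list, never the browser's form.
// The form sends just a product id in "custom"; price, name and credits
// come from this table (a constructed stand-in for the database).
const PRODUCTS = [
    1 => ['item_name' => '50 IchuCash', 'amount' => '5.00', 'credits' => 50],
];
const SELLER_EMAIL = 'seller@example.com'; // placeholder, use your PayPal account email
const PAYPAL_URL   = 'https://www.paypal.com/cgi-bin/webscr';
// Step 1: post the notification back to PayPal with cmd=_notify-validate.
// A genuine IPN is answered with the literal string "VERIFIED".
function ipn_is_verified(array $post): bool {
    $ch = curl_init(PAYPAL_URL);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query(['cmd' => '_notify-validate'] + $post),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
    ]);
    $reply = curl_exec($ch);
    curl_close($ch);
    return $reply === 'VERIFIED';
}

// Step 2: cross-check a verified IPN against our price list. Returns the
// credits to grant, or null (with $reason set) if anything does not match.
function check_payment(array $ipn, array $credited_txns, ?string &$reason = null): ?int {
    $product = PRODUCTS[(int) ($ipn['custom'] ?? 0)] ?? null;
    if ($product === null)                                    { $reason = 'unknown product';  return null; }
    if (($ipn['payment_status'] ?? '') !== 'Completed')       { $reason = 'not completed';    return null; }
    if (($ipn['receiver_email'] ?? '') !== SELLER_EMAIL)      { $reason = 'wrong receiver';   return null; }
    if (($ipn['mc_currency'] ?? '') !== 'USD')                { $reason = 'wrong currency';   return null; }
    if (in_array($ipn['txn_id'] ?? '', $credited_txns, true)) { $reason = 'already credited'; return null; }
    // Compare in whole cents so that "5.00" and "5" agree but "0.01" is rejected.
    $paid = (int) round((float) ($ipn['mc_gross'] ?? 0) * 100);
    if ($paid !== (int) round((float) $product['amount'] * 100)) { $reason = 'amount mismatch'; return null; }
    return $product['credits'];
}

// Listener entry point: PayPal POSTs here (the notify_url of the form).
if (ipn_is_verified($_POST)) {
    $credited = []; // load the txn_ids you have already credited from the database
    $credits  = check_payment($_POST, $credited, $why);
    if ($credits !== null) {
        // credit the user and record $_POST['txn_id'] so the same IPN cannot be replayed
    } else {
        error_log("IPN rejected: $why");
    }
}
```

With this in place the hidden `amount` field in the form becomes irrelevant: whatever the buyer changes it to, the credits are only granted when the amount PayPal reports matches the price in your own table.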
08-04-2008, 04:29 PM | #4
mlseim
Master Coder
Join Date: Jun 2003
Location: Cottage Grove, Minnesota
Posts: 9,046
Whichever PHP shopping cart system you use, OSCommerce, CubeCart, whatever ... go to the PayPal Development Site and create a free "sandbox" where you can test-out your scripts with a "real" PayPal transaction ... but the buyer/seller and credit card is fake, so it's a good way to test it out. Once you get it working, you switch account info to your REAL PayPal account.

https://developer.paypal.com/
08-04-2008, 04:35 PM | #5
derzok
Regular Coder
Join Date: May 2008
Location: Ohio
Posts: 231
Quote:
Originally Posted by mlseim View Post
Whichever PHP shopping cart system you use, OSCommerce, CubeCart, whatever ... go to the PayPal Development Site and create a free "sandbox" where you can test-out your scripts with a "real" PayPal transaction ... but the buyer/seller and credit card is fake, so it's a good way to test it out. Once you get it working, you switch account info to your REAL PayPal account.

https://developer.paypal.com/
That's cool! I did not know they offered this feature. +1 for the good find.