> I just got this article today about how people are exploiting 
> shopping cart logic to change prices and essentially stealing 
> products. After some testing on my own carts I have been able 
> to exploit some of them by building a form with all their 
> required hidden fields and modifying their values. Of course
> this wouldn't be a problem if they weren't sending pricing 
> information as a hidden variable but many of them do. Do you 
> guys have any recommendation for preventing this on carts 
> built this way? I've thought of checking the http_referer to 
> make sure the request comes from the same domain the site is
> in but I'm not sure there isn't a better solution that I'm 
> missing. I've attached the address to the article for you all 
> to read.

No, there's no way to prevent this for carts built this way, except to
change the code so that it doesn't work this way.

Any data from the browser is subject to tampering. You can't rely on
HTTP_REFERER - that's sent by the browser, and thus subject to the same sort
of tampering as the form fields.

When I teach the Allaire Advanced CF Development class, I typically do a
demonstration of this exact thing using the sample (intentionally insecure)
application, and it usually gets a big rise out of the class.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
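To make the point above concrete, here is an added example (not code from the thread, and written in Python rather than CFML so it runs anywhere) that models the three carts discussed: one that believes a hidden price field, one that adds the proposed HTTP_REFERER check, and one rewritten so the browser supplies only a product id and quantity while the price is looked up server-side. The catalogue, the storefront hostname shop.example and the field names are constructed for the demonstration.

```python
from decimal import Decimal, ROUND_HALF_UP
from urllib.parse import urlsplit

# Constructed server-side price list; stands in for the cart's product table.
CATALOG = {
    "SKU-100": Decimal("49.99"),
    "SKU-200": Decimal("129.00"),
}

TRUSTED_HOST = "shop.example"   # hypothetical storefront host


def _money(amount):
    return amount.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def vulnerable_checkout(form):
    """A cart 'built this way': the price arrives as a hidden form field
    and is believed as-is, so whoever builds the form sets the price."""
    price = Decimal(form["price"])
    qty = int(form["qty"])
    return _money(price * qty)


def referer_checked_checkout(form, headers):
    """The proposed mitigation: same logic, but only when the Referer header
    names the storefront.  Referer is just another client-supplied string,
    so a hand-built request sets it to whatever the check wants to see."""
    referer = headers.get("Referer", "")
    if urlsplit(referer).hostname != TRUSTED_HOST:
        raise PermissionError("request did not originate from the storefront")
    return vulnerable_checkout(form)


def hardened_checkout(form):
    """The cart changed so it no longer works that way: only product identity
    and quantity are taken from the browser; the price is re-derived from the
    server-side catalogue on every request, and stray fields are ignored."""
    sku = form.get("sku")
    if sku not in CATALOG:
        raise ValueError("unknown product")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise ValueError("quantity must be an integer")
    if not 1 <= qty <= 99:
        raise ValueError("quantity out of range")
    # Any 'price' or 'total' field the client sent is simply not consulted.
    return _money(CATALOG[sku] * qty)


def tampered_request():
    """What the poster did: a home-made form with the hidden fields edited.
    The same attacker controls the Referer header, so it is spoofed too.
    (Constructed attacker input for the demonstration.)"""
    form = {"sku": "SKU-100", "qty": "2", "price": "0.01"}
    headers = {"Referer": f"https://{TRUSTED_HOST}/cart.cfm"}
    return form, headers


if __name__ == "__main__":
    form, headers = tampered_request()
    print("vulnerable cart charges:      ", vulnerable_checkout(form))
    print("referer-checked cart charges: ", referer_checked_checkout(form, headers))
    print("hardened cart charges:        ", hardened_checkout(form))
```

Run stand-alone, the first two carts charge 0.02 for two items that list at 49.99 each, because the forged Referer sails through the check; the hardened cart charges 99.98 regardless of what the form claims the price is. The only data worth validating from the browser is the product id (must exist) and the quantity (must be a sane integer); everything with monetary meaning is computed on the server.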

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Structure your ColdFusion code with Fusebox. Get the official book at 
http://www.fusionauthority.com/bkinfo.cfm

Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
