Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations TouchToneTommy on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Generate and submit a form from server

Status
Not open for further replies.

Glasgow

IS-IT--Management
Jul 30, 2001
1,669
GB
Hi

I am submitting data to a payment provider using an html form with hidden fields and SSL. However, it appears that this data can be intercepted and modified using a proxy tool. How can I achieve the equivalent within classic ASP alone - i.e. generate and submit the form from the server rather than from the browser?

The form currently looks something like this:
Code:
  <form action="[URL unfurl="true"]https://paymentprovider.com/purchase"[/URL] method=POST id=form1 name=PayForm>
  <input type=hidden name="instId"      value="1234">
  <input type=hidden name="amount"      value="100.00">
  <input type=hidden name="currency"    value="GBP">
  <input type=hidden name="country"     value="GB">
  <input type=hidden name="name"        value="Fred Bloggs">
  <input type=hidden name="email"       value="fred@bloggs.com">
  <input type=submit value="invisible" id=submit1 name=submit1 style="width:0">
  </form>
  <script type="text/javascript">document.WorldPayForm.submit()  </script>

If possible I'd prefer any solution to support older versions of IE but it's not essential.

Thanks in advance.
 


If the communication is over SSL the data being transferred is encrypted, so is unreadable by sniffers or interceptors

Chris.

Indifference will be the downfall of mankind, but who cares?
Time flies like an arrow, however, fruit flies like a banana.
Webmaster Forum
 
Thanks Chris.

I agree with you in principle but an external penetration testing company claim they managed to intercept and adjust payment to 0.01 GBP and there is evidence on the site to this effect. Perhaps they just tried a few changes to the encrypted text and got lucky. They advised submitting from server to avoid possibility of interception.

 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top