
Some help please - asp/javascript security

Status
Not open for further replies.

PaulSc

MIS
Aug 21, 2000
148
GB
Hi, I'm after a bit of help and/or advice, please.

We have a very old (but stable) ASP 3.0 website which uses JavaScript to do an auto form submission to a 3rd party. They in turn do some processing, then pass control back, where, based on the parameters received, we trigger downstream processing (i.e. a payment...).

We believe that someone may be "interfering" with this process by disabling JavaScript, halting the form submission, and then submitting their own modified form back to us, triggering a successful transaction but bypassing the payment system...

We've tried putting in checks for JavaScript enabled, validating HTTP referrers, etc., but still no luck (as browsers such as FF can disable this).

Any suggestions as to how we may stop/block this sort of behaviour and enhance the protection of this site? (Please note changing from ASP is not currently an option and we'd prefer a zero-cost option... (I know, but not my specifications...))

Thanks
 


One idea off the top of my head would be to deliver different JavaScript scripts randomly that create a hidden field with different values; the server could store the code in a session variable, and each script has a different algorithm to manipulate the code.

It is similar to how banks use card readers for online transactions: each card reader has a random algorithm that is determined when you initialise the card; they then send codes which you type in, and you send the reader's response back to the bank system.

By sending a script with a random algorithm to the client and keeping the key on the server, you check that JS is enabled and make it rather difficult to guess which algorithm and what key is going to be delivered.

Chris.

Indifference will be the downfall of mankind, but who cares?
Time flies like an arrow, however, fruit flies like a banana.
Webmaster Forum
 
Surely you get feedback direct from the payment system? I would think maybe you could hold up orders from one place (no matter what they said) that didn't have a corresponding payment from another place. Don't know enough to know your system; just brainstorming.
 