Some help please - asp/javascript security

(OP)
Hi, I'm after a bit of help and/or advice please.

We have a very old (but stable) ASP 3.0 website which uses JavaScript to do an auto form submission to a 3rd party. They in turn do some processing, then pass control back, where, based on the parameters received, we trigger downstream processing (i.e. a payment).

We believe that someone may be "interfering" with this process by disabling JavaScript, halting the form submission, and then submitting their own modified form back to us, triggering a successful transaction but bypassing the payment system.

We've tried putting in checks for JavaScript enabled, validating HTTP referrers, etc., but still no luck (as browsers such as FF can disable this).

Any suggestions as to how we may stop/block this sort of behaviour and enhance the protection of this site? (Please note changing from ASP is not currently an option and we'd prefer a zero-cost option... I know, but not my specifications.)

Thanks

RE: Some help please - asp/javascript security

One idea off the top of my head would be to deliver different JavaScript scripts randomly that created a hidden field with different values; the server could store the code in a session variable, and each JavaScript has a different algorithm to manipulate the code.

It is similar to how banks use card readers for online transactions: each card reader has a random algorithm that is determined when you initialise the card, they then send codes which you type in, and you send the reader's response back to the bank system.

By sending a script with a random algorithm to the client and keeping the key on the server, you check that JS is enabled and make it rather difficult to guess which algorithm and what key is going to be delivered.

Chris.

Indifference will be the downfall of mankind, but who cares?
Time flies like an arrow, however, fruit flies like a banana.
Webmaster Forum

RE: Some help please - asp/javascript security

Surely you get feedback direct from the payment system? I would think maybe you could hold up orders from one place (no matter what they said) that didn't have a corresponding payment from another place. Don't know enough to know your system - just brainstorming.
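
The reconciliation suggested in the reply above, sketched as an added example that is not part of the original thread or the poster's site: the browser's return parameters only identify the order, and fulfilment depends on a matching record from the payment system. The order ids, field names and both data sets are constructed, and the payment records are assumed to reach the server directly from the provider rather than through the browser.

```javascript
// Orders our site created before handing the customer to the third party (constructed).
const pendingOrders = new Map([
  ["ORD-1001", { amountPence: 4999, currency: "GBP", fulfilled: false }],
  ["ORD-1002", { amountPence: 1500, currency: "GBP", fulfilled: false }],
  ["ORD-1003", { amountPence: 2500, currency: "GBP", fulfilled: false }],
]);

// Payments as reported by the payment system itself (constructed; assumed to be
// obtained server-to-server or from a settlement report, never from the browser).
const providerPayments = [
  { orderId: "ORD-1001", amountPence: 4999, currency: "GBP", status: "captured" },
  { orderId: "ORD-1003", amountPence: 100, currency: "GBP", status: "captured" },
];

// Decide what to do with a "payment succeeded" return posted by the browser.
// Nothing in returnParams is treated as proof of payment.
function reconcile(returnParams, orders, payments) {
  const id = String(returnParams.orderId);
  const order = orders.get(id);
  if (!order) return { action: "reject", reason: "unknown order" };
  if (order.fulfilled) return { action: "reject", reason: "already fulfilled" };

  const payment = payments.find((p) => p.orderId === id && p.status === "captured");
  if (!payment) return { action: "hold", reason: "no matching payment" };

  // The amount comes from our own order record, not from the submitted form.
  if (payment.amountPence !== order.amountPence || payment.currency !== order.currency) {
    return { action: "hold", reason: "amount mismatch" };
  }

  order.fulfilled = true; // one fulfilment per order, so a replayed return is rejected
  return { action: "fulfil", reason: "payment confirmed by provider" };
}

// A return whose form fields claim success but which has no provider record is held.
console.log(reconcile({ orderId: "ORD-1002", status: "success" }, pendingOrders, providerPayments));
```
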
