StellarWebSolutions.com - The Web Application Experts - Main Page


eShoplifting - Shopping Cart Exploits

Many electronic shopping cart programs, and many methods of integrating a site with a credit card processing service, are at risk of what is called eShoplifting: the modification of product or service pricing by a malicious user between the shopping cart website and the payment processor.

For instance, websites that use PayPal commonly pass the amount as a hidden form field when the user clicks a Buy Now or Pay Now button. Instead of simply clicking that button, a malicious user can save the page's HTML to their own computer, edit the amount, and submit the edited form; the browser's developer tools or an intercepting proxy make the same change without saving anything.

How can I tell if my website is at risk?

Look at the HTML of the page where your payment is submitted to the payment processor. If you see price or amount information inside the form HTML, your website is at risk: everything in the form is under the user's control, hidden fields included.

A typical PayPal Buy Now form looks like this:

<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="cmd" value="_xclick">
<input type="hidden" name="business" value="paid@yourdomain.com">
<input type="hidden" name="item_name" value="my product">
<input type="hidden" name="item_number" value="12345">
<input type="hidden" name="amount" value="9.99">
<input type="hidden" name="no_note" value="1">
<input type="hidden" name="currency_code" value="USD">
<input type="hidden" name="bn" value="PP-BuyNowBF">
<input type="image" src="https://www.paypal.com/en_US/i/btn/x-click-but23.gif" border="0" name="submit" alt="Make payments with PayPal - it's fast, free and secure!">
<img alt="" border="0" src="https://www.paypal.com/en_US/i/scr/pixel.gif" width="1" height="1">
</form>

A malicious user can exploit the fact that the product's price is sent in the clear as a hidden form field, submitting the same form with the amount changed:

<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="cmd" value="_xclick">
<input type="hidden" name="business" value="paid@yourdomain.com">
<input type="hidden" name="item_name" value="my product">
<input type="hidden" name="item_number" value="12345">
<input type="hidden" name="amount" value="1.00">
<input type="hidden" name="no_note" value="1">
<input type="hidden" name="currency_code" value="USD">
<input type="hidden" name="bn" value="PP-BuyNowBF">
<input type="image" src="https://www.paypal.com/en_US/i/btn/x-click-but23.gif" border="0" name="submit" alt="Make payments with PayPal - it's fast, free and secure!">
<img alt="" border="0" src="https://www.paypal.com/en_US/i/scr/pixel.gif" width="1" height="1">
</form>
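The check described above can be automated. The following is an added example, not code from the original article or from PayPal: it parses the HTML of a checkout page and reports every form that posts to a payment processor while carrying price fields in the clear, and recognises PayPal's encrypted (`cmd=_s-xclick` plus `encrypted`) and hosted (`cmd=_s-xclick` plus `hosted_button_id`) buttons as the safe pattern. The list of price-carrying field names, the processor hosts and the two sample pages are assumptions modelled on the forms shown above.

```python
"""Checkout-page audit for price data exposed in the payment form.

Added example, not code from the original article or from PayPal. It parses
the HTML of a checkout page and reports every form that posts to a payment
processor with price fields sent in the clear. The list of price-carrying
field names, the processor hosts and the sample pages are assumptions
modelled on the PayPal forms shown in the article.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hidden-field names that carry pricing in common hosted-checkout integrations
# (assumption; extend this for your own cart software).
PRICE_FIELDS = {"amount", "amount_1", "amount_2", "price", "total", "shipping", "tax"}
# Hosts treated as payment processors (assumption).
PROCESSOR_HOSTS = {"www.paypal.com", "www.sandbox.paypal.com"}


class _FormCollector(HTMLParser):
    """Collects each <form> with its action and its named <input> fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": {}}
        elif tag == "input" and self._current is not None and a.get("name"):
            self._current["fields"][a["name"]] = a.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def audit_checkout_html(html):
    """Return one finding per payment form: which price fields are exposed,
    whether the form is a PayPal encrypted/hosted button, and an at_risk flag."""
    collector = _FormCollector()
    collector.feed(html)
    findings = []
    for form in collector.forms:
        host = urlparse(form["action"]).hostname or ""
        if host not in PROCESSOR_HOSTS:
            continue                        # not a payment form
        fields = form["fields"]
        exposed = sorted(n for n in fields if n in PRICE_FIELDS)
        # PayPal's encrypted buttons post cmd=_s-xclick with an 'encrypted' blob;
        # hosted buttons post cmd=_s-xclick with a hosted_button_id. In both
        # cases the price lives at PayPal, not in the page.
        protected = fields.get("cmd") == "_s-xclick" and (
            "encrypted" in fields or "hosted_button_id" in fields)
        findings.append({
            "action": form["action"],
            "exposed": exposed,
            "protected": protected,
            "at_risk": bool(exposed) or not protected,
        })
    return findings


# Constructed sample pages (the blob is a placeholder, not a real PKCS7 message).
VULNERABLE_PAGE = """
<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="cmd" value="_xclick">
<input type="hidden" name="business" value="paid@yourdomain.com">
<input type="hidden" name="item_number" value="12345">
<input type="hidden" name="amount" value="9.99">
<input type="hidden" name="currency_code" value="USD">
<input type="image" src="https://www.paypal.com/en_US/i/btn/x-click-but23.gif" name="submit">
</form>
"""

ENCRYPTED_PAGE = """
<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="cmd" value="_s-xclick">
<input type="hidden" name="encrypted" value="-----BEGIN PKCS7-----MIIH...placeholder...-----END PKCS7-----">
<input type="image" src="https://www.paypal.com/en_US/i/btn/x-click-but23.gif" name="submit">
</form>
"""

if __name__ == "__main__":
    for page in (VULNERABLE_PAGE, ENCRYPTED_PAGE):
        for f in audit_checkout_html(page):
            print("AT RISK" if f["at_risk"] else "ok     ", f["exposed"], f["action"])
```

Run it against the saved HTML of your own checkout page; a form that reports `at_risk` is one whose price a customer can rewrite before it reaches the processor. Forms posting to hosts other than the processor are ignored, so a cart page that also contains a search box or login form does not produce noise.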

How do I prevent eShoplifting?

Start with your terms of use. If your website does not specifically prohibit this, you may have an issue taking any legal action: as long as the user does not lower the price to 0, a court might not interpret it as theft. Add a section to your terms of use prohibiting data modification.

Use encryption. PayPal and other vendors usually offer some way to protect the form data passed to the payment processor from being modified, typically by signing and encrypting it so that the processor rejects a tampered submission.

Remember that using JavaScript to click buttons for the user, or merely encoding or obfuscating the data, is not a solution: these methods are easily bypassed by a malicious user intent on getting your products at rock-bottom prices. The only data that counts is what the processor or your own backend can verify.

PayPal allows the form data to be sent in encrypted form; its button builder produces code like:

<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="cmd" value="_s-xclick">
<input type="image" src="https://www.paypal.com/en_US/i/btn/x-click-but23.gif" border="0" name="submit" alt="Make payments with PayPal - it's fast, free and secure!">
<img alt="" border="0" src="https://www.paypal.com/en_US/i/scr/pixel.gif" width="1" height="1">
<input type="hidden" name="encrypted" value="-----BEGIN PKCS7-----MIIHRwYJKoZIhvcNAQcEoIIHODCCBzQCAQExggEwMIIBLAIBADCBlDCBjjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQwEgYDVQQKEwtQYXlQYWwgSW5jLjETMBEGA1UECxQKbGl2ZV9jZXJ0czERMA8GA1UEAxQIbGl2ZV9hcGkxHDAaBgkqhkiG9w0BCQEWDXJlQHBheXBhbC5jb20CAQAwDQYJKoZIhvcNAQEBBQAEgYAlAEglEZ83ByKzWti7Ji6fzStyqOk4lMhwIAniDMH8wayk2CIpzGTgXWB11uhBciiAuREbJPapwrbjAbV8Q3x6UFq+8Diw2+mLuyH37i+BHTb6aq40f2RAS2aVxH+9oZBEkM7Bcw7rLFJXmpKJBNyogON29gk2/U73fVLcvZoLVjELMAkGBSsOAwIaBQAwgcQGCSqGSIb3DQEHATAUBggqhkiG9w0DBwQIcSvdoZTJGTuAgaA77JdP4RmxeBmdT/kj3KYJLqPK8FSMk1Q7JVL07mr4zbb30p6EFUFRDHWWML5B85EzUQEBgB2W4RRHOMhnFHxvxmZNgtYPU2V8CZMzpMAN9ljGCeUxPgBXRa/pF1/BS9I8yuG9wIxL1RDhR9pgyHTtJHiqkcLoFJPauxhZT7kPhq2jJKiEeDSkmSz7PL/Aorq6yqn+bvlAJi1dLlLqz6zGoIIDhzCCA4MwggLsoAMCAQICAQAwDQYJKoZIhvcNAQEFBQAwgY4xCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEUMBIGA1UEChMLUGF5UGFsIEluYy4xEzARBgNVBAsUCmxpdmVfY2VydHMxETAPBgNVBAMUCGxpdmVfYXBpMRwwGgYJKoZIhvcNAQkBFg1yZUBwYXlwYWwuY29tMB4XDTA0MDIxMzEwMTMxNVoXDTM1MDIxMzEwMTMxNVowgY4xCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEUMBIGA1UEChMLUGF5UGFsIEluYy4xEzARBgNVBAsUCmxpdmVfY2VydHMxETAPBgNVBAMUCGxpdmVfYXBpMRwwGgYJKoZIhvcNAQkBFg1yZUBwYXlwYWwuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDBR07d/ETMS1ycjtkpkvjXZe9k+6CieLuLsPumsJ7QC1odNz3sJiCbs2wC0nLE0uLGaEtXynIgRqIddYCHx88pb5HTXv4SZeuv0Rqq4+axW9PLAAATU8w04qqjaSXgbGLP3NmohqM6bV9kZZwZLR/klDaQGo1u9uDb9lr4Yn+rBQIDAQABo4HuMIHrMB0GA1UdDgQWBBSWn3y7xm8XvVk/UtcKG+wQ1mSUazCBuwYDVR0jBIGzMIGwgBSWn3y7xm8XvVk/UtcKG+wQ1mSUa6GBlKSBkTCBjjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQwEgYDVQQKEwtQYXlQYWwgSW5jLjETMBEGA1UECxQKbGl2ZV9jZXJ0czERMA8GA1UEAxQIbGl2ZV9hcGkxHDAaBgkqhkiG9w0BCQEWDXJlQHBheXBhbC5jb22CAQAwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQCBXzpWmoBa5e9fo6ujionW1hUhPkOBakTr3YCDjbYfvJEiv/2P+IobhOGJr85+XHhN0v4gUkEDI8r2/rNk1m0GA8HKddvTjyGw/XqXa+LSTlDYkqI8OwR8GEYj4efEtcRpRYBxV8KxAW93YDWzFGvruKnnLbDAF6VR5w/cCM
n5hzGCAZowggGWAgEBMIGUMIGOMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExFjAUBgNVBAcTDU1vdW50YWluIFZpZXcxFDASBgNVBAoTC1BheVBhbCBJbmMuMRMwEQYDVQQLFApsaXZlX2NlcnRzMREwDwYDVQQDFAhsaXZlX2FwaTEcMBoGCSqGSIb3DQEJARYNcmVAcGF5cGFsLmNvbQIBADAJBgUrDgMCGgUAoF0wGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMDYwNTEwMDMxMzM1WjAjBgkqhkiG9w0BCQQxFgQUOAQ2uF/uUqWhQiw/83ZSo1QjtykwDQYJKoZIhvcNAQEBBQAEgYBAgky/QK/8KklX5LLNYW6FOh59HIW+6P879ovhIWmeA78/a+/skrPPKg0lCbQwI+6kAqbv/MscxfIgbkcgXy4pXUxRCXGa7UWTu3YJwn1eK+njm8tdUji8pwcEDlHvmPvyEE+2O1abEF0yMnsNemIQnXpDLg28YjhHDmAk382lMg==-----END PKCS7-----
">
</form>

In the above example, all the form data, product info and pricing included, is carried inside the encrypted blob. Note that you must also configure your PayPal account to accept only encrypted payments (the profile setting that blocks non-encrypted website payments); otherwise a malicious user can simply build an unencrypted form of their own with tainted data.

See our PayPal Integration section for more information on making your own encrypted buttons.

Backend Validation of Sales

Along with encryption, it is recommended that you also validate each sale in the backend. This means verifying the pricing information the payment processor returns (for PayPal, the IPN message) against your own price catalog: the amount paid, the currency, the item, and the account that received the funds. If any difference is found, flag the transaction for manual review and block access to the service or hold shipment of the product. This also helps you track credit card stop payments, chargebacks, and other delayed payment failures.
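The backend check described above, as an added example that is not code from the original article or from PayPal. It validates the fields a processor posts back after a sale against a local price catalog and returns a decision plus the reasons a sale should be held. The catalog, the merchant address, the sample notifications and the function names are assumptions; the field names mirror PayPal's IPN variables (`item_number`, `quantity`, `mc_gross`, `mc_currency`, `receiver_email`, `payment_status`, `txn_id`). Confirming that the notification really came from the processor (for PayPal, the `_notify-validate` postback) is a network step that happens before this function is called and is not part of the block.

```python
"""Backend validation of a completed sale against the price catalog.

Added example, not code from the original article or from PayPal. It models
the checks a server runs on the fields the processor posts back (for PayPal,
the IPN message) before goods are released or access is granted. The
catalog, the merchant address, the sample notifications and the function
names are assumptions; the field names mirror PayPal's IPN variables.
"""
from decimal import Decimal, ROUND_HALF_UP

# Constructed catalog: item_number -> (unit price, currency). The real one
# would come from your product database, never from the request.
CATALOG = {
    "12345": (Decimal("9.99"), "USD"),
    "67890": (Decimal("24.50"), "USD"),
}
MERCHANT_EMAIL = "paid@yourdomain.com"   # assumption: the account that must be paid


def expected_total(item_number, quantity):
    """Catalog price times quantity, rounded to cents, plus the currency."""
    unit, currency = CATALOG[item_number]
    total = (unit * quantity).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)
    return total, currency


def validate_sale(ipn, seen_txn_ids):
    """Return (ok, reasons). ok is False when the sale must be held for
    manual review instead of being fulfilled.

    ipn: the processor's POSTed fields as a dict. This assumes the message has
    already been confirmed genuine (for PayPal, by posting it back with
    cmd=_notify-validate), which is a network step outside this block.
    seen_txn_ids: set of transaction ids already fulfilled (replay guard).
    """
    reasons = []
    item = ipn.get("item_number", "")
    if item not in CATALOG:
        return False, ["unknown item_number %r" % item]
    try:
        quantity = int(ipn.get("quantity", "1"))
        paid = Decimal(ipn.get("mc_gross", "0"))
    except (ValueError, ArithmeticError):
        return False, ["malformed quantity or mc_gross"]
    if quantity < 1:
        reasons.append("quantity %d is below 1" % quantity)
    total, currency = expected_total(item, max(quantity, 1))

    # The eShoplifting check proper: compare what was paid with the catalog.
    if paid != total:
        reasons.append("paid %s but catalog total is %s" % (paid, total))
    if ipn.get("mc_currency") != currency:
        reasons.append("currency %r, expected %s" % (ipn.get("mc_currency"), currency))
    # Money must have landed in our account, not one the attacker substituted
    # in the 'business' field of an edited form.
    if ipn.get("receiver_email", "").lower() != MERCHANT_EMAIL:
        reasons.append("receiver_email %r is not ours" % ipn.get("receiver_email"))
    if ipn.get("payment_status") != "Completed":
        reasons.append("payment_status %r is not Completed" % ipn.get("payment_status"))
    # Notifications can be delivered more than once; fulfil each txn_id only once.
    txn = ipn.get("txn_id", "")
    if not txn or txn in seen_txn_ids:
        reasons.append("missing or already fulfilled txn_id %r" % txn)
    elif not reasons:
        seen_txn_ids.add(txn)
    return not reasons, reasons


# Constructed notifications: an honest sale and one from an edited form.
GOOD_IPN = {"txn_id": "8AB12345CD678901E", "item_number": "12345", "quantity": "2",
            "mc_gross": "19.98", "mc_currency": "USD", "payment_status": "Completed",
            "receiver_email": "paid@yourdomain.com"}
TAMPERED_IPN = dict(GOOD_IPN, txn_id="9XY98765ZW432109F", quantity="1", mc_gross="1.00")

if __name__ == "__main__":
    seen = set()
    for label, ipn in (("honest", GOOD_IPN), ("tampered", TAMPERED_IPN)):
        ok, why = validate_sale(ipn, seen)
        print(label, "FULFIL" if ok else "HOLD FOR REVIEW", why)
```

Prices are handled as `Decimal`, not floats, so a comparison of 19.98 against 9.99 times 2 is exact. The `receiver_email` check matters as much as the amount check: an edited form can change the `business` address as well as the price, and a payment that went to someone else's account is not a sale.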

Free Security Evaluation of Your Ecommerce Application

Contact us today for a free no obligation review of your eCommerce application or PayPal integration. While Stellar will not conduct penetration testing or an active evaluation of any website or application, we can review the concept or source code to provide an evaluation of problem areas. Stellar's eCommerce subject matter experts can help plan and implement changes to prevent shopping cart / e-Commerce tainting on your website.

