
Preventing Bad Grease Monkeys from changing your prices in eCommerce sites

I spoke with Gina Trapani on Wednesday about my concerns on this issue. The problem is that many online shops use hidden form fields to pass information such as pricing, shipping, and quantity to their online checkout systems, and anything in a hidden field can be rewritten in the browser by a user script before the form is submitted. Now I love Google Checkout for its sheer simple integration methods, but there is also an option to auto approve the payment, and this concerns me: an altered price would be charged without anyone looking at it. So I am writing to you today to illustrate some of the methods I have come up with which will hopefully prevent this sort of attack. Here are three ways you can close this little flaw in many online stores.

1. Only store sensitive information such as payments, pricing, shipping charges, etc. in session variables or other server-side variables that JavaScript in the browser cannot control. What the heck is a session variable? Well, if you are not sure, you should consult your server-side scripting language's online documentation. Below I have listed links to some of the more popular ones out there.

2. Encrypt the source code of your pages and prevent bad monkeys from seeing the code in the first place. This is probably not a failsafe way to prevent this sort of attack, but it will deter most attackers. There is software available online to encrypt your pages, and I won't get into it here, but you can find HTML Guardian here. Encrypting your source code is about the only other way you could prevent this attack beyond using only session variables. Keep in mind that any pages that do not carry sensitive information in hidden form fields do not need encrypting and shouldn't be unless there is a reason: encrypting web pages means your crypto engine needs to work each time a page is served up by Apache, IIS and the like.

3. So do I have to totally quit using hidden fields in my forms to pass information? The answer is no, you don't, but before those values are set you should have the same information stored in a session variable too, and when the form is submitted use a server-side script to compare every submitted value against the session copy to see if it is correct and valid. I recommend setting up online web applications, ecommerce sites and other systems using a three-tiered system. I have made an attempt to illustrate this in the image below.

[Image: Secure Server Architecture]
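Method 3 as a worked example in Python, added here and not taken from the original post: a checkout handler that trusts the hidden fields (the vulnerable pattern) beside a hardened one that records the authoritative values in the session and rejects the submission if any hidden field disagrees. The catalog, the session dict and the form values are constructed stand-ins for the shop's real price source, session store and POSTed form.

```python
from decimal import Decimal, InvalidOperation

# Constructed stand-ins for the shop's server-side price list; a real shop
# reads these from its database when it renders the product page.
CATALOG = {"sku-100": Decimal("19.99"), "sku-200": Decimal("5.00")}
SHIPPING = Decimal("4.95")


def checkout_trusting_form(form):
    """Vulnerable: the total comes from hidden fields the browser sent,
    so a user script that edits those fields picks its own price."""
    return Decimal(form["price"]) * int(form["qty"]) + Decimal(form["shipping"])


def start_order(session, sku, qty):
    """When the order form is built, keep the authoritative values in the
    session as well as in the page's hidden fields."""
    session["order"] = {"sku": sku, "qty": qty,
                        "price": CATALOG[sku], "shipping": SHIPPING}


def checkout_validated(session, form):
    """Parse the posted hidden fields defensively and compare each one with the
    session copy before charging. Returns (True, total) or (False, reason)."""
    order = session.get("order")
    if order is None:
        return False, "no order in session"
    try:
        qty = int(form["qty"])
        price = Decimal(form["price"])
        shipping = Decimal(form["shipping"])
    except (KeyError, ValueError, InvalidOperation):
        return False, "malformed hidden field"
    if form.get("sku") != order["sku"] or qty != order["qty"]:
        return False, "item or quantity does not match the session"
    if price != order["price"] or shipping != order["shipping"]:
        return False, "price or shipping does not match the session"
    # Charge from the session values, never from the form, even after they agree.
    return True, order["price"] * order["qty"] + order["shipping"]


def run_demo():
    """Constructed order plus a copy of its hidden fields edited by a user script."""
    session = {}
    start_order(session, "sku-100", 2)
    honest = {"sku": "sku-100", "qty": "2", "price": "19.99", "shipping": "4.95"}
    tampered = dict(honest, price="0.01", shipping="0.00")
    return {"vulnerable_total": str(checkout_trusting_form(tampered)),
            "validated_tampered": checkout_validated(session, tampered),
            "validated_honest": checkout_validated(session, honest)}


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```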

This is more of an eye opener than a complete tutorial on how to secure your site from malicious users. I am sure there are a lot of other great ways to prevent this kind of attack and would love to hear your insights in the comments section.

  1. Technically you should probably sanitize the user’s data AND check the data such as price on the server side.
