Price Manipulation on E-Commerce Platform

A malicious user exploits our ASP.NET 3.0 store by tampering with hidden pricing data during COD checkouts. How can we secure transactions without using vulnerable fields?

I think you should re-calc prices on the server side. Relying on hidden fields is risky since they can easily be modified before checkout. So always reconfirm transaction totals on the backend.

A possible solution is to completely avoid transmitting sensitive data to the client side. In my experience working on similar systems, ensuring that all pricing details are retrieved from your secure back-end during the final transaction calculation eliminates the possibility of client-side manipulation. One can also introduce a system of session-based tokens that correspond with the verified server data. This approach prevents unauthorized changes, as any deviation in the expected data invalidates the transaction. Revalidating order specifics on the server enhances both security and system integrity.

Hey everyone, diving into this price manipulation issue got me thinking – it feels like securing the data at every transactional step is key, right? I’ve been wondering if maybe using something like a digital signature on the pricing data might be overkill or if it could help ensure that prices can’t be tampered with even if hidden fields get exposed. Besides re-calculating everything on the server, could anyone share experiences dealing with scenarios where data stamps or encryption came into play for verifying data integrity? Also, how does everyone balance performance when doing these server-side checks without slowing down the system too much? Would love to hear other ideas or even challenges you’ve bumped into with similar setups. What are your thoughts on this approach or any alternative methods you’ve found effective in your projects?

Hey, I think the best solution is to solely use server-side price calc. If you send anything to the client, it can be manipulated. Relying on encryption & tokens is cool, but remember to double-check on the server anyway…
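Added example, not code from any post above: the pattern the replies describe (recompute the total from a trusted server-side catalogue, and put an HMAC over the server-issued quote so a hidden field can be echoed back but not altered), written in Python rather than ASP.NET. The catalogue, SKUs, session id and secret are constructed for the demo.

```python
import hmac
import hashlib
import json
from decimal import Decimal

# Constructed catalogue standing in for the store's price database (demo data, not from the thread).
CATALOG = {"SKU-100": Decimal("19.99"), "SKU-200": Decimal("5.00")}
# Constructed secret; in production load a per-deployment secret from protected configuration.
SERVER_SECRET = b"constructed-demo-secret"


def server_total(items):
    """Recompute the order total purely from catalogue prices; any client-supplied price is ignored."""
    total = Decimal("0")
    for sku, qty in items:
        if sku not in CATALOG or qty <= 0:
            raise ValueError(f"invalid line item: {sku} x {qty}")
        total += CATALOG[sku] * qty
    return total


def sign_quote(session_id, items):
    """Issue a quote bound to the session plus an HMAC tag; the client may echo it but cannot alter it."""
    total = server_total(items)
    payload = json.dumps({"session": session_id, "items": sorted(items), "total": str(total)},
                         separators=(",", ":"))
    tag = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return payload, tag


def verify_checkout(session_id, payload, tag, posted_total):
    """Accept only if the tag verifies, the session matches, and the server-recomputed total matches."""
    expected = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False, "signature mismatch"
    data = json.loads(payload)
    if data["session"] != session_id:
        return False, "session mismatch"
    items = [tuple(x) for x in data["items"]]
    actual = server_total(items)  # re-price on the server even though the quote was signed
    if actual != Decimal(posted_total):
        return False, f"total tampered: posted {posted_total}, server {actual}"
    return True, str(actual)


if __name__ == "__main__":
    quote, tag = sign_quote("sess-1", [("SKU-100", 2), ("SKU-200", 1)])
    print(verify_checkout("sess-1", quote, tag, "44.98"))  # honest checkout
    print(verify_checkout("sess-1", quote, tag, "0.01"))   # edited hidden total is rejected
```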