Security breach on sports equipment online store

Help! My sports gear website is under attack!

I run an online shop selling sports stuff. For the past month, something fishy’s been going on. Someone’s signing up with fake info, placing cash-on-delivery orders for expensive items at crazy low prices, then vanishing.

Here’s what happens:

  1. This person (let’s call them X) makes an account
  2. X finds a pricey item (like an 11,000 Rs cricket bat)
  3. X adds it to cart and checks out with COD
  4. The order goes through, but the price in our system is only 99-200 Rs!

I’m pretty sure they’re messing with our data somehow. We use sessions for order info. The site’s built with ASP.NET 3.0.

Update: Thanks for the earlier advice! We found the problem - hidden fields in the cart were letting them change prices. Now I need a safer way to handle this. Any ideas for secure alternatives to hidden fields in ASP.NET 3.0?

Help me stop this before it ruins my business!

yo man, that's a serious problem! sounds like u need to validate prices server-side before finalizing orders. maybe try using encrypted session variables instead of hidden fields? also, implement a price check before processing COD orders. could help catch those sneaky fraudsters. good luck fixing it!

This is indeed a critical security issue. Server-side validation is crucial here. I’d recommend implementing a robust check that compares the submitted price against your database before processing any order. Additionally, consider using encrypted session variables or a secure token system instead of hidden fields. It’s also worth looking into implementing rate limiting and IP tracking to prevent bulk fraudulent orders. Have you considered switching to a more secure e-commerce platform? ASP.NET Core offers improved security features that might be worth exploring. Lastly, I’d strongly advise engaging a security professional to conduct a thorough audit of your system to identify and patch any other potential vulnerabilities.
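To make the server-side validation advice above concrete, here is an added C# example (my own, not code from the poster's shop or from this thread). It shows the hidden-field pattern the poster found beside a checkout handler that accepts only a product id and quantity from the browser and takes the price from a server-side catalog lookup. The `IProductCatalog` interface, the `InMemoryCatalog` class, the `OrderLine` type and the form field names `ProductId`, `Qty` and `Price` are all assumptions; a `NameValueCollection` stands in for `Request.Form`, and the catalog is constructed in memory so the example runs without a database.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Globalization;

namespace SportsShop.Checkout
{
    public sealed class OrderLine
    {
        public int ProductId;
        public int Quantity;
        public decimal UnitPrice; // filled from the catalog, never from the client
    }

    // Hypothetical catalog abstraction; the real shop would query its product table.
    public interface IProductCatalog
    {
        bool TryGetPrice(int productId, out decimal price);
    }

    // Constructed in-memory catalog so the example runs stand-alone.
    public sealed class InMemoryCatalog : IProductCatalog
    {
        private readonly Dictionary<int, decimal> prices = new Dictionary<int, decimal>();
        public void Add(int productId, decimal price) { prices[productId] = price; }
        public bool TryGetPrice(int productId, out decimal price) { return prices.TryGetValue(productId, out price); }
    }

    public static class CheckoutHandler
    {
        // BEFORE: the cart page echoes the price back in a hidden field and the
        // server trusts whatever value comes back in the POST.
        public static OrderLine BuildLineFromHiddenFields(NameValueCollection form)
        {
            OrderLine line = new OrderLine();
            line.ProductId = int.Parse(form["ProductId"], CultureInfo.InvariantCulture);
            line.Quantity = int.Parse(form["Qty"], CultureInfo.InvariantCulture);
            // Anyone who edits this field before submitting sets their own price.
            line.UnitPrice = decimal.Parse(form["Price"], CultureInfo.InvariantCulture);
            return line;
        }

        // AFTER: take only product id and quantity from the client, look the price
        // up server-side, and treat a submitted price that disagrees with the
        // catalog as tampering: reject the order and surface it for fraud review.
        public static OrderLine BuildLineServerSide(NameValueCollection form, IProductCatalog catalog)
        {
            int productId;
            int quantity;
            if (!int.TryParse(form["ProductId"], NumberStyles.Integer, CultureInfo.InvariantCulture, out productId)
                || !int.TryParse(form["Qty"], NumberStyles.Integer, CultureInfo.InvariantCulture, out quantity)
                || quantity < 1 || quantity > 100)
            {
                throw new InvalidOperationException("Invalid product id or quantity.");
            }

            decimal catalogPrice;
            if (!catalog.TryGetPrice(productId, out catalogPrice))
            {
                throw new InvalidOperationException("Unknown product " + productId + ".");
            }

            string submitted = form["Price"]; // null when the field is absent
            decimal submittedPrice;
            if (submitted != null
                && (!decimal.TryParse(submitted, NumberStyles.Number, CultureInfo.InvariantCulture, out submittedPrice)
                    || submittedPrice != catalogPrice))
            {
                throw new InvalidOperationException("Price mismatch for product " + productId
                    + ": submitted '" + submitted + "', catalog " + catalogPrice.ToString(CultureInfo.InvariantCulture));
            }

            OrderLine line = new OrderLine();
            line.ProductId = productId;
            line.Quantity = quantity;
            line.UnitPrice = catalogPrice;
            return line;
        }
    }

    public static class Demo
    {
        public static void Main()
        {
            InMemoryCatalog catalog = new InMemoryCatalog();
            catalog.Add(42, 11000m); // constructed: the 11,000 Rs cricket bat

            // Constructed POST body as it arrives after the hidden field was edited.
            NameValueCollection tampered = new NameValueCollection();
            tampered["ProductId"] = "42";
            tampered["Qty"] = "1";
            tampered["Price"] = "99";

            OrderLine trusting = CheckoutHandler.BuildLineFromHiddenFields(tampered);
            Console.WriteLine("Hidden-field path charges: " + trusting.UnitPrice);

            try { CheckoutHandler.BuildLineServerSide(tampered, catalog); }
            catch (InvalidOperationException ex) { Console.WriteLine("Server-side path rejected: " + ex.Message); }
        }
    }
}
```

The point of the mismatch check is that the shop never needs the browser to tell it the price at all; if a `Price` field is still posted for display or legacy reasons, a disagreement with the catalog is a signal worth logging rather than silently overriding. The quantity bound is an arbitrary sanity limit, not a value from the thread.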

Hey there, ExploringAtom! Man, that’s a tricky situation you’ve got there. :grimacing: Glad you found the hidden field issue, but yeah, we gotta find a better way to keep those prices locked down.

Have you thought about using ViewState in ASP.NET 3.0? It’s like a built-in way to store data between postbacks without relying on those pesky hidden fields. Could be worth a shot!

Also, curious - have you looked into any fraud detection tools? There are some pretty cool ones out there that can flag suspicious behavior. Might help catch these tricksters before they even place an order.

Oh, and random thought - have you considered adding a captcha to your checkout process? Could slow down any automated attacks if that’s what you’re dealing with.

Anyway, hope you get this sorted soon! Keep us posted on how it goes, yeah?