Suspicious pricing activity on sports equipment website

Hey everyone, I’m dealing with a weird issue on my sports gear online store. For the past month, someone’s been messing with our prices. They sign up with fake info, log in, and somehow manage to buy expensive stuff for super cheap using cash on delivery.

Here’s what happens:

  1. This person (let’s call them Alex) signs up and logs in
  2. They find a high-end item, like a premium tennis racket worth $500
  3. Alex adds it to their cart and goes through checkout
  4. They choose cash on delivery
  5. The order goes through, but in our system, it shows up as only $20!

I’m pretty sure Alex is tampering with our data somehow, but I can’t figure out where. We use session storage for order info. The site runs on ASP.NET 3.0.

I did some digging and found out we were using hidden fields in the cart, which might be the weak spot. Now I’m looking for a more secure way to handle this. Any ideas on how to protect our pricing data better in ASP.NET 3.0?

Thanks for any help you can give!

Wow, that’s a tricky situation you’ve got there! It sounds like Alex is quite the sneaky one, huh? :sweat_smile:

I’m no expert, but have you considered using some kind of server-side price verification? Like, maybe double-check the prices right before finalizing the order? That way, even if Alex manages to fiddle with the hidden fields, you’d catch it before it’s too late.

Oh, and speaking of hidden fields - those can be pretty risky. Maybe there’s a way to store that info more securely on the server? Just brainstorming here!

I’m curious, have you noticed any patterns in when these weird orders happen? Like, certain times of day or specific products? Might help narrow down what’s going on.

Good luck figuring this out! Let us know if you crack the case - I’m invested in this mystery now! :smile:

This is definitely a concerning issue. Based on your description, it seems the vulnerability lies in how order data is handled client-side. Session storage and hidden fields can be manipulated by savvy users.

A more secure approach would be to store all pricing information server-side and validate it there before processing orders. You could generate a unique order ID for each transaction and associate the correct prices with it in your database. Then verify those prices during checkout.

Additionally, implementing strong server-side validation checks and possibly adding encryption for sensitive data transmission could help. You might also want to log suspicious activity patterns to identify and block potential abusers.

Upgrading to a newer ASP.NET version with more robust security features could be worthwhile too. Regular security audits are crucial to stay ahead of exploits like this.

Hope this helps point you in the right direction. Good luck securing your site!
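The server-side lookup the reply above recommends, as an added example that is not code from the poster's site: the vulnerable handler bills whatever total the browser posted, while the hardened one accepts only a SKU and quantity, recomputes the total from the server-side catalog, and logs any mismatch with the client's claimed total for review. The class and method names, the catalog entries and the posted form are all constructed for the example.

```csharp
using System;
using System.Collections.Generic;
// Added example, not the poster's code. Names (CatalogPrices, CheckoutVulnerable,
// CheckoutHardened) are hypothetical; the catalog and the POSTed form are constructed.
public static class PricingDemo
{
    // Server-side source of truth: SKU -> unit price. The client never sends a price.
    private static readonly Dictionary<string, decimal> CatalogPrices =
        new Dictionary<string, decimal> { { "RACKET-PRO", 500.00m }, { "BALLS-3PK", 12.50m } };

    // Vulnerable pattern: the order total comes from a value the browser submitted
    // (a hidden field, or session data copied from the form), so a form edited to
    // say "20.00" is billed as $20.
    public static decimal CheckoutVulnerable(IDictionary<string, string> form)
    {
        return decimal.Parse(form["total"]);
    }
    // Hardened pattern: only SKU and quantity are accepted from the client; the price
    // is looked up server-side and the total recomputed. If the form still carries a
    // total and it disagrees, that mismatch is written to an audit log so the account
    // can be reviewed, but the recomputed total is what gets stored with the order.
    public static decimal CheckoutHardened(IDictionary<string, string> form, IList<string> auditLog)
    {
        string sku;
        decimal unitPrice;
        if (!form.TryGetValue("sku", out sku) || !CatalogPrices.TryGetValue(sku, out unitPrice))
            throw new InvalidOperationException("Unknown SKU");
        int qty;
        if (!int.TryParse(form["qty"], out qty) || qty < 1 || qty > 100)
            throw new InvalidOperationException("Invalid quantity");
        decimal total = unitPrice * qty;
        string claimed;
        decimal claimedTotal;
        if (form.TryGetValue("total", out claimed)
            && decimal.TryParse(claimed, out claimedTotal) && claimedTotal != total)
            auditLog.Add("price mismatch: sku=" + sku + " claimed=" + claimed + " actual=" + total);
        return total;
    }

    public static void Main()
    {
        // Constructed tampered POST: the client claims the $500 racket costs $20.
        var tampered = new Dictionary<string, string> { { "sku", "RACKET-PRO" }, { "qty", "1" }, { "total", "20.00" } };
        var log = new List<string>();
        Console.WriteLine("Vulnerable total: " + CheckoutVulnerable(tampered));
        Console.WriteLine("Hardened total:   " + CheckoutHardened(tampered, log));
        foreach (string line in log) Console.WriteLine(line);
    }
}
```

The audit-log line is the detection hook: a user whose posted totals repeatedly disagree with the recomputed ones is exactly the pattern the thread is asking how to spot.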

oof, that’s a tricky one! have you tried using server-side price checks? it might catch alex red-handed before the order goes through. also, maybe ditch those hidden fields and keep the important stuff on the server where it’s safer. good luck catching that sneaky alex! :wink: