Parameters can be tampered with before being encrypted and sent

Question

I want to pass a value say an amount to a payment Gateway. the gate way has given me functions to make the data secure and tamper proof. the problem is im taking this amount from a text box. By using fiddler and putting a breakpoint before the request the data can be changed even before it reaches the server and is encrypted by the functions.so now the tampered values is being sent to the payment gateway. Im using ASP.net The text box is used to take value that the customer wants to donate.

Answer 1

Anything that's on the client can be modified by the client. The fact that the value comes from text box does not matter.

HTTPS does not change the fact that the client can make any change to the data that it wants.

You either need to encrypt and authenticate the value on the server so that the client can't change it, or use server to server communication.

Answer 2

It depends what type of app your building.

If its something like a shopping cart (where you don't want the user to modify the value), store the total on the server and only display the value to the client. Don't use the client value to make the payment. HTTPS will not protect you here as the client can still modify the value before it's sent.

If its something that takes a user supplied value and charges it (say an invoicing system), then I assume you trust the user. In this scenario, it doesn't matter that the client can modify the data (that's what you want them to do). HTTPS will protect your data in transit between the client and your server in this case. Anyone listening in 'on the wire' will only see encrypted traffic.

You should be using HTTPS connections to your server (and from your server to the gateway), just be aware of the limitations.