I want to pass a value, say an amount, to a payment gateway. The gateway has given me functions to make the data secure and tamper-proof. The problem is I'm taking this amount from a text box. By using Fiddler and putting a breakpoint before the request, the data can be changed even before it reaches the server and is encrypted by the functions. So now the tampered value is being sent to the payment gateway. I'm using ASP.NET. The text box is used to take the value that the customer wants to donate.
- The main problem is that you appear to be storing an amount in a field that can be edited. Your best option is to not use a textbox for this! Perhaps you can clarify what details are being sent to the Gateway and why you need to put it in a textbox? – Russ Clarke Oct 06 '15 at 11:55
- Considered using HTTPS? ^^ – K.J. Oct 06 '15 at 11:55
- That's like saying editing the text box is tampering. Your connection to the Gateway will be HTTPS which provides the security during transport. – Crowcoder Oct 06 '15 at 11:57
2 Answers
Anything that's on the client can be modified by the client. The fact that the value comes from a text box does not matter.
HTTPS does not change the fact that the client can make any change to the data that it wants.
You either need to encrypt and authenticate the value on the server so that the client can't change it, or use server to server communication.

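The "authenticate the value on the server" option from the answer above, sketched as an added example that is not part of the original answers: once the server has accepted an amount, it issues an HMAC token over the order id and amount, and checks that token again before building the gateway request. `AmountToken`, `Demo`, the order id and the key handling are hypothetical names and assumptions; the sketch authenticates the value but does not encrypt it.

```csharp
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper, not part of any gateway SDK.
public static class AmountToken
{
    // Assumption: in production the key is loaded from server-side secret storage
    // and never sent to the browser. Generated here only so the sample runs.
    private static readonly byte[] Key = NewKey();

    private static byte[] NewKey()
    {
        var key = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);
        return key;
    }

    // orderId is assumed to be server-generated and free of '|'.
    // The amount is in minor units (cents) to avoid rounding ambiguity.
    private static byte[] Mac(string orderId, long amountMinorUnits)
    {
        string payload = orderId + "|" + amountMinorUnits.ToString(CultureInfo.InvariantCulture);
        using (var hmac = new HMACSHA256(Key))
            return hmac.ComputeHash(Encoding.UTF8.GetBytes(payload));
    }

    public static string Sign(string orderId, long amountMinorUnits) =>
        Convert.ToBase64String(Mac(orderId, amountMinorUnits));

    public static bool Verify(string orderId, long amountMinorUnits, string token)
    {
        byte[] expected = Mac(orderId, amountMinorUnits), actual;
        try { actual = Convert.FromBase64String(token ?? ""); }
        catch (FormatException) { return false; }
        if (actual.Length != expected.Length) return false;
        int diff = 0; // compare every byte so timing does not reveal the mismatch position
        for (int i = 0; i < expected.Length; i++) diff |= expected[i] ^ actual[i];
        return diff == 0;
    }
}

public static class Demo
{
    public static void Main()
    {
        string orderId = "order-0001"; // constructed sample value
        string token = AmountToken.Sign(orderId, 2500);
        Console.WriteLine(AmountToken.Verify(orderId, 2500, token)); // amount as issued
        Console.WriteLine(AmountToken.Verify(orderId, 1, token));    // amount edited on the client
    }
}
```

Binding the token to the order id keeps a token issued for one order from being accepted for another. The token only proves the amount is the one the server issued; which amount the server should issue in the first place is still a server-side decision.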
It depends what type of app you're building.
If it's something like a shopping cart (where you don't want the user to modify the value), store the total on the server and only display the value to the client. Don't use the client value to make the payment. HTTPS will not protect you here as the client can still modify the value before it's sent.
If it's something that takes a user-supplied value and charges it (say an invoicing system), then I assume you trust the user. In this scenario, it doesn't matter that the client can modify the data (that's what you want them to do). HTTPS will protect your data in transit between the client and your server in this case. Anyone listening in 'on the wire' will only see encrypted traffic.
You should be using HTTPS connections to your server (and from your server to the gateway); just be aware of the limitations.
