So I have an MVC5 web application and I'm trying to integrate with a payment gateway, and I must do the following HTTP POST to the payment gateway URL.

@Html.BeginForm(null, null, FormMethod.Post, new { @action = "https://l33tpaymentgateway.com" })
{
    <input id="MerchantCode" name="MerchantCode" type="hidden" value="12345" />
    <input id="RefNo" name="RefNo" type="hidden" value="ABCDE" />
    <input id="Amount" name="Amount" type="hidden" value="300" />
    <input id="Currency" name="Currency" type="hidden" value="USD" />
    <input id="UserEmail" name="UserEmail" type="hidden" value="warheat1990@warheat1990.com" />
    <input id="Signature" name="Signature" type="hidden" value="1234567890" />
    <input id="ResponseURL" name="ResponseURL" type="hidden" value="http://warheat1990.com" />

    <input type="submit" value="submit"/>
}

As you can see, the data can easily be edited by the user (for example, with Inspect Element in Chrome they can just change the value of a hidden input), which means I need to do a bunch of validation. Is it possible to do the HTTP POST on my server side instead and redirect the user afterwards? Or is there any other way to prevent the user from tampering with the HTML values?

tickwave

2 Answers

You can do everything on the server:

using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Threading.Tasks;
using System.Web.Mvc;

[HttpPost]
public async Task<ActionResult> SubmitPayment()
{
    using (var client = new HttpClient())
    {
        client.BaseAddress = new Uri("https://l33tpaymentgateway.com");
        // The field values are assembled here on the server, so the browser
        // never sees or edits them.
        var content = new FormUrlEncodedContent(new[]
        {
            new KeyValuePair<string, string>("MerchantCode", "12345"),
            new KeyValuePair<string, string>("RefNo", "ABCDE"),
            //add other properties here
        });
        var result = await client.PostAsync("", content);
        if (result.IsSuccessStatusCode)
        {
            // Payment request accepted; read the response body if you need it
            var responseContent = await result.Content.ReadAsStringAsync();
            return Content(responseContent, "text/html");
        }
        else
        {
            // The gateway returned an error status; pass it back to the caller
            return new HttpStatusCodeResult((int)result.StatusCode);
        }
    }
}

This action can be triggered from the client either by AJAX or by a form:

@Html.BeginForm("SubmitPayment", "ControllerName", FormMethod.Post)
{
   <input type="submit" value="submit"/>
} 
Alex Art.
  • One question: how do I redirect the user to the payment gateway page if `IsSuccessStatusCode == true`? Because `responseContent` is just an HTML string. – tickwave Oct 21 '15 at 10:18
  • You need to redirect the user if the payment was successful? If so, just return `Redirect("redirect url");` – Alex Art. Oct 21 '15 at 11:03
  • No, I need to redirect to whatever link `l33tpaymentgateway` provided after a successful POST. I opened another thread for this but no luck so far. http://stackoverflow.com/questions/33257254/how-to-perform-http-post-and-redirect-to-external-site-from-the-post-result – tickwave Oct 21 '15 at 11:25

You should not submit the request to the payment gateway directly from the user's browser. The request to the payment gateway reveals too much information to the user. Just by looking at the request data, the user can manipulate anything.

Instead, you should store all payment-gateway-related information securely on your server; the user should submit the request to your server and let your server post the request to the payment gateway. Besides boosting security, this approach will encourage you to send the minimum information to your server, because you might already have the user's details (e.g. email address) in your system, and it will provide an abstraction around the payment gateway.

Gurmit Teotia
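Both answers boil down to the same rule: the browser sends nothing the gateway will charge on, and the server rebuilds every field from data it already holds. The example below is added here to show that end to end; it is not code from either answer, from the question, or from any real gateway. Everything gateway-specific is an assumption: `Order` and `IOrderRepository` are hypothetical stand-ins for your own model and storage, the merchant secret is assumed to come from a `GATEWAY_MERCHANT_KEY` environment variable, the `Signature` is assumed to be an HMAC-SHA256 over `MerchantCode|RefNo|Amount|Currency` (substitute your gateway's documented scheme), `status == "1"` is assumed to mean success in the callback, and `PaymentResult` is a view you would add. The `[ValidateAntiForgeryToken]` attribute expects the submitting form to include `@Html.AntiForgeryToken()`.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Net.Http;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using System.Web.Mvc;

// Hypothetical server-side order record: amount and currency live here,
// so the browser never supplies them.
public class Order
{
    public string RefNo { get; set; }
    public decimal Amount { get; set; }
    public string Currency { get; set; }
    public string UserEmail { get; set; }
    public bool Paid { get; set; }
}

// Hypothetical persistence abstraction; back it with your database.
public interface IOrderRepository
{
    Order Find(string refNo);
    void Save(Order order);
}

public static class GatewaySigner
{
    // Assumed scheme: HMAC-SHA256 over the charged-on fields, keyed with the
    // merchant secret. Real gateways define their own field list, separator
    // and hash; put that here instead.
    public static string Sign(string merchantKey, params string[] fields)
    {
        var payload = Encoding.UTF8.GetBytes(string.Join("|", fields));
        using (var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(merchantKey)))
        {
            return BitConverter.ToString(hmac.ComputeHash(payload)).Replace("-", "").ToLowerInvariant();
        }
    }

    // Constant-time comparison, so a callback signature cannot be guessed
    // one byte at a time from timing differences.
    public static bool Verify(string expected, string actual)
    {
        if (expected == null || actual == null || expected.Length != actual.Length) return false;
        int diff = 0;
        for (int i = 0; i < expected.Length; i++) diff |= expected[i] ^ actual[i];
        return diff == 0;
    }
}

public class PaymentController : Controller
{
    // One shared client for the application; a new HttpClient per request leaks sockets.
    private static readonly HttpClient Client =
        new HttpClient { BaseAddress = new Uri("https://l33tpaymentgateway.com") };

    private const string MerchantCode = "12345";
    // Assumption: the merchant secret is read from configuration and never rendered into a view.
    private static string MerchantKey => Environment.GetEnvironmentVariable("GATEWAY_MERCHANT_KEY");

    private readonly IOrderRepository _orders;
    public PaymentController(IOrderRepository orders) { _orders = orders; }

    private static string Money(decimal amount) => amount.ToString("0.00", CultureInfo.InvariantCulture);

    // The browser posts only the order reference (plus the anti-forgery token);
    // every value the gateway charges on comes from the stored order.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> SubmitPayment(string refNo)
    {
        var order = _orders.Find(refNo);
        if (order == null || order.Paid) return new HttpStatusCodeResult(400, "Unknown or already paid order");

        string amount = Money(order.Amount);
        var fields = new Dictionary<string, string>
        {
            ["MerchantCode"] = MerchantCode,
            ["RefNo"] = order.RefNo,
            ["Amount"] = amount,
            ["Currency"] = order.Currency,
            ["UserEmail"] = order.UserEmail,
            ["ResponseURL"] = Url.Action("Callback", "Payment", null, Request.Url.Scheme),
            ["Signature"] = GatewaySigner.Sign(MerchantKey, MerchantCode, order.RefNo, amount, order.Currency),
        };

        var result = await Client.PostAsync("", new FormUrlEncodedContent(fields));
        if (!result.IsSuccessStatusCode) return new HttpStatusCodeResult(502, "Gateway error");
        return Content(await result.Content.ReadAsStringAsync(), "text/html");
    }

    // The gateway calls back here. Its parameters are untrusted until the
    // signature verifies and the amount matches what we stored for the order.
    [HttpPost]
    public ActionResult Callback(string refNo, string amount, string currency, string status, string signature)
    {
        var order = _orders.Find(refNo);
        if (order == null) return new HttpStatusCodeResult(404);

        string expected = GatewaySigner.Sign(MerchantKey, MerchantCode, refNo, amount, currency);
        if (!GatewaySigner.Verify(expected, signature) || amount != Money(order.Amount) || currency != order.Currency)
            return new HttpStatusCodeResult(400, "Signature or amount mismatch");

        if (status == "1" && !order.Paid) // assumption: "1" is the gateway's success code
        {
            order.Paid = true;
            _orders.Save(order);
        }
        return View("PaymentResult", order);
    }
}
```

Two points worth noting about the design. First, the callback check is what actually protects you: whatever the browser did, a payment is only marked paid when the gateway-signed amount and currency equal the stored order. Second, many hosted payment pages need the customer's own browser to perform the POST (the gateway sets its session there), in which case the server-to-server `PostAsync` above is replaced by rendering the same server-computed fields, signature included, into the hidden form from the question; a user who edits `Amount` in the inspector then produces a form whose signature no longer matches, and the gateway rejects it.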