0

I am trying to integrate the HDFC payment gateway in my website. The gateway providers told me that it contains a high-risk vulnerability (i.e. Amount Tampering). Can anyone tell me how to solve this?

This is my post page

    <html>
    <head>
    <title>Some title</title>
    </head>
    <body onLoad="document.payment.submit();">
    <h3>Please wait, redirecting to process payment..</h3>

        <form action="payment_page" name="payment" method="POST">

            <input type="hidden" value="500" name="amount"/>
            <input type="hidden" value="500" name="reference_no"/>

        </form>
    </body>
    </html>

These hidden values can be edited and redirected to the bank's payment page.

Lynda
  • Without any code or sample inputs it's hard to guess. But if you are passing the amount in the URL as a query string, it's possible to change the amount – Supriya Jan 12 '18 at 11:00
  • You can always save the amount to your database and then compare with what `$_GET` gives you. – Rotimi Jan 12 '18 at 11:11
  • Who receives the form data? You? or HDFC? If it's you, the solution is easy. If it's HDFC, they need to provide you with a mechanism to verify that data. – John Conde Jan 12 '18 at 12:51
  • Check this similar question. https://stackoverflow.com/questions/48147485/how-to-avoid-amount-tampering-while-integrating-payment-gateways/48160000#48160000 – Olufemi Israel Olanipekun Jan 12 '18 at 23:31

1 Answer

0

HDFC have changed their hash algorithm, so you need to re-match this once you receive it on the response page.

Harish Kumar
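The two checks suggested in the comments and the answer (compare against the amount stored on the server, and re-match a hash on the response page) can be sketched as follows. This is an added example, not code from the original posts or from HDFC's integration kit: the signing key, the `hash` field, the message layout and the in-memory `$orders` array are assumptions, and the real hash format must be taken from the gateway's documentation.

```php
<?php
// Added example (not HDFC's API). Key, field names and order store are hypothetical.
const SIGNING_KEY = 'constructed-demo-key'; // assumption: loaded from server-side config

// Stand-in for the merchant's orders table (constructed sample data).
$orders = ['ORD-1001' => ['amount' => 500, 'status' => 'pending']];

function sign_order(string $referenceNo, int $amount): string
{
    // Length-prefix the reference so adjacent fields cannot be shifted into each other.
    $msg = strlen($referenceNo) . ':' . $referenceNo . '|' . $amount;
    return hash_hmac('sha256', $msg, SIGNING_KEY);
}

// Checkout: the amount is read from the stored order, never from the request.
function build_payment_fields(array $orders, string $referenceNo): array
{
    $amount = $orders[$referenceNo]['amount'];
    return [
        'reference_no' => $referenceNo,
        'amount'       => $amount,
        'hash'         => sign_order($referenceNo, $amount),
    ];
}

// Response page: re-match the hash, then compare with the stored amount.
function verify_response(array $orders, array $post): bool
{
    $ref    = (string)($post['reference_no'] ?? '');
    $amount = filter_var($post['amount'] ?? null, FILTER_VALIDATE_INT);
    $hash   = (string)($post['hash'] ?? '');
    if ($amount === false || !isset($orders[$ref])) {
        return false; // malformed amount or unknown order
    }
    if (!hash_equals(sign_order($ref, $amount), $hash)) {
        return false; // a signed field was edited after it left the server
    }
    return $orders[$ref]['amount'] === $amount; // must equal what was ordered
}

$fields = build_payment_fields($orders, 'ORD-1001');
var_dump(verify_response($orders, $fields));                   // fields as issued
var_dump(verify_response($orders, ['amount' => 1] + $fields)); // amount edited to 1
```

Mark the order as paid only when `verify_response` returns true; hidden form fields on their own are always editable by the client.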