PayPal Hacks
Prevent code-tampering and price-spoofing with a hidden form post.

When deploying PayPal buttons on your web site, you should consider the risk of spoofed payments. PayPal buttons are normally created in plain HTML, with the variables and their values available for anyone to see (select View
This hack uses techniques covered in some of the other hacks in this book to create a hidden form post that sends the button information to PayPal without allowing the customer to see it. To use this technique to its fullest, you should already have deployed [Hack #54].

4.10.1 The Code
The hack consists of two pages: link.asp and jump.asp. First, link.asp contains the product and selling information, as well as a link to the second page:

    <html>
    <body>
    Widget<br>
    <a href="jump.asp?id=123">Click here to buy</a>
    </body>
    </html>
This first page mimics the Buy Now button, but instead of sending the customer to PayPal, it links to the jump page. Next, jump.asp queries your database for the product info and sends the purchase information to PayPal. This code is written in ASP:

    <%
    'Connect to the database and create a recordset
    1.  connStore = "DRIVER={Microsoft Access Driver (*.mdb)};DBQ=C:/InetPub/wwwroot/database/dbPayPal.mdb"
        set rsJump = Server.CreateObject("ADODB.Recordset")
        rsJump.ActiveConnection = connStore
    'The product ID is the only value taken from the customer's request. Stop unless
    'it is a whole number, so it cannot alter the query; name, number and price
    'are read from the database, never from the request.
        If Not IsNumeric(Request("id")) Then Response.End
    2.  rsJump.Source = "SELECT ItemName, ItemID, ItemPrice FROM tblProducts WHERE Id = " & CLng(Request("id"))
    3.  rsJump.Open()
    %>
    <html>
    4.  <body onLoad="document.fmPost.submit()">
    <form action="https://www.paypal.com/cgi-bin/webscr" method="post" name="fmPost">
    <input type="hidden" name="cmd" value="_xclick">
    <input type="hidden" name="business" value="youremail@yourisp.com">
    <input type="hidden" name="item_name" value="<%=Server.HTMLEncode(CStr(rsJump("ItemName").Value))%>">
    <input type="hidden" name="item_number" value="<%=Server.HTMLEncode(CStr(rsJump("ItemID").Value))%>">
    <input type="hidden" name="amount" value="<%=Server.HTMLEncode(CStr(rsJump("ItemPrice").Value))%>">
    </form>
    </body>
    </html>
    <% rsJump.Close() %>
The jump page queries the database (line 2) for the requested product information (based on the id in the URL embedded in the link page) and then dynamically builds a PayPal form from this information. Finally, the page's onLoad handler (line 4) submits the form automatically as soon as the page loads, so the customer never sees the page or the values it carries.
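As an added illustration (not the book's code), here is the jump page's server-side logic written in Python rather than ASP, with an in-memory SQLite table standing in for dbPayPal.mdb: the customer supplies only the id, the id is bound as a query parameter, the price comes from the catalogue row, and every value written into the form is HTML-escaped. The business address and the sample products are constructed placeholders.

```python
import html
import sqlite3

# Constructed sample catalogue standing in for tblProducts in dbPayPal.mdb.
# The second name is deliberately awkward to show the escaping at work.
SAMPLE_PRODUCTS = [
    (123, "Widget", 9.99),
    (124, 'Jackie Chan "bobble head" <deluxe>', 19.50),
]
BUSINESS = "youremail@yourisp.com"  # placeholder address, as on the page
PAYPAL_URL = "https://www.paypal.com/cgi-bin/webscr"


def open_catalogue():
    """In-memory SQLite table with the columns the ASP page reads."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblProducts (ItemID INTEGER PRIMARY KEY, "
                 "ItemName TEXT, ItemPrice REAL)")
    conn.executemany("INSERT INTO tblProducts VALUES (?, ?, ?)", SAMPLE_PRODUCTS)
    return conn


def lookup_product(conn, raw_id):
    """Return (ItemID, ItemName, ItemPrice) for a request id, or None."""
    # The id is the only request-controlled value: it must be an integer
    # and is bound as a parameter, never concatenated into the SQL text.
    try:
        item_id = int(str(raw_id).strip())
    except ValueError:
        return None
    return conn.execute(
        "SELECT ItemID, ItemName, ItemPrice FROM tblProducts WHERE ItemID = ?",
        (item_id,),
    ).fetchone()


def build_jump_form(conn, raw_id):
    """Render the self-submitting PayPal form, or None for an unknown id."""
    row = lookup_product(conn, raw_id)
    if row is None:
        return None
    item_id, name, price = row
    # Name, number and amount come from the server record; each value is
    # HTML-escaped so a product name cannot break out of its attribute.
    fields = {"cmd": "_xclick", "business": BUSINESS, "item_name": name,
              "item_number": str(item_id), "amount": f"{price:.2f}"}
    inputs = "\n".join(
        f'<input type="hidden" name="{k}" value="{html.escape(v)}">'
        for k, v in fields.items())
    return (f'<body onLoad="document.fmPost.submit()">\n'
            f'<form action="{PAYPAL_URL}" method="post" name="fmPost">\n'
            f"{inputs}\n</form>\n</body>")
```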
4.10.2 Hacking the Hack
You don't necessarily have to use the database method described here. Instead, you can simply create a static jump page for each product, complete with all of the product information (name, price, etc.) embedded right in the code. Although this approach wouldn't make any sense for an online store that sells hundreds or thousands of items, it would ultimately be easier to implement than a full database if you sell only one or two products on your site.

4.10.3 Plan B: Obfuscate Your Button Code
If all this seems like too much trouble to guard against a remote possibility, there is an easier way to keep casual observers from seeing exactly what your button code contains and spoofing your button. (Isn't it handy that the word obfuscate is, itself, a rather cryptic term?)
This quick and easy obfuscator makes it harder for casual viewers to see how your button is coded and thus helps protect it from tampering. Additionally, it foils most web spiders looking for fresh email addresses to spam.
To illustrate, here's an ordinary payment button:

    <h1>Plain button</h1>
    <form action="https://www.paypal.com/cgi-bin/webscr" method="post">
    <input type="hidden" name="cmd" value="_xclick">
    <input type="hidden" name="business" value="sales@wwjcd.biz">
    <input type="hidden" name="item_name" value="Jackie Chan bobble head">
    <input type="hidden" name="item_number" value="jc-bh">
    <input type="hidden" name="amount" value="9.99">
    <input type="hidden" name="currency_code" value="USD">
    <input type="image" src="https://www.paypal.com/en_US/i/btn/x-click-but23.gif" border="0" name="submit" alt="Make payments with PayPal - it's fast, free and secure!">
    </form>
And here's the obfuscated version of the same code:

    <h1>Button obfuscated</h1>
    <script>
    <!--
    document.write(unescape(
      "%3Cform%20action%3D%22https%3A//www.paypal.com/cgi-bin/webscr%22%20method%3D%22post%22%3E%0D%0A" +
      "%3Cinput%20type%3D%22hidden%22%20name%3D%22cmd%22%20value%3D%22_xclick%22%3E%0D%0A" +
      "%3Cinput%20type%3D%22hidden%22%20name%3D%22business%22%20value%3D%22sales@wwjcd.biz%22%3E%0D%0A" +
      "%3Cinput%20type%3D%22hidden%22%20name%3D%22item_name%22%20value%3D%22Jackie%20Chan%20bobble%20head%22%3E%0D%0A" +
      "%3Cinput%20type%3D%22hidden%22%20name%3D%22item_number%22%20value%3D%22jc-bh%22%3E%0D%0A" +
      "%3Cinput%20type%3D%22hidden%22%20name%3D%22amount%22%20value%3D%229.99%22%3E%0D%0A" +
      "%3Cinput%20type%3D%22hidden%22%20name%3D%22currency_code%22%20value%3D%22USD%22%3E%0D%0A" +
      "%3Cinput%20type%3D%22image%22%20src%3D%22https%3A//www.paypal.com/en_US/i/btn/x-click-but23.gif%22" +
      "%20border%3D%220%22%20name%3D%22submit%22%20alt%3D%22Make%20payments%20with%20PayPal%20-%20it%27s%20fast%2C%20free%20and%20secure%21%22%3E%0D%0A" +
      "%3C/form%3E"));
    //-->
    </script>
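As an added example that is not from the book, the Python below reproduces the encoding the obfuscated button relies on (the alphabet of JavaScript's classic escape()/unescape()) and round-trips it, which shows both how such a block is generated from any button and that the browser, or anyone reading the page source, decodes it in a single step; because escape() leaves letters, digits, @ and . untouched, the merchant address still appears verbatim inside the encoded string. The cut-down button is constructed sample input.

```python
import re

# Characters JavaScript's escape() leaves untouched (plus ASCII letters and
# digits); everything else becomes %XX, or %uXXXX above U+00FF.
_JS_ESCAPE_SAFE = set("@*_+-./")


def js_escape(text):
    """Percent-encode text the way the classic JavaScript escape() does."""
    out = []
    for ch in text:
        if ch.isascii() and (ch.isalnum() or ch in _JS_ESCAPE_SAFE):
            out.append(ch)
        elif ord(ch) < 0x100:
            out.append(f"%{ord(ch):02X}")
        else:
            out.append(f"%u{ord(ch):04X}")
    return "".join(out)


def js_unescape(text):
    """Reverse js_escape in one left-to-right pass, as the browser's unescape() does."""
    return re.sub(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1) or m.group(2), 16)), text)


def obfuscate_button(form_html):
    """Wrap button HTML in the document.write(unescape("...")) pattern from the page."""
    return ('<script>\n<!--\ndocument.write(unescape("' + js_escape(form_html)
            + '"));\n//-->\n</script>')


# Constructed sample: a cut-down copy of the page's plain button, with CRLF
# line endings so the output carries the same %0D%0A sequences.
PLAIN_BUTTON = "\r\n".join([
    '<form action="https://www.paypal.com/cgi-bin/webscr" method="post">',
    '<input type="hidden" name="cmd" value="_xclick">',
    '<input type="hidden" name="business" value="sales@wwjcd.biz">',
    '<input type="hidden" name="item_name" value="Jackie Chan bobble head">',
    '<input type="hidden" name="amount" value="9.99">',
    '</form>',
])

if __name__ == "__main__":
    encoded = js_escape(PLAIN_BUTTON)
    print(obfuscate_button(PLAIN_BUTTON))
    # The round trip is lossless, and the address is still legible in the encoded text.
    assert js_unescape(encoded) == PLAIN_BUTTON
    assert "sales@wwjcd.biz" in encoded
```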
While this hack can indeed be applied to an already-encrypted button (as detailed in [Hack #37]), encrypted buttons hardly need the added protection of obfuscation.