External web site payment system


Hi there.

We're developing a system where you can make payments using an external web site (NewTek.com solution).


The problem is that you are able to see the URL, and so you can change the parameters. I saw a few posts about hiding the URL with a POST request, etc., but we would still have the problem if someone uses the developer tools.


Anyway, I'm wondering if it's possible to use a Modal to show their website and avoid these problems.


Thank you.

Hi Denis,

I would think that NewTek has a very crappy solution if the API depends on parameters passed in the URL. That will always be unsafe, and always be visible when using the devtools. On the other hand, what could a user have to gain by altering the parameters?

Kilian Hekhuis wrote:

Hi Denis,

I would think that NewTek has a very crappy solution if the API depends on parameters passed in the URL. That will always be unsafe, and always be visible when using the devtools. On the other hand, what could a user have to gain by altering the parameters?

A user could be registered as having paid $4 on our system but have paid $3 to NewTek. Once the payment is successfully done, we change the record status to paid, because we can use only the reference number and not the amount paid.


Solution

Hi Denis,

I agree with Kilian that parameters passed in the URL and headers are always unsafe. A better way is, if NewTek provides a REST API, to consume it on the server side, and from your UI encrypt/decrypt the data, or validate it again before sending to NewTek.

Regards

Devendra
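The server-side validation suggested in this thread, as an added example that is not part of the original posts and is not NewTek's API: the amount comes from the server's own order record, and the order is marked paid only when the amount the provider reports matches it. `ORDERS`, `build_payment_request`, `confirm_payment` and the provider lookup callable are hypothetical names, and the example assumes the provider offers a server-to-server query that returns the amount charged for a reference.

```python
"""Server-side payment checks; all names here are hypothetical."""
from dataclasses import dataclass
from decimal import Decimal


@dataclass
class Order:
    reference: str
    amount: Decimal          # authoritative price, set by the server only
    status: str = "pending"


# Constructed sample data standing in for the application's database.
ORDERS = {"REF-1001": Order("REF-1001", Decimal("4.00"))}


def build_payment_request(reference, client_params):
    """Build the request sent to the provider from the server's own record.

    Anything the browser supplied besides the reference is ignored, so an
    edited amount in the URL or in devtools never reaches the provider.
    """
    order = ORDERS[reference]
    ignored = sorted(k for k in client_params if k != "reference")
    return {"reference": order.reference, "amount": str(order.amount)}, ignored


def confirm_payment(reference, lookup_charged_amount):
    """Mark the order paid only if the provider charged the recorded amount.

    lookup_charged_amount is an assumed callable wrapping a server-to-server
    query to the provider; it returns the Decimal amount actually charged.
    """
    order = ORDERS[reference]
    charged = lookup_charged_amount(reference)
    if charged != order.amount:
        order.status = "amount_mismatch"   # hold for review, do not fulfil
        return False
    order.status = "paid"
    return True


def fake_provider_lookup(amount):
    """Constructed stand-in for the provider query, used only for the demo."""
    return lambda reference: Decimal(amount)


if __name__ == "__main__":
    tampered = {"reference": "REF-1001", "amount": "3.00"}
    print(build_payment_request("REF-1001", tampered))
    print(confirm_payment("REF-1001", fake_provider_lookup("3.00")))
    print(confirm_payment("REF-1001", fake_provider_lookup("4.00")))
```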

 

