[thelist] I can't believe what I just read....

Anthony Baratta Anthony at Baratta.com
Thu Oct 19 13:33:35 CDT 2000


Lumir G Janku wrote:
> 
> Actually, VeriSign/Signio use the same method for merchant id, except you
> don't need to pass the amount as hidden varieble, but you certainly can.
> However, when the merchant sets up the gateway parameters on the VeriSign
> end, they specify the url that the form is accepted from. So, it you try to
> spoof the form and send it from an untrusted server, you are SOL. I assume
> these guys have a similar setup.

Do you know how easy it is to spoof HTTP Headers??? There are perl and other scripts
as well as custom browsers (hell grab a copy of Mozilla source and build your own)
out there that allow you to hack the HTTP headers.

-- 
Anthony Baratta
President
KeyBoard Jockeys
                    South Park Speaks Version 3 is here!!!
                       http://www.baratta.com/southpark
                              Powered by Tsunami




More information about the thelist mailing list