Well, it is data that is posted by the user, so they could send whatever they want. I think the easiest way would be to use Firebug to change the value of "checkOutPaymentId" to a different value, click on that radio input, and submit the form. They could also use Curl, or write a simple program to post values after logging in and fetching the cookie.
On Sat, Apr 20, 2013 at 8:03 AM, Jacques Le Roux <[email protected]> wrote:

> Reversing the question: how would the user change it?
>
> Jacques
>
> From: "Mason Harding" <[email protected]>
>
> > Hello. I am looking at the page
> > /ecommerce/control/updateCheckoutOptions/quickcheckout, and see that you
> > can set a "checkOutPaymentId" that is posted to /ecommerce/control/checkout.
> > I've followed the code all the way to the payment gateway, but don't see
> > any security verifying that the user didn't change the checkOutPaymentId to
> > one that is not their own before posting. I assume I am missing something?
> >
> > Thanks,
> > Mason
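The server-side check the thread says is missing, as an added example that is not part of the thread and not OFBiz code: before the posted "checkOutPaymentId" reaches the payment gateway, the handler confirms that the payment method belongs to the logged-in party. The `PaymentMethod` record, the in-memory store, the `audit_log` list and the `authorize_checkout_payment` function are all hypothetical stand-ins for whatever the real application uses.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class PaymentMethod:
    payment_method_id: str
    party_id: str          # the party that owns this payment method
    enabled: bool = True

class PaymentAuthorizationError(Exception):
    """Raised when the posted checkOutPaymentId must not be used by this session."""

# Constructed sample data standing in for the payment method table (hypothetical).
PAYMENT_METHODS: Dict[str, PaymentMethod] = {
    "PM-1001": PaymentMethod("PM-1001", party_id="10001"),
    "PM-1002": PaymentMethod("PM-1002", party_id="10001", enabled=False),
    "PM-2001": PaymentMethod("PM-2001", party_id="10002"),
}

# Collected so a defender can alert on repeated ownership mismatches (hypothetical).
audit_log: List[str] = []

def authorize_checkout_payment(session_party_id: str,
                               posted_fields: Dict[str, str],
                               store: Dict[str, PaymentMethod] = PAYMENT_METHODS
                               ) -> PaymentMethod:
    """Return the payment method only if it is enabled and owned by the session party.

    session_party_id comes from the authenticated session, never from the form;
    posted_fields is the untrusted request body (e.g. from /ecommerce/control/checkout).
    """
    payment_id: Optional[str] = posted_fields.get("checkOutPaymentId")
    if not payment_id:
        raise PaymentAuthorizationError("checkOutPaymentId missing")
    method = store.get(payment_id)
    # Unknown ids and other parties' ids get the same error so the response
    # does not reveal which payment method ids exist.
    if method is None or method.party_id != session_party_id:
        audit_log.append(
            f"party={session_party_id} posted checkOutPaymentId={payment_id} not owned")
        raise PaymentAuthorizationError("payment method not available to this user")
    if not method.enabled:
        raise PaymentAuthorizationError("payment method is disabled")
    return method
```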
