PayPal has a method where we can post our transaction to PayPal via a form.
Isn't it possible for someone to construct our form and post to PayPal over and over again?
I know no real harm can happen as they would have to enter their CC information on PayPal to cont开发者_C百科inue, but they could cause a lot of trouble by posting hundreds of fake transactions.
Is there any way to prevent this type of situation?
Does PayPal have anything that tells it to only accept form posts from certain sites/pages?
If you mean their NVP API, then PayPal's documentation tells you how they avoid that problem (known as a "replay attack", because an attacker is replaying the same data sent by the legitimate user). The posting application must send a username, password and signature, which the developers must not disclose to anyone and which is sent over secure transport as part of the API procedure. An attacker trying to pose as the developer does not know the username, password or signature and cannot submit false requests to PayPal.
That doesn't stop the attacker from misusing the input of the application (i.e. the browser page seen by application users, which causes the application to make PayPal requests), that bit being up to you :-).
精彩评论