Question

So I am implementing a payment system with 2co on my website. I am using their 'Header Redirect' which returns the customer to an ASPX page on my website with a bunch of querystrings after a successful payment.

Anyway, I was wondering. What is the proper way to secure this? What if a customer typed the parameters him/herself, such as `Payment.aspx?params-here`, and added credits as they wish to their account?

How can I make sure that this is 100% authentic?

Suggestions? Thanks!


Solution

A solution approach to parameter tampering is usually mapping the query parameters to something that cannot be easily manipulated, e.g. by using a one-way hash function to create a digest to send along with the original parameter and limiting the duration during which a particular mapping/digest is valid. If the digest matches the query parameter you know the request has not been tampered with.

E.g. your URL

Payment.aspx?Amount=100

could become

Payment.aspx?Amount=100&Digest=53e5e07397f7f01c2b276af813901c2

Here's an old but still relevant, detailed article on the topic: Passing Tamper-Proof QueryString Parameters

In ASP.NET you can use Page.EnableEventValidation which uses a hidden textbox as part of a form to validate that a request was issued from the form:

When the EnableEventValidation property is set to true, ASP.NET validates that a control event originated from the user interface that was rendered by that control. A control registers its events during rendering and then validates the events during postback or callback handling. For example, if a list control includes options numbered 1, 2, or 3 when the page is rendered, and if a postback request is received specifying option number 4, ASP.NET raises an exception. All event-driven controls in ASP.NET use this feature by default.
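An added example (not from the answer above or from 2Checkout) of the digest-plus-expiry scheme the answer describes. It uses a keyed HMAC rather than a bare hash, because a digest computed without a server-side secret can be recomputed by whoever edits the parameters; the secret value, parameter names and the 600-second TTL are constructed placeholders.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode

# Constructed placeholder: the real key lives only on the server, never in the URL.
SECRET = b"replace-with-a-long-random-server-side-key"


def _canonical(params: dict) -> str:
    """Sort keys so the signed string does not depend on parameter order."""
    return urlencode(sorted(params.items()))


def signed_query(params: dict, secret: bytes, ttl_seconds: int,
                 now: Optional[int] = None) -> str:
    """Append Expires and a keyed digest; returns the query string to redirect to."""
    now = int(time.time()) if now is None else now
    signed = dict(params)
    signed["Expires"] = str(now + ttl_seconds)
    signed["Digest"] = hmac.new(secret, _canonical(signed).encode(),
                                hashlib.sha256).hexdigest()
    return urlencode(signed)


def verify_query(query: str, secret: bytes, now: Optional[int] = None) -> bool:
    """True only if every parameter is untouched and the link has not expired."""
    now = int(time.time()) if now is None else now
    parsed = parse_qs(query, keep_blank_values=True)
    if any(len(v) != 1 for v in parsed.values()):   # reject duplicated keys
        return False
    params = {k: v[0] for k, v in parsed.items()}
    digest = params.pop("Digest", None)
    expires = params.get("Expires")
    if digest is None or expires is None or not expires.isdigit():
        return False
    expected = hmac.new(secret, _canonical(params).encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, digest):   # constant-time comparison
        return False
    return now <= int(expires)


if __name__ == "__main__":
    q = signed_query({"Amount": "100", "Order": "42"}, SECRET, ttl_seconds=600)
    print("Payment.aspx?" + q)
    print(verify_query(q, SECRET),
          verify_query(q.replace("Amount=100", "Amount=9999"), SECRET))
```

The server should still treat the verified parameters as a claim to reconcile against the order it created, not as the sole authority for how many credits to grant.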

License: CC-BY-SA with attribution
Not affiliated with StackOverflow