1. Case

Buying a computer for one fen. Before the request reached the payment interface, the buyer used a packet-capture tool such as Fiddler to intercept it and changed the amount parameter to 0.01 yuan. The server accepted it: the computer purchase went through, and a month later the buyer went to jail. The server trusted a price that the client had supplied, so anything in that request could be rewritten on the way.
2. How do we stop others from modifying the parameters with a capture tool?

Use a token to hide the parameters. The server stores the real parameters (user ID and amount) under a random, short-lived token, and the client sends only that token to the payment interface. The amount no longer travels in the pay request, so there is nothing there to edit. One caveat: the token only helps if the amount stored behind it comes from the server's own order record. If the token-issuing endpoint takes the amount from the client, an attacker simply edits that request instead of the pay request.
3. Code implementation

(BaseApiService, BaseRedisService and ResponseBase are the project's own classes and are not shown here.)

import java.util.UUID;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.util.StringUtils;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class PayController extends BaseApiService {

    @Autowired
    private BaseRedisService baseRedisService;

    // Token lifetime in seconds: 15 minutes.
    private static final long timeToken = 15 * 60L;

    @RequestMapping("/pay")
    public ResponseBase pay(String token) {
        // Only the token is submitted; the real parameters are fetched from Redis.
        if (StringUtils.isEmpty(token)) {
            return setResultError("token cannot be empty!");
        }
        String result = (String) baseRedisService.getString(token);
        if (StringUtils.isEmpty(result)) {
            return setResultError("parameters cannot be empty!");
        }
        System.out.println("parameters retrieved for token: " + result);
        return setResultSuccess("parameters retrieved for token: " + result);
    }

    @RequestMapping("/getToken")
    public String getToken(Long userId, Long money) {
        // Bind userId and money to a random token with a 15-minute expiry.
        String payToken = UUID.randomUUID().toString();
        baseRedisService.setString(payToken, userId + "-" + money, timeToken);
        return payToken;
    }
}
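The following is an added example, not code from the original post or its project: a self-contained Python simulation of the same getToken/pay flow, with an in-memory dictionary standing in for Redis and a constructed order table (ORDERS) standing in for the database. It goes one step beyond the controller above in that the token endpoint takes an order ID and looks the price up server-side instead of accepting a money parameter from the client, and it replays the attacks from the case (tampered amount, replayed token, forged token, another user's order, expired token) to show each one failing. All names and values are assumptions made for the example.

```python
import secrets
import time

# Constructed sample order table standing in for the database (not real data).
# The price lives here, on the server; the client never sends it.
ORDERS = {
    "order-1001": {"user_id": 42, "amount_fen": 599900},  # a 5999.00 yuan computer
}

TOKEN_TTL_SECONDS = 15 * 60  # same 15-minute lifetime as timeToken in the controller


class PayServer:
    """In-memory stand-in for the PayController plus Redis pair."""

    def __init__(self, clock=time.time):
        self._clock = clock   # injectable so expiry can be exercised offline
        self._tokens = {}     # token -> record; plays the role of Redis

    def get_token(self, user_id, order_id):
        """/getToken: bind a random token to an order whose price the server knows."""
        order = ORDERS.get(order_id)
        if order is None or order["user_id"] != user_id:
            return None  # no token for a missing order or someone else's order
        token = secrets.token_urlsafe(32)  # unguessable; a UUID4 would also do
        self._tokens[token] = {
            "user_id": user_id,
            "order_id": order_id,
            "amount_fen": order["amount_fen"],
            "expires_at": self._clock() + TOKEN_TTL_SECONDS,
        }
        return token

    def pay(self, token, **client_fields):
        """/pay: charge what the token was bound to; any extra client fields are ignored."""
        record = self._tokens.pop(token, None)  # pop: a token can be spent only once
        if record is None or self._clock() > record["expires_at"]:
            return {"ok": False, "error": "invalid, expired or already used token"}
        return {"ok": True, "order_id": record["order_id"],
                "charged_fen": record["amount_fen"]}


def run_tamper_scenarios():
    """Replays the attacks from the case against this design and returns the outcomes."""
    now = [1_700_000_000.0]  # controllable clock (seconds)
    server = PayServer(clock=lambda: now[0])
    results = {}

    # 1. Attacker intercepts /pay with Fiddler and adds amount=1 (0.01 yuan).
    #    The field is ignored; the order's real price is charged.
    token = server.get_token(42, "order-1001")
    results["tampered_amount"] = server.pay(token, amount=1)

    # 2. Replaying the same token a second time.
    results["replay"] = server.pay(token, amount=1)

    # 3. A made-up token that was never issued.
    results["forged_token"] = server.pay("0" * 43)

    # 4. Requesting a token for another user's order.
    results["wrong_user_token"] = server.get_token(7, "order-1001")

    # 5. A valid token used after the 15-minute window.
    token = server.get_token(42, "order-1001")
    now[0] += TOKEN_TTL_SECONDS + 1
    results["expired"] = server.pay(token)
    return results


if __name__ == "__main__":
    for name, outcome in run_tamper_scenarios().items():
        print(f"{name}: {outcome}")
```

The two details that matter most are that pay() never reads an amount from the request, and that get_token() derives the amount from the server's order record rather than from a money parameter; the random token, the one-time pop and the expiry then close off replay and guessing.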