A few people from http://www.roforum.net posted some information about a few websites they had seen, and I noticed a vulnerability in each one of them. The vulnerability is posted on the forum at http://www.roforum.net/threads/vulnerabilitate-in-forms.453/ in Romanian. I thought it would be a good idea to write up the findings so that others can avoid the same mistake.
I've selected two websites in particular because they take different approaches but have the same problem: the price is carried in hidden form fields that the browser, and therefore the buyer, can edit before submitting. In the first example I present a website that sells marketing materials; you do not check out with PayPal or pay by card, instead you submit a form with your details and the order. In the second example I submit a form on the second website and change its value to pay less than the price displayed. That checkout happens over PayPal.
1. The image below shows how the order summary is displayed:
2. By right-clicking on "2500 Flyers" and selecting "Inspect Code" you will see something like this:
3. By changing the hidden fields I was able to submit the order at the price I wanted and the quantity I wanted.
Following the same steps as in the first example, I was able to check out with PayPal in a different currency and at a different price. To be exact, the website used the following form:
As you might notice, again there are hidden fields in the form. By changing a3 to 0.01 and currency_code to USD, on checkout I was shown the following:
Instead of paying 500 EUR for a service, I was about to check out at 0.01 USD.
This type of vulnerability is usually seen on e-commerce websites. At the end of the day, it does not matter how smart or secure the framework you use is for building forms, because you only need one plugin/add-on/module that was not written by a professional developer, or has not been maintained by one, to reintroduce the problem. The root cause is always the same: the server trusts a price, quantity or currency that came from the client.
I have seen these vulnerabilities on websites built with all sorts of frameworks: WordPress, Drupal, Joomla, custom MVC, .NET, Java, C# etc. My recommendation is to do some research before adopting a technology; don't just pick one because someone said so.
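The server-side fix for both websites above, as an added example that is not code from the original post or from either site: the flawed handler reads price and currency from the hidden fields, the hardened handler only accepts a product id and quantity and looks everything else up server-side, and a final check compares a hosted-checkout payment notification against the recorded order. The catalogue, prices and notification field names are constructed for the example.

```python
# Added example (not from the original post): server-side price handling that
# makes tampered hidden fields harmless. Catalogue and field names are constructed.
from decimal import Decimal

# Constructed catalogue: the server is the only source of truth for prices.
CATALOGUE = {
    "flyers-2500": {"name": "2500 Flyers", "unit_price": Decimal("49.00"), "currency": "EUR"},
    "seo-package": {"name": "SEO package", "unit_price": Decimal("500.00"), "currency": "EUR"},
}


def checkout_vulnerable(form):
    """Mirrors the flawed pattern on the page: price, quantity and currency
    are read straight from hidden fields, so the buyer controls the total."""
    qty = int(form["quantity"])
    price = Decimal(form["price"])
    return {"total": price * qty, "currency": form["currency_code"]}


def checkout_hardened(form):
    """Only the product id and quantity come from the client; everything that
    affects money is looked up server-side and range-checked."""
    item = CATALOGUE.get(form.get("item_id"))
    if item is None:
        raise ValueError("unknown item")
    try:
        qty = int(form.get("quantity", "1"))
    except ValueError:
        raise ValueError("quantity is not an integer")
    if not 1 <= qty <= 10_000:
        raise ValueError("quantity out of range")
    # Any submitted price/currency fields are ignored (and worth logging as tampering).
    return {"total": item["unit_price"] * qty, "currency": item["currency"]}


def payment_matches_order(order, notification):
    """For hosted checkouts (e.g. a PayPal notification): accept the payment only
    if amount, currency and status match what the server recorded for the order.
    The notification keys here are assumptions, not a specific provider's API."""
    try:
        paid = Decimal(notification["amount"])
    except (KeyError, ArithmeticError):  # missing or non-numeric amount
        return False
    return (paid == order["total"]
            and notification.get("currency") == order["currency"]
            and notification.get("status") == "Completed")
```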