Technote Details :: How MX Kart protects your site from URL attacks

Issue

MX Kart is not exposed to URL attacks, because it was designed around the security of the e-commerce application.

Reason

MX Kart is not vulnerable to URL attacks, because neither adding products to the cart nor the payment gateway confirmation uses a URL-based approach.

Solution

We have designed MX Kart with security in mind. We have carefully analyzed all the weak spots in an e-commerce application, and we've decided to carefully implement the following two sections of the cart.
 
Adding products to the Kart
When adding products to the cart (by link or form), we don't send the product price in the URL; instead, we use a non-attackable approach. For each "add to cart" link, we save all the product's essential properties in the user session, and we create the link with a unique session id.
 
In the Add to Cart page, we receive the session id as the MXSessionId parameter, and the product price, name and quantity are retrieved from the session, to make sure the user will not be able to change a product price by changing a URL.
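
The add-to-cart flow described above, as an added Python example (not MX Kart's own code): the link carries only an opaque id, and the handler reads price, name and quantity from server-side session data. The `CartSession` class, the `/add_to_cart` path, the field names and the sample product are assumptions made for illustration; only the `MXSessionId` parameter name comes from this technote.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


class CartSession:
    """One shopper's server-side session (hypothetical stand-in for the real session store)."""

    def __init__(self):
        self._offers = {}  # opaque id -> product properties; never sent to the client
        self.cart = []

    def add_to_cart_link(self, name, price_cents, quantity=1):
        """Save the product properties in the session; return a link carrying only the id."""
        token = secrets.token_urlsafe(16)  # unguessable id, unique per link
        self._offers[token] = {"name": name, "price_cents": price_cents, "quantity": quantity}
        return "/add_to_cart?" + urlencode({"MXSessionId": token})

    def handle_add_to_cart(self, url):
        """Add to Cart page: trust only MXSessionId, ignore every other query parameter."""
        params = parse_qs(urlparse(url).query)
        token = params.get("MXSessionId", [""])[0]
        offer = self._offers.get(token)
        if offer is None:
            return None  # unknown or forged id: nothing is added to the cart
        item = dict(offer)  # price, name and quantity come from the session only
        self.cart.append(item)
        return item


def demo():
    """Constructed sample data: one product, then an honest, a tampered and a forged request."""
    session = CartSession()
    link = session.add_to_cart_link("Blue mug", 1299, 2)
    honest = session.handle_add_to_cart(link)
    tampered = session.handle_add_to_cart(link + "&price_cents=1&quantity=100")
    forged = session.handle_add_to_cart("/add_to_cart?MXSessionId=guessed&price_cents=1")
    return link, honest, tampered, forged


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The tampered request yields the same cart item as the honest one because the extra URL parameters are never read, and the forged id adds nothing.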
 
The payment gateway confirmation
This was the most important section of the e-commerce site, as this page can be attacked to randomly validate various orders.
 
To make sure this doesn't happen, we have implemented a second-level check with the payment gateway, which reconfirms that the validation message received is exactly what the payment gateway confirmed.
 
The validation algorithms are custom for each payment gateway, and they guarantee that an order validation is correct.

© Adobe Systems Romania. All rights reserved.