Hi,
We are currently using the Moneris Hosted Pay Page and are sending the values within the header so the HPP can be populated. We are running a pentest and they found that the user is able to modify the charge total within the header and can pay $1.00 instead of the $100.00 that should be passed through.
Is there a way to avoid the charge total from being updated through the header?
Also, another question that came to mind is if the user is able to pay a negative amount so they receive a refund on their credit card? So if they manipulate the charge total and change it to -$1.00, they receive a refund of $1.00 onto their card.