topic HostedPayment token security issue in Integration and Testing https://community.developer.cybersource.com/t5/Integration-and-Testing/HostedPayment-token-security-issue/m-p/73426#M45476 <P>I am implementing HostedPayment using an embedded frame. while integrating I have noticed that the generated token is available on the parent page which can be easily manipulated with a different token. As the form and iframe are on the same page so anyone can manipulate the HTML through the inspect the element and inject another token instead of a real one with a different merchant id and all the payment will move to that merchant account. below is the form which your document says to implement. could you please look into it?</P><P>&nbsp;</P><P>&nbsp;</P><P>&lt;div id="iframeHolder" class="center-block" style="width:90%;max-width: 1000px"&gt;<BR />&lt;iframe id="loadPayment" class="embed-responsive-item" name="loadPayment" width="100%" height="650px" frameborder="0" scrolling="no" hidden="true"&gt;<BR />&lt;/iframe&gt;</P><P>&lt;form id="sendhptoken" name="sendhptoken" action="<A href="https://test.authorize.net/payment/payment" target="_blank" rel="noopener">https://test.authorize.net/payment/payment</A>" method="post" target="loadPayment"&gt;<BR />&lt;input type="text" name="token" value="{{token}}" /&gt;<BR />&lt;/form&gt;<BR />&lt;/div&gt;</P> Sun, 04 Oct 2020 09:22:19 GMT vishal15 2020-10-04T09:22:19Z HostedPayment token security issue https://community.developer.cybersource.com/t5/Integration-and-Testing/HostedPayment-token-security-issue/m-p/73426#M45476 <P>I am implementing HostedPayment using an embedded frame. while integrating I have noticed that the generated token is available on the parent page which can be easily manipulated with a different token. As the form and iframe are on the same page so anyone can manipulate the HTML through the inspect the element and inject another token instead of a real one with a different merchant id and all the payment will move to that merchant account. below is the form which your document says to implement. could you please look into it?</P><P>&nbsp;</P><P>&nbsp;</P><P>&lt;div id="iframeHolder" class="center-block" style="width:90%;max-width: 1000px"&gt;<BR />&lt;iframe id="loadPayment" class="embed-responsive-item" name="loadPayment" width="100%" height="650px" frameborder="0" scrolling="no" hidden="true"&gt;<BR />&lt;/iframe&gt;</P><P>&lt;form id="sendhptoken" name="sendhptoken" action="<A href="https://test.authorize.net/payment/payment" target="_blank" rel="noopener">https://test.authorize.net/payment/payment</A>" method="post" target="loadPayment"&gt;<BR />&lt;input type="text" name="token" value="{{token}}" /&gt;<BR />&lt;/form&gt;<BR />&lt;/div&gt;</P> Sun, 04 Oct 2020 09:22:19 GMT https://community.developer.cybersource.com/t5/Integration-and-Testing/HostedPayment-token-security-issue/m-p/73426#M45476 vishal15 2020-10-04T09:22:19Z