
I did an interesting experiment today.

I opened Amazon.com in my browser, logged in, brought up Fiddler, and tried to add a brand new credit card.

I typed in my credit card number, expiration, and card holder name. When I submitted the request I didn't see any POST to Amazon in Fiddler. The UI said there was a problem submitting my information, and that I should try again.

I repeated it and got the identical response.

I shut down Fiddler and hit submit. My information was accepted instantly.

I'd like to know how Amazon accomplished this feat. Is it common knowledge? Is there an HTTP header involving certificates that makes it easy?

duffymo
  • Did you get your error message from the browser or from Amazon? – The scion Apr 26 '16 at 18:30
  • The error message appeared in the Amazon app in the browser. It wasn't a popup; it looked like a validation message you'd expect from a web app if you typed bad values into a text box. – duffymo Apr 26 '16 at 18:32
  • @Pillar, I added the java tag b/c I'm interested in adding this to a Java app. I agree that it's not pertinent to the question. – duffymo Apr 26 '16 at 18:34
  • There are some possible solutions to preventing man-in-the-middle attacks as you attempted here: http://stackoverflow.com/questions/10808930/what-is-point-of-ssl-if-fiddler-2-can-decrypt-all-calls-over-https Apparently client-side certification for SSL authentication is a thing? Also, did you enable SSL traffic in the settings for Fiddler? – scrappedcola Apr 26 '16 at 18:36
  • Thank you. I'll give those a look. Yes, SSL traffic was enabled in Fiddler. – duffymo Apr 26 '16 at 18:37
  • You should consider asking this same question (or having it migrated to) [Security.SE](http://security.stackexchange.com). – esqew Apr 26 '16 at 18:40
  • Good suggestion, @esqew. How to migrate? – duffymo Apr 26 '16 at 18:41
  • @duffymo You can flag your question and explain to the moderators in the box provided that you feel it might be better suited for Security.SE. – esqew Apr 26 '16 at 18:42
  • Thanks so much; greatly appreciated. Sincerely.... – duffymo Apr 26 '16 at 18:42

1 Answer

I think it is certificate pinning or something like it. The server certificate is pinned in the application, so the app accepts only it, not any other certs, even if they are valid.

Dmitry
  • Thank you Dmitry, I'll dig into that. – duffymo Apr 26 '16 at 18:40
  • It's unlikely to be HTTPS key pinning. Per a check on securityheaders.io, Amazon [doesn't actually send that header at all](https://securityheaders.io/?q=https%3A%2F%2Fwww.amazon.com). – Jules Apr 26 '16 at 18:40
  • You are right. What else can it be? – Dmitry Apr 26 '16 at 18:44
  • All things aside, I'm not sure how HPKP would really affect this; that header's mostly for the server to resist impersonation by other servers, not for the client to resist impersonation by other clients. – Jules Apr 26 '16 at 19:15