i am working on security and other stuff about my web sites.
in my country online payments work like paypal.
mean you should pass some parameters such as Amount,MerchantID,ReturnURL,ResNum(OrderID) by post method to bank and bank will pass some parameters such as MID,Status,ResNum to you after payment.
during this requests and responses somebody can use the software below to sniff and tamper:
http://www.fiddler2.com/fiddler2/
please see this video:
http://www.fiddler2.com/fiddler/help/video/
i test it and it also works on https by using a certificate.
wow...
- how can i prevent this sniffing and tampering?
there is a function in bank site named VerifyTransaction that is called on Seller side after payment and this function returns amount.
this function is on a web service on bank side.
the main question is : - can somebody sniff and tamper web service between bank and seller?
mean can fiddler do that or the other tool?
if yes, how can we prevent this sniffing and tampering (web services)?
really appreciate for attention
Fiddler is running on the same client that the web browser runs on, both under the control of the same user, so it can't do anything that you couldn't do with just a browser (but maybe much more effort).
There is never a guarantee that data coming from clients to your server has been sent by the HTML/JavaScript/etc. that you served them. That is why you should never trust user input, e.g. always do data validation on the server side (and only additionally on the client side for improved usability). And that is the reason for the web service calls between the bank and the seller, to ensure that the transaction details are correct.
Tampering and sniffing of traffic between the seller-server and the bank-server can be prevented by proper TLS setup.
来源:https://stackoverflow.com/questions/10494952/sniffing-and-tampering-requests-and-responses-of-web-sites-how-prevent