On Apr 10, 2013, at 10:16 AM, Andy McKay wrote:

> On 2013-04-09, at 5:13 PM, Andy McKay <[email protected]> wrote:
>> If the item was for something that can be repeatedly purchased (say a new
>> life in a game). Can I MITM it, then just keep replaying the request? I
>> guess the developer will be checking for things like transaction id or id? Can
>> I just change that and keep replaying it?
>
> Ah no, because it's signed, so you can't tamper with it.

But what about not changing anything, and just replaying it (e.g. buy one month's worth of access to a service, replay to get many months' worth of access)?

Again though, if you are an attacker who has the ability to MITM all traffic to a non-SSL website, you pretty much already win (session ids, passwords, inject scripts etc etc).

> _______________________________________________
> dev-webapps mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-webapps
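The distinction the thread draws (a signature stops tampering but does nothing against replaying an unmodified receipt) is shown below in an added example that is not code from this list or from Mozilla's payment system; the HMAC key, receipt fields and ledger class are assumptions, and the replay defence is a server-side record of fulfilled transaction ids:

```python
import hashlib
import hmac
import json

# Constructed example: the payment provider signs receipts with a key the
# app's server holds; this key is a placeholder, not a real secret.
SIGNING_KEY = b"example-shared-secret"


def sign_receipt(receipt: dict) -> str:
    """Return an HMAC-SHA256 tag over a canonical JSON encoding of the receipt."""
    body = json.dumps(receipt, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()


class PurchaseLedger:
    """Server-side record of which transaction ids have already been fulfilled."""

    def __init__(self):
        self.fulfilled = set()
        self.credited_months = 0

    def redeem(self, receipt: dict, tag: str) -> str:
        # 1. Signature check: any change to the receipt fields (months,
        #    transaction id, ...) makes the tag mismatch.
        if not hmac.compare_digest(sign_receipt(receipt), tag):
            return "rejected: bad signature"
        # 2. Replay check: a byte-for-byte replay passes step 1, so the
        #    provider-issued transaction id must be consumed exactly once.
        txn = receipt["transaction_id"]
        if txn in self.fulfilled:
            return "rejected: replayed transaction"
        self.fulfilled.add(txn)
        self.credited_months += receipt["months"]
        return "ok"


def demo() -> tuple:
    """Valid receipt once, the same receipt replayed, then a tampered copy."""
    ledger = PurchaseLedger()
    receipt = {"transaction_id": "txn-0001", "months": 1}  # constructed
    tag = sign_receipt(receipt)
    first = ledger.redeem(receipt, tag)
    replay = ledger.redeem(receipt, tag)
    tampered = ledger.redeem({"transaction_id": "txn-0002", "months": 12}, tag)
    return first, replay, tampered, ledger.credited_months
```

The ledger must key on an id the provider assigns in the signed receipt, not on one the client supplies, or the replay check is trivially bypassed.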
