Reputation: 51
I am working on a web app that integrates with Stripe. I have a frontend which calculates a total price which I am sending to a middleware service over HTTP inside the body. I am worried about a security flaw, where someone can intercept the body of my HTTP request I am making to my middleware and change the total price to a lower amount. This would result in them paying less for a product. I've been playing around with Postman but I can only seem to intercept the request to see the data being passed, rather than being able to edit it. Is this even a possibility? If so, how can I guard against it? Thanks
Upvotes: 2
Views: 900
Reputation: 99581
The main way to guard against this is to not let the client pass the price at all.
The client just needs to tell the server which products the client wants to buy. The server uses the product list and quantities to figure out the total price.
And to answer your main question:
Assume that users can fully control every HTTP request, including headers, body, URL and method. You cannot trust any information inside it; everything can be altered.
Upvotes: 3
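To make the accepted approach concrete, here is an added example (not code from the question or the answer above) of a server-side handler that reads only SKUs and quantities from the request body, prices them from a server-owned catalogue, and builds the amounts it will hand to Stripe. The catalogue, the `createCheckoutPayload` function and the tampered request body are all constructed for this demonstration; the `line_items` shape mirrors Stripe Checkout's `price_data`/`quantity` layout but no Stripe SDK call is made.

```javascript
// Added example: recompute the order total on the server and ignore any
// price or total the client sends. CATALOG and the request body below are
// constructed for the demo; createCheckoutPayload is a hypothetical helper.

// Server-owned catalogue. Prices are in minor units (cents), as Stripe expects.
const CATALOG = {
  sku_tshirt: { name: "T-shirt", unitAmount: 2500 },
  sku_mug:    { name: "Mug",     unitAmount: 1200 },
};

const MAX_QTY_PER_LINE = 100;

// Validate one line item from the client. Only `sku` and `quantity` are read;
// a `price` or `total` field supplied by the client is deliberately ignored.
function validateLineItem(item) {
  if (!item || typeof item !== "object") throw new Error("invalid line item");
  const { sku, quantity } = item;
  if (typeof sku !== "string" || !Object.hasOwn(CATALOG, sku)) {
    throw new Error(`unknown sku: ${sku}`);
  }
  if (!Number.isInteger(quantity) || quantity < 1 || quantity > MAX_QTY_PER_LINE) {
    throw new Error(`invalid quantity for ${sku}`);
  }
  return { sku, quantity };
}

// Total the order from the catalogue, never from client-supplied numbers.
function computeOrderTotal(items) {
  if (!Array.isArray(items) || items.length === 0) throw new Error("empty order");
  return items.reduce((sum, raw) => {
    const { sku, quantity } = validateLineItem(raw);
    return sum + CATALOG[sku].unitAmount * quantity;
  }, 0);
}

// Build the payload the middleware would pass on to Stripe. The line_items
// shape follows Stripe Checkout's price_data/quantity layout, but this is a
// stand-in for the demo, not a Stripe SDK call.
function createCheckoutPayload(body, currency = "usd") {
  const items = (body.items || []).map(validateLineItem);
  return {
    currency,
    expectedTotal: computeOrderTotal(items),
    line_items: items.map(({ sku, quantity }) => ({
      quantity,
      price_data: {
        currency,
        unit_amount: CATALOG[sku].unitAmount,
        product_data: { name: CATALOG[sku].name },
      },
    })),
  };
}

// Constructed request body imitating a client that edited the request in
// transit: it claims a 1-cent total and 1-cent unit prices. Neither is used.
const tamperedBody = {
  total: 1,
  items: [
    { sku: "sku_tshirt", quantity: 2, price: 1 },
    { sku: "sku_mug", quantity: 1, price: 1 },
  ],
};

if (typeof require !== "undefined" && require.main === module) {
  // Prints a payload whose expectedTotal is 6200 (2 x 2500 + 1200),
  // regardless of the tampered fields.
  console.log(JSON.stringify(createCheckoutPayload(tamperedBody), null, 2));
}
```

The key property is that nothing in the response depends on a number the client chose: the SKU selects a catalogue row, the quantity is range-checked, and the total is a pure function of those two inputs. In a real deployment the same server code would create the Stripe session (or PaymentIntent) from this payload, so the amount charged always matches what the server computed.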