DEV Community

Discussion on: Cryptographically protecting your SPA

zeroUno • Edited

Very interesting article, thank you for sharing it!

I have only a few questions.

  1. When you say "The application itself is protected using SSL certificates on both ends", do you mean that you have 2 certificates, one for the client and one for the server? Does the client identify itself during the SSL handshake?
  2. Your solution, to me, looks like a sort of SSL pinning. Did you think about it when you were searching for a solution? If so, why didn't you opt in for it?
Matheus Adorni Dardenne
  1. I mean both the frontend and backend applications are accessible only through the HTTPS protocol. They're in different domains, and each has its own certificate.

  2. I had not heard of it before; however, I just looked up what it is, and I'm not sure if it would solve the problem. The hacker has access to the certificate his browser would trust, and he somehow imported it into his tool. He is not sending a fake certificate, he is sending a trusted certificate (as far as I understood his explanation).

zeroUno

I think that the hacker would need to "compromise" the user's browser in some way. For example, the hacker could install a fake CA root certificate in the user's browser; otherwise he would not be able to tamper with the request/response.
SSL pinning does just that: in fact, even if the hacker is able to compromise the user's browser, given that the server SSL certificate is pinned inside your application, the response can't be tampered with without your application noticing it.

Matheus Adorni Dardenne • Edited

Think of this attack as a malicious user trying to break things to his advantage (the tool is used by the company to calculate a yearly bonus paid to each employee based on their performance, so there is motivation to try). In this case, the user's browser is the hacker's browser.

In a sense it is not a "man in the middle", because it is not a third party; it's the user himself trying to mess around.