Could a Man-in-the-Middle (MITM) attack compromise the integrity of user-initiated transactions over HTTPS? Specifically, if a user selects an amount to donate on a website, is it possible for a hacker to intercept and modify the donation amount? If yes, what strategies can be implemented to safeguard against unauthorized alterations and ensure the security of transactions conducted over HTTPS?

Additionally, are there any built-in strategies, or features in Django that can mitigate the risk of such tampering?

2 Answers

A MitM attacker cannot manipulate HTTPS traffic undetected -- that's the whole point of HTTPS (besides protecting the confidentiality). Of course this is only true under the assumption that the server is correctly configured and that there are no vulnerabilities in the TLS implementation.

To manipulate data, an attacker has to either attack the client before encryption or the server after encryption. This is usually a much bigger threat than a MitM attacker messing with the traffic. Make sure to prevent common attacks like cross-site scripting, clickjacking, cross-site request forgery and SQL injections.

Ja1024

The contents of HTTPS traffic cannot be seen or modified by a MITM attacker. So for your donation page, the donated amount is confidential, and cannot be changed by a MITM attacker.

The length of messages can be roughly determined. So if someone donates a really large amount with many zeroes, this could be determined. TLS 1.3 has padding support that is supposed to prevent this, but I am unsure whether it is enabled in practice.

The biggest security gain is to really make sure that HTTPS is always used. So redirect to HTTPS and set the HSTS header to enforce HTTPS for future requests. See the Django docs about this.

Sjoerd
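To make the "redirect to HTTPS and set HSTS" advice in the answer above concrete, here is an added example (not from either answer or from the Django project) that puts a weak Django settings module beside a hardened one and audits them. The `SECURE_*`, cookie and middleware names are Django's real settings; both settings dicts are constructed for illustration.

```python
# Added example (not from the original answers): an audit of the Django settings
# that enforce HTTPS (SECURE_* names are Django's own; the dicts are constructed).
SECURITY_MIDDLEWARE = "django.middleware.security.SecurityMiddleware"

# Constructed "before": nothing forces HTTPS, so the donation form can be served
# over plain HTTP, where a MITM can change the amount.
WEAK_SETTINGS = {
    "MIDDLEWARE": ["django.middleware.common.CommonMiddleware"],
    "SECURE_SSL_REDIRECT": False,
    "SECURE_HSTS_SECONDS": 0,
    "SESSION_COOKIE_SECURE": False,
    "CSRF_COOKIE_SECURE": False,
}

# Constructed "after": redirect every plain-HTTP request and send an HSTS header.
HARDENED_SETTINGS = {
    "MIDDLEWARE": [SECURITY_MIDDLEWARE, "django.middleware.common.CommonMiddleware"],
    "SECURE_SSL_REDIRECT": True,      # 301 http:// -> https:// on every request
    "SECURE_HSTS_SECONDS": 31536000,  # one year of Strict-Transport-Security
    "SECURE_HSTS_INCLUDE_SUBDOMAINS": True,
    "SECURE_HSTS_PRELOAD": True,
    "SESSION_COOKIE_SECURE": True,    # browsers never send these over plain HTTP
    "CSRF_COOKIE_SECURE": True,
}

def audit_https_settings(settings: dict) -> list[str]:
    """Return findings; an empty list means HTTPS is consistently enforced."""
    findings = []
    if SECURITY_MIDDLEWARE not in settings.get("MIDDLEWARE", []):
        findings.append("SecurityMiddleware missing: SECURE_* settings have no effect")
    if not settings.get("SECURE_SSL_REDIRECT", False):
        findings.append("SECURE_SSL_REDIRECT is off: plain-HTTP requests are served")
    if settings.get("SECURE_HSTS_SECONDS", 0) <= 0:
        findings.append("SECURE_HSTS_SECONDS is 0: no HSTS header is sent")
    for cookie in ("SESSION_COOKIE_SECURE", "CSRF_COOKIE_SECURE"):
        if not settings.get(cookie, False):
            findings.append(f"{cookie} is off: cookie can be sent over plain HTTP")
    return findings

def expected_hsts_header(settings: dict):
    """Strict-Transport-Security value SecurityMiddleware emits, or None if disabled."""
    max_age = settings.get("SECURE_HSTS_SECONDS", 0)
    if max_age <= 0 or SECURITY_MIDDLEWARE not in settings.get("MIDDLEWARE", []):
        return None
    value = f"max-age={max_age}"
    if settings.get("SECURE_HSTS_INCLUDE_SUBDOMAINS", False):
        value += "; includeSubDomains"
    if settings.get("SECURE_HSTS_PRELOAD", False):
        value += "; preload"
    return value
```

Running `audit_https_settings` against a real project's `django.conf.settings` works the same way, since `settings.get` only needs a mapping-like object (wrap it in `vars(settings._wrapped)` or build the dict yourself).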