
I Spent Two Minutes Testing Amazon’s API. It Was Enough.
There’s something oddly comforting about large tech companies. You assume that somewhere, deep in the labyrinth of their infrastructure, there are teams of very serious engineers making sure everything behaves exactly as it should. So when I decided to test one Amazon endpoint, I picked the most boring one I could find. Not payments. Not checkout. Not anything involving money. Just this:

PUT /custom/profilepickerserviceapicontracts/marketplaces/{id}/members/{memberId}

All it does is update a child profile name. You send "name": "Kids3", and life goes on. Or at least, that’s the theory.

I captured the real browser request, pasted it into Rentgen, pressed run, and went to make coffee. Two minutes later I had a certificate score: 16 out of 100. Sixteen.

Now, this wasn’t a penetration test. I didn’t try to break the system. I didn’t throw SQL injections at it. I didn’t spin up some exotic fuzzing setup. I just asked very boring questions. What happens if authentication is missing? Apparent
Continue reading on Dev.to
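The "boring questions" the post describes (what if authentication is missing, what if the memberId belongs to someone else, what if the name is garbage) are exactly the negative tests an API owner should keep as regression checks. The following is an added example, not code from the post and not Amazon's implementation: a small in-process model of the child-profile rename endpoint named above, written the way a defender would want it to behave, with those questions run against it. The accounts, member ids and bearer tokens are constructed sample data, and the handler itself is hypothetical.

```python
"""
Added example (not from the original post, not Amazon's code): a hypothetical
hardened handler for the profile-rename endpoint, plus the negative tests a
two-minute check asks of it. All state below is constructed sample data.
"""
from dataclasses import dataclass, field
import re

# Constructed sample state: which account owns which child profile, and
# which bearer token belongs to which account.
MEMBERS = {
    "member-111": {"owner": "acct-A", "name": "Kids"},
    "member-222": {"owner": "acct-B", "name": "Teen"},
}
TOKENS = {"tok-A": "acct-A", "tok-B": "acct-B"}

PATH_RE = re.compile(
    r"^/custom/profilepickerserviceapicontracts/marketplaces/"
    r"(?P<marketplace>[^/]+)/members/(?P<member>[^/]+)$"
)


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    json: dict = field(default_factory=dict)


def handle(req: Request) -> tuple[int, dict]:
    """Hypothetical handler: route, authenticate, authorize, validate, then act."""
    m = PATH_RE.match(req.path)
    if req.method != "PUT" or not m:
        return 404, {"error": "not found"}

    # 1. Authentication comes first: no token, wrong scheme or unknown token -> 401.
    auth = req.headers.get("Authorization", "")
    token = auth[len("Bearer "):].strip() if auth.startswith("Bearer ") else ""
    account = TOKENS.get(token)
    if account is None:
        return 401, {"error": "authentication required"}

    # 2. Authorization: the member in the URL must belong to the caller.
    #    Unknown and not-owned ids get the same 404 so they cannot be told apart.
    member = MEMBERS.get(m["member"])
    if member is None or member["owner"] != account:
        return 404, {"error": "not found"}

    # 3. Input validation: the new name is a short, non-empty string.
    name = req.json.get("name")
    if not isinstance(name, str) or not 1 <= len(name.strip()) <= 40:
        return 400, {"error": "invalid name"}

    member["name"] = name.strip()
    return 200, {"id": m["member"], "name": member["name"]}


# Constructed path for the sample member owned by acct-A.
MEMBER_PATH = (
    "/custom/profilepickerserviceapicontracts/marketplaces/mkt-1/members/member-111"
)


def boring_questions() -> dict[str, int]:
    """Run the negative tests and return the status code observed per case."""
    body = {"name": "Kids3"}
    cases = {
        "no_auth": Request("PUT", MEMBER_PATH, {}, body),
        "wrong_scheme": Request("PUT", MEMBER_PATH, {"Authorization": "Basic abc"}, body),
        "unknown_token": Request("PUT", MEMBER_PATH, {"Authorization": "Bearer tok-Z"}, body),
        "other_account": Request("PUT", MEMBER_PATH, {"Authorization": "Bearer tok-B"}, body),
        "empty_name": Request("PUT", MEMBER_PATH, {"Authorization": "Bearer tok-A"}, {"name": "  "}),
        "not_a_string": Request("PUT", MEMBER_PATH, {"Authorization": "Bearer tok-A"}, {"name": ["Kids3"]}),
        "legitimate": Request("PUT", MEMBER_PATH, {"Authorization": "Bearer tok-A"}, body),
    }
    return {label: handle(req)[0] for label, req in cases.items()}


if __name__ == "__main__":
    for label, status in boring_questions().items():
        print(f"{label:>14}: {status}")
```

The order of the checks inside the handler is the point: authentication is decided before the member id is even looked up, so an unauthenticated caller learns nothing about which ids exist, and an authenticated caller cannot rename a profile owned by another account. A handler that answers 200 to any of the first four cases is the kind of result the post's low score is pointing at.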


