Let’s say a security tester uses a proxy, say Fiddler, and records an HTTPS request using the administrator’s credentials– on replay of the entire request (including session and auth cookies) the security tester is able to succesfully (re)record transactions. The claim is that this is a sign of a CSRF vulnerability.
What would a malicious user have to do to intercept the HTTPS request and replay it? It this a task for script kiddies, well funded military hacking teams or time-traveling-alien technology? Is it really so easy to record the SSL sessions of users and replay them before the tickets expire?
No code in the application currently does anything interesting on HTTP GET, so AFAIK, tricking the admin into clicking a link or loading a image with a malicious URL isn’t an issue.
HTTPS is not replayable, the first server response in the handshake sequence includes a server-chosen random number.
What Fiddler does is act as a proxy, meaning it intercepts your browser’s requests, and then generates an identical request to the server, meaning it has access to the plaintext, which is what it will be replaying. Your browser lets you know this by telling you the certificate is from Fiddler – “DO_NOT_TRUST_FiddlerRoot”, which you have to agree to before it will send the message ignoring the certificate mismatch.