I Spent Two Minutes Testing Amazon’s API. It Was Enough.
Source: Dev.to
There’s something oddly comforting about large tech companies. You assume that somewhere, deep in the labyrinth of their infrastructure, there are teams of very serious engineers making sure everything behaves exactly as it should.
So when I decided to test one Amazon endpoint, I picked the most boring one I could find—not payments, not checkout, not anything involving money.
Endpoint under test
```http
PUT /custom/profilepickerserviceapicontracts/marketplaces/{id}/members/{memberId}
```
All it does is update a child profile name. You send "name": "Kids3", and life goes on. Or at least, that’s the theory.
Testing methodology
I captured the real browser request, pasted it into Rentgen, pressed run, and went to make coffee. Two minutes later I had a certificate score: 16 out of 100.
- This wasn’t a penetration test.
- I didn’t try to break the system with SQL injections or exotic fuzzing.
- I just asked very boring questions about how the API behaves under edge cases.
Findings
| Question | Response |
|---|---|
| Missing authentication | Returns 400 Bad Request with a generic “Sorry, we are experiencing issues right now.” (not the expected 401). |
| Unsupported HTTP method | Returns 403 Forbidden – as if the method exists but you’re not important enough to use it. |
| Upper-casing the path | Returns an HTML CloudFront “Website Temporarily Unavailable” page, even though the endpoint is a JSON API. |
| Sending a 10 MB payload | Instead of a clean 413 Payload Too Large, the request bubbles through the stack and ends up as a 404 Not Found. |
All of this from simply renaming a child profile.
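The four questions in the table, turned into a repeatable contract check you can point at your own JSON API (an added example, not Rentgen's code or the post's own). `send` is a stand-in for any HTTP client that returns `(status, content_type)`; `mock_send` is a constructed stand-in that answers the way the post observed, so the run works offline. The path, the `Authorization` header and the 503 on the HTML page are assumptions, since the post does not record them.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    check: str
    want: tuple    # acceptable status codes; an empty tuple means any status
    status: int
    ctype: str
    def ok(self) -> bool:
        # A JSON API must answer in JSON, and with the contract status where one is set.
        return self.ctype.startswith("application/json") and (not self.want or self.status in self.want)

def probe(send, path, auth, body):
    """send(method, path, headers, body) -> (status, content_type). Asks the four questions."""
    s, c = send("PUT", path, {}, body)                          # 1. no credentials -> 401
    out = [Finding("missing authentication", (401,), s, c)]
    s, c = send("TRACE", path, auth, body)                      # 2. method not offered -> 405
    out.append(Finding("unsupported HTTP method", (405,), s, c))
    s, c = send("PUT", path.upper(), auth, body)                # 3. odd path -> JSON error, not HTML
    out.append(Finding("upper-cased path", (), s, c))
    s, c = send("PUT", path, auth, b"x" * 10 * 1024 * 1024)     # 4. oversized body -> 413
    out.append(Finding("10 MB payload", (413,), s, c))
    return out

def score(findings):
    """Percent of questions answered the way the contract promises."""
    return round(100 * sum(f.ok() for f in findings) / len(findings))

def mock_send(method, path, headers, body):
    """Constructed stand-in reproducing the post's observations; the HTML page's
    status code is not in the post, so the 503 here is a constructed value."""
    if "Authorization" not in headers:
        return 400, "application/json"
    if method != "PUT":
        return 403, "application/json"
    if path != path.lower():
        return 503, "text/html"
    if len(body) > 1_000_000:
        return 404, "application/json"
    return 200, "application/json"

if __name__ == "__main__":
    findings = probe(mock_send, "/api/profiles/42", {"Authorization": "Bearer <token>"}, b'{"name":"Kids3"}')
    for f in findings:
        print("PASS" if f.ok() else "FAIL", f.check, f.status, f.ctype)
    print("score:", score(findings))  # 0 for this mock: every answer drifts from the contract
```

To run it against a real service, replace `mock_send` with a thin wrapper over your HTTP client that returns the status code and `Content-Type` of each response.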
Conclusion
This isn’t about “Amazon is broken.” It’s about what happens when systems grow faster than their contract discipline: status codes drift, edge layers leak, and validation happens too late. The scary part isn’t that these quirks exist—it’s how quickly they surface when you actually look.
Full breakdown:
Automation before automation. Find API bugs when you have no tests.