Software Integrity Blog


Is conventional penetration testing enough to secure eCommerce applications?

Can your customers trust you to process their transactions and safeguard their personal information? Can you be sure online sales follow the business rules you’ve put in place?

If you are like most eCommerce companies, you’ve been pushing the envelope to create applications that are increasingly easy to use, accessible from any device, and personalized to your customers’ favorite content and buying habits. Your customers can browse a seemingly limitless menu of products and place orders anywhere, anytime, with the swipe of a finger.

Unfortunately, those same advances have attracted new and more sophisticated threats. Online criminals are bolder and more creative than ever in exploiting eCommerce weaknesses to steal personal data and disrupt sales. Just one successful attack can wreak havoc on your reputation and cost you money and customers.

Conventional penetration testing, which focuses mainly on the generic vulnerability classes catalogued by OWASP and WASC such as SQL injection, XSS, and CSRF, often isn't enough for the rapidly evolving world of eCommerce. Those tests rarely exercise the business logic (pricing, coupons, refunds, payment gateway callbacks) where eCommerce-specific flaws live.

So, what can you do to protect your business?

Specialized penetration testing is tailored to eCommerce functional modules and can identify issues specific to eCommerce design, including mobile payments and integrations with third-party vendors and products. Let’s dig deeper.

4 types of eCommerce vulnerabilities you need to know

Four common categories of eCommerce-specific vulnerabilities, or business-logic “flaws,” are:

  • Order management
  • Coupon and reward management
  • Payment gateway integration
  • Content management system integration

Make sure your penetration tests consider the scenarios outlined below so you can assess the impact a breach would have on your business.

Order management flaws

Order management flaws are ways to misuse or abuse the order placement process so that the business rules behind pricing, inventory, and verification are not enforced. For example:

  • Price manipulation during order placement
  • Shipping address manipulation after order placement
  • Absence of mobile-number verification for cash-on-delivery orders
  • Keeping cashback or refund credit even after the order is canceled
  • Discounts not reversed after order cancellation
  • Using automation to hold (block) tickets or inventory illegitimately for a period of time, denying them to real buyers
  • Client-side validation bypass of the maximum seat limit on a single order
  • Bookings/reservations placed with fake information
  • Use of burner (disposable) phone numbers to pass verification

Coupon and reward management flaws

Coupon and reward logic combines many interacting rules (validity window, eligibility, stacking, cancellation), and the flaws it produces include:

  • Coupon redemption, even after order cancellation
  • Bypass of a coupon’s terms and conditions
  • Bypass of a coupon’s validity
  • Use of multiple coupons for the same transaction
  • Predictable coupon codes
  • Failure to recompute the coupon value after partial order cancellation
  • Use of coupons on products they were not issued for
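The coupon flaws listed above all come from rules that are enforced in the wrong place (or not at all). The following Python is an added example, not code from the original post or from any particular store, showing one server-side coupon engine that enforces the validity window, the terms (minimum order, eligible categories), no stacking, single redemption, unpredictable code generation, and recomputation of the discount after a partial cancellation. The catalogue, the sample coupons, and the rule that a basket which no longer meets the terms loses its discount are all assumptions made for the example.

```python
import secrets
from dataclasses import dataclass
from datetime import date

# Constructed catalogue: sku -> (price in cents, category). Assumed data for this example.
CATALOGUE = {
    "sku-tshirt": (1999, "apparel"),
    "sku-mug": (899, "homeware"),
}


@dataclass(frozen=True)
class Coupon:
    code: str
    percent_off: int
    valid_from: date
    valid_to: date
    min_order_cents: int      # terms and conditions: minimum basket value
    categories: frozenset     # product categories the coupon may be used with
    stackable: bool = False   # whether it may be combined with other coupons


# Constructed sample coupons and order date used by the tests.
TODAY = date(2024, 6, 1)
APPAREL10 = Coupon("SAVE-10A", 10, date(2024, 1, 1), date(2024, 12, 31), 1000, frozenset({"apparel"}))
EXPIRED = Coupon("OLD-5", 5, date(2023, 1, 1), date(2023, 12, 31), 0, frozenset({"apparel", "homeware"}))


def new_coupon_code(prefix: str = "SAVE") -> str:
    """Unpredictable codes: 40 random bits from the OS CSPRNG, never a counter or a date."""
    return f"{prefix}-{secrets.token_hex(5).upper()}"


def subtotal_cents(lines: dict) -> int:
    return sum(CATALOGUE[sku][0] * qty for sku, qty in lines.items())


def price_basket(lines: dict, coupons: list, order_date: date) -> tuple:
    """Return (subtotal, discount) in cents, enforcing every coupon term on the server:
    validity window, minimum order, eligible categories, one use per code, no stacking."""
    subtotal = subtotal_cents(lines)
    if len({c.code for c in coupons}) != len(coupons):
        raise ValueError("the same coupon was submitted twice")
    if len(coupons) > 1 and not all(c.stackable for c in coupons):
        raise ValueError("these coupons cannot be combined")
    discount = 0
    for c in coupons:
        if not (c.valid_from <= order_date <= c.valid_to):
            raise ValueError(f"{c.code} is outside its validity window")
        if subtotal < c.min_order_cents:
            raise ValueError(f"{c.code} needs a minimum order of {c.min_order_cents}")
        # only lines in the coupon's categories count toward the discount
        eligible = sum(CATALOGUE[sku][0] * qty for sku, qty in lines.items()
                       if CATALOGUE[sku][1] in c.categories)
        discount += eligible * c.percent_off // 100
    return subtotal, min(discount, subtotal)


def redeem(coupons: list, redeemed: set) -> None:
    """Record single-use coupons at order placement; a second redemption is refused."""
    for c in coupons:
        if c.code in redeemed:
            raise ValueError(f"{c.code} has already been redeemed")
    redeemed.update(c.code for c in coupons)


def refund_for_cancellation(lines: dict, cancelled: dict, coupons: list, order_date: date) -> int:
    """Partial (or full) cancellation: reprice what remains and refund the difference,
    instead of refunding the cancelled lines at their undiscounted price. Repricing uses
    the original order date so a coupon that expired after purchase still counts. If the
    remaining basket no longer meets the terms, the discount is withdrawn (assumed rule)."""
    old_sub, old_disc = price_basket(lines, coupons, order_date)
    if set(cancelled) - set(lines):
        raise ValueError("cannot cancel a line that is not on the order")
    remaining = {}
    for sku, qty in lines.items():
        left = qty - cancelled.get(sku, 0)
        if left < 0:
            raise ValueError(f"cannot cancel more {sku} than ordered")
        if left:
            remaining[sku] = left
    try:
        new_sub, new_disc = price_basket(remaining, coupons, order_date)
    except ValueError:
        new_sub, new_disc = subtotal_cents(remaining), 0
    return (old_sub - old_disc) - (new_sub - new_disc)
```

With the sample data, an order of two T-shirts and a mug is 4897 cents with a 399-cent apparel discount. Cancelling one T-shirt and refunding its list price (1999) would over-refund; repricing the remaining basket gives a 1799-cent refund because the discount on the remaining T-shirt is kept and the discount on the cancelled one is not.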

Payment gateway integration flaws

Some of the most popular attacks on eCommerce applications exploit insecure integration with third-party payment gateways, typically because the application trusts amounts or callback parameters that the shopper can alter in transit. Examples include:

  • Client-side price modification to zero or negative values
  • Client-side price modification to an arbitrary lower value
  • Manipulating the gateway callback (return) URL
  • Bypassing the third-party checksum or signature on gateway responses
  • Changing the price after the order is created but before the transaction is completed
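The price-manipulation items in the order management list and the gateway items above are two halves of one problem: the server must own the price, and it must check the gateway's answer against the price it stored. The following Python is an added example, not code from the original post or from any gateway's SDK, that puts a deliberately vulnerable total (trusting the browser's price field) beside a hardened one, then verifies a payment callback by checking an HMAC checksum in constant time and comparing the paid amount with the stored order total. The catalogue, the shared secret, the callback field names, and the HMAC-SHA256 over `order_id|amount|status` are assumptions for the example; real gateways each define their own canonical string and algorithm.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed catalogue: the server's authoritative prices in cents (assumed data).
CATALOGUE = {"sku-tshirt": 1999, "sku-mug": 899}

# Shared secret agreed with the (hypothetical) payment gateway.
GATEWAY_SECRET = b"example-shared-secret"


@dataclass
class Order:
    order_id: str
    total_cents: int
    paid: bool = False


def vulnerable_total(cart) -> int:
    """The flaw: trusts the unit price sent by the browser, so a shopper can submit
    a zero, negative or lowered price."""
    return sum(item["price"] * item["qty"] for item in cart)


def server_total(cart) -> int:
    """Hardened: any client-supplied price field is ignored; prices come only from the
    catalogue. Unknown SKUs and non-positive quantities are rejected, so the total can
    never be zero or negative."""
    total = 0
    for item in cart:
        sku, qty = item.get("sku"), item.get("qty")
        if sku not in CATALOGUE:
            raise ValueError(f"unknown sku {sku!r}")
        if not isinstance(qty, int) or isinstance(qty, bool) or qty <= 0:
            raise ValueError(f"bad quantity for {sku}")
        total += CATALOGUE[sku] * qty
    if total <= 0:
        raise ValueError("order total must be positive")
    return total


def place_order(orders: dict, order_id: str, cart) -> Order:
    """Price the cart server-side and store the total the gateway must collect."""
    order = Order(order_id, server_total(cart))
    orders[order_id] = order
    return order


def gateway_checksum(order_id: str, amount_cents: int, status: str) -> str:
    """Checksum over the callback fields (assumed format: HMAC-SHA256 of
    'order_id|amount|status')."""
    msg = f"{order_id}|{amount_cents}|{status}".encode()
    return hmac.new(GATEWAY_SECRET, msg, hashlib.sha256).hexdigest()


def handle_callback(orders: dict, params: dict) -> bool:
    """Accept a payment callback only if the checksum verifies AND the amount the gateway
    reports equals the total stored at order time. Returns True when the order is marked paid."""
    order = orders.get(params.get("order_id"))
    if order is None or order.paid:
        return False
    try:
        amount = int(params["amount"])
    except (KeyError, TypeError, ValueError):
        return False
    status = params.get("status", "")
    expected = gateway_checksum(order.order_id, amount, status)
    # constant-time comparison; a plain == leaks timing information about the checksum
    if not hmac.compare_digest(expected, str(params.get("checksum", ""))):
        return False
    # a valid checksum is not enough: the shopper may have paid a reduced amount
    if status != "SUCCESS" or amount != order.total_cents:
        return False
    order.paid = True
    return True


def fake_gateway_success(order_id: str, amount_cents: int) -> dict:
    """Builds the callback the (hypothetical) gateway would send after a successful charge."""
    return {"order_id": order_id, "amount": str(amount_cents), "status": "SUCCESS",
            "checksum": gateway_checksum(order_id, amount_cents, "SUCCESS")}
```

Two failure modes are worth testing separately during a pentest: a callback whose checksum was recomputed for a smaller amount (the shopper really paid less; only the stored-total comparison catches it) and a genuine callback replayed with the amount edited (only the checksum catches it). A callback handler that checks one but not the other is still exploitable.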

Content management system flaws

Most eCommerce applications have back-end content management systems to upload and update content. These systems are often integrated with those of resellers, content providers, and partners such as franchises or booking partners. More partners means more integration points and more complexity, so it's important to watch for the following red flags:

  • Flaws in transaction file management (for example, partner transaction files that are accepted without validation)
  • Role-based access control (RBAC) weaknesses, such as back-end roles that can reach functions beyond their intended scope
  • Flaws within the customer notification system
  • Misuse of rich-text editor functionality (content entered in a browser-based editor that is stored and rendered without sanitization)
  • Flaws in third-party application programming interfaces (APIs) used to create specialized web stores
  • Flaws in integration with point-of-sale (POS) devices

How do you know if you need eCommerce penetration testing?

Do you sell physical or digital items, handle money or payments, or store sensitive visitor information? Then you need eCommerce-specific penetration testing.

Your online business depends on the security of every step of the sales process. As eCommerce threats evolve and attackers become more sophisticated, even the most cutting-edge systems are vulnerable to attack.

Make sure your application testing team or any testing partner you use understands the importance of penetration testing in an eCommerce environment and can include ethical hacking scenarios that map to your business process.

Remember that finding the issues is only the first step. Once your penetration tests identify the flaws, it's time to put together a plan for secure design so you and your customers can fully trust your eCommerce applications.

Protect your customer relationships and bottom line.
