Software Integrity Blog


Is conventional penetration testing enough to secure e-commerce applications?

To secure e-commerce applications, you need more than conventional penetration testing. Learn how to secure your retail apps against the most common threats.

Can your customers trust you to process their transactions and safeguard their personal information? Can you be sure online sales follow the business rules you’ve put in place?

If you are like most e-commerce companies, you’ve been pushing the envelope to create applications that are increasingly easy to use, accessible from any device, and personalized to your customers’ favorite content and buying habits. Your customers can browse a seemingly limitless menu of products and place orders anywhere, anytime, with the swipe of a finger.

Unfortunately, advances in e-commerce have also attracted a wave of new security threats. Online criminals are bolder and more creative than ever in how they exploit e-commerce weaknesses, steal personal data, and disrupt sales. Just one successful attack can wreak havoc on your reputation and cost you money and customers.

Conventional penetration testing—which focuses mainly on OWASP or WASC standards such as SQL injection, XSS, and CSRF—often isn’t enough to secure e-commerce applications in the rapidly evolving threat environment.

So what can you do to protect your business?

Specialized penetration testing is tailored to e-commerce functional modules and can identify issues specific to e-commerce design, including mobile payments and integrations with third-party vendors and products. Let’s dig deeper.

4 types of e-commerce vulnerabilities

Four common categories of vulnerabilities or “flaws” related to e-commerce are:

  • Order management
  • Coupon and reward management
  • Payment gateway integration
  • Content management system integration

Make sure your penetration tests consider the scenarios outlined below so you can assess the impact a breach would have on your business.

Order management flaws

Order management flaws consist of misuse and abuse of the order placement process. For example:

  • Price manipulation during order placement
  • Shipping address manipulation after order placement
  • Absence of mobile verification for cash-on-delivery orders
  • Getting cash back/refunds even when the order is canceled
  • Non-deduction of discounts, even after order cancellation
  • Using automation techniques to perform illegitimate ticket blocking for a certain period of time
  • Client-side validation bypass for maximum seat limit on a single order
  • Bookings/reservations using fake information
  • Usage of burner (disposable) phones for verification

Coupon and reward management flaws

Coupon and reward management flaws are extremely complex in nature and include:

  • Coupon redemption, even after order cancellation
  • Bypass of a coupon’s terms and conditions
  • Bypass of a coupon’s validity
  • Use of multiple coupons for the same transaction
  • Predictable coupon codes
  • Failure to recompute the coupon value after partial order cancellation
  • Illegitimate use of coupons with other products

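The coupon flaws above all come down to the server trusting the client's view of a coupon. The following is an added example, not code from the blog or from any product it describes: a small server-side coupon engine whose checks correspond one-to-one with the list (validity window, terms and conditions, one coupon per transaction, single use per customer, eligible products only, and recomputation of the discount after a partial cancellation). All coupons, products and prices are constructed for illustration.

```python
"""Server-side coupon validation (added example; constructed data throughout)."""
from dataclasses import dataclass, field
from datetime import date
from decimal import Decimal, ROUND_HALF_UP


@dataclass(frozen=True)
class Coupon:
    code: str
    percent_off: Decimal          # Decimal("20") means 20 % off eligible lines
    valid_from: date
    valid_to: date
    eligible_skus: frozenset      # products the coupon may be applied to
    min_subtotal: Decimal         # terms and conditions: minimum eligible spend
    single_use: bool = True       # one redemption per customer


@dataclass
class Order:
    order_id: str
    lines: dict = field(default_factory=dict)     # sku -> (unit_price, qty)
    coupons: list = field(default_factory=list)   # codes applied so far
    cancelled_skus: set = field(default_factory=set)


# Constructed coupon catalogue; a real engine would load this from a database.
COUPONS = {
    "SAVE20": Coupon("SAVE20", Decimal("20"), date(2024, 1, 1), date(2024, 12, 31),
                     frozenset({"BOOK-1", "BOOK-2"}), Decimal("50")),
}
# Constructed redemption ledger: code -> set of customer ids that already used it.
REDEEMED = {}
TODAY = date(2024, 6, 1)   # fixed "today" so the example is deterministic


def make_sample_order() -> Order:
    """Constructed cart: two eligible book lines and one ineligible pen line."""
    return Order("o-1001", {
        "BOOK-1": (Decimal("30.00"), 2),
        "BOOK-2": (Decimal("10.00"), 1),
        "PEN-1": (Decimal("5.00"), 3),
    })


def eligible_subtotal(order: Order, coupon: Coupon) -> Decimal:
    """Sum only lines the coupon applies to, ignoring cancelled lines."""
    return sum((price * qty for sku, (price, qty) in order.lines.items()
                if sku in coupon.eligible_skus and sku not in order.cancelled_skus),
               Decimal("0"))


def validate_coupon(code: str, order: Order, customer_id: str, today: date) -> Coupon:
    """Every rule is enforced here, on the server, regardless of what the client sent."""
    coupon = COUPONS.get(code)
    if coupon is None:
        raise ValueError("unknown coupon")
    if not (coupon.valid_from <= today <= coupon.valid_to):
        raise ValueError("coupon outside its validity window")
    if order.coupons:
        raise ValueError("only one coupon per transaction")
    if coupon.single_use and customer_id in REDEEMED.get(code, set()):
        raise ValueError("coupon already redeemed by this customer")
    if eligible_subtotal(order, coupon) < coupon.min_subtotal:
        raise ValueError("order does not meet the coupon's terms")
    return coupon


def discount_for(order: Order, coupon: Coupon) -> Decimal:
    """Recompute from the current lines, so a partial cancellation shrinks or voids the discount."""
    base = eligible_subtotal(order, coupon)
    if base < coupon.min_subtotal:
        return Decimal("0")   # terms no longer met after the cancellation
    return (base * coupon.percent_off / 100).quantize(Decimal("0.01"), ROUND_HALF_UP)


def mark_redeemed(order: Order, customer_id: str) -> None:
    """Record the redemption when the order is confirmed, closing the single-use gap."""
    for code in order.coupons:
        REDEEMED.setdefault(code, set()).add(customer_id)
```

The design point is that the discount is never stored as a fixed number on the order; it is a function of the order's current lines, so cancelling part of the order automatically recomputes it, and the ledger in REDEEMED is written only when the order is actually confirmed.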
Payment gateway integration flaws

Some of the most popular attacks on e-commerce applications exploit insecure integration with third-party payment gateways. Examples include:

  • Price modification on the client side with zero or negative values
  • Price modification on the client side with varying price values
  • Manipulating the contact URL
  • Bypassing the third-party checksum
  • Changing the price before the transaction is completed

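The payment gateway flaws above, together with the price manipulation and client-side limit bypasses listed under order management, share one root cause: the store accepts an amount or a limit from the browser instead of computing it itself. The following is an added example, not code from the blog or from any gateway it alludes to. It recomputes the total from the server's own catalogue, rejects zero, negative or mismatched client totals and over-limit quantities, and accepts a gateway callback only if its checksum verifies and the paid amount and status match the order the server recorded. The signing scheme (HMAC-SHA256 over "order_id|amount|currency|status"), the shared secret, the catalogue and the order ids are all assumptions made for illustration; a real gateway publishes its own checksum format.

```python
"""Server-side total and payment-callback verification (added example; constructed data)."""
import hashlib
import hmac
from decimal import Decimal, InvalidOperation

# Constructed catalogue: price is looked up here, never read from the request.
CATALOG = {"BOOK-1": Decimal("30.00"), "PEN-1": Decimal("5.00")}
MAX_QTY_PER_LINE = 10            # server-side copy of the per-order limit
CURRENCY = "USD"
# Assumption: the gateway secret would come from a vault in production.
GATEWAY_SECRET = b"constructed-shared-secret"

ORDERS = {}   # order_id -> {"total": Decimal, "status": "PENDING" | "PAID"}


def compute_total(cart: dict) -> Decimal:
    """cart maps sku -> qty. Unknown skus, bad quantities and over-limit lines are rejected."""
    total = Decimal("0")
    for sku, qty in cart.items():
        if sku not in CATALOG:
            raise ValueError(f"unknown sku {sku}")
        if not isinstance(qty, int) or qty <= 0 or qty > MAX_QTY_PER_LINE:
            raise ValueError("quantity must be between 1 and the per-line limit")
        total += CATALOG[sku] * qty
    return total


def create_order(order_id: str, cart: dict, client_claimed_total: str) -> Decimal:
    """The client's total is compared with the server's; any disagreement is rejected."""
    try:
        claimed = Decimal(client_claimed_total)
    except InvalidOperation:
        raise ValueError("malformed total")
    total = compute_total(cart)
    if total <= 0 or claimed != total:
        raise ValueError("client total does not match server-computed total")
    ORDERS[order_id] = {"total": total, "status": "PENDING"}
    return total


def sign(order_id: str, amount: str, currency: str, status: str) -> str:
    """Assumed checksum format; both sides of the integration must agree on it."""
    msg = f"{order_id}|{amount}|{currency}|{status}".encode()
    return hmac.new(GATEWAY_SECRET, msg, hashlib.sha256).hexdigest()


def handle_gateway_callback(params: dict) -> bool:
    """Return True only if the callback is authentic and settles the expected order."""
    try:
        expected = sign(params["order_id"], params["amount"], params["currency"], params["status"])
    except KeyError:
        return False
    # Constant-time comparison so the checksum check does not leak timing information.
    if not hmac.compare_digest(expected, params.get("checksum", "")):
        return False
    order = ORDERS.get(params["order_id"])
    if order is None or order["status"] != "PENDING":
        return False   # unknown order, or a replay of an already-settled one
    # The amount and currency the gateway reports must equal what the server recorded,
    # so a price changed between checkout and payment cannot settle the order.
    if Decimal(params["amount"]) != order["total"] or params["currency"] != CURRENCY:
        return False
    if params["status"] != "SUCCESS":
        return False
    order["status"] = "PAID"
    return True
```

Two checks matter most in practice: the callback's amount is compared against the server's stored total rather than trusted because the checksum verified (a valid signature over the wrong amount still settles nothing), and an order that has already left the PENDING state is refused, which also rejects replayed callbacks.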
Content management system flaws

Most e-commerce applications have back-end content management systems to upload and update content. These systems are often integrated with those of resellers, content providers, and partners such as franchises or booking partners. Having more partners leads to more complexity, so it’s important to watch for the following red flags:

  • Flaws in transaction file management
  • Unusual activities involving role-based access control (RBAC), which regulates access to computer or network resources
  • Flaws within the customer notification system
  • Misuse of rich-text editor functionalities (which edit text within web browsers)
  • Flaws in third-party application program interfaces (APIs), which are used to create specialized web stores
  • Flaws in integration with point-of-sale (POS) devices

How to know if you need e-commerce penetration testing

Do you sell physical or digital items, handle money or payments, or store sensitive visitor information? Then you need e-commerce-specific penetration testing.

Your online business depends on secure management. As e-commerce threats evolve and hackers become even more savvy, even the most cutting-edge systems are vulnerable to attack.

Make sure your application testing team or any testing partner you use understands the importance of penetration testing in an e-commerce environment and can include ethical hacking scenarios that map to your business process.

Remember that finding the issues is only the first step in defending against hackers. Once your penetration tests identify the flaws, it’s time to put together a plan for secure design so you—and your customers—can fully trust in your secure e-commerce applications.
