Upload
we-secure-app
View
67
Download
0
Embed Size (px)
Citation preview
www.wesecureapp.com
HIDDEN THREATS IN E-COMMERCE APPLICATIONS
www.wesecureapp.com
HIDDEN THREATS IN E-COMMERCE APPLICATIONS
WHY A CONVENTIONAL APPLICATION PENETRATION TESTING IS
NOT ENOUGH FOR E-COMMERCE APPLICATIONS?
-Commerce applications are growing in complexity, as a result conventional application
penetration is simply not enough. Conventional application penetration testing focus on
vulnerability classes described in OWASP or WASC standards like SQL Injection, CSRF etc.
It is required to create specialized penetration testing framework tailored towards E-Commerce
applications that should have following features:
1. Comprehensive Business Logic Vulnerabilities for various functional modules related to
E - Commerce Applications.
2. Comprehensive flaws related to various Integrations with various 3rd party products
HERE ARE SOME STATS ABOUT WEB ATTACKS
E
1% ATM
4% DATA CENTERS/CORPORATE INFRASTRUCTURE
47% POINT OF SALE/PAYMENT PROCESSING
48% E-COMMERCE/WEBSITE
TOP TARGET ASSETS
www.wesecureapp.com
HIDDEN THREATS IN E-COMMERCE APPLICATIONS
Thorough Understanding of the Business
Zero False Positives
Domain Expertise
Customer-Centric Approach
Thought Leadership
Embracing Latest Technological Trends
Why
WSA?
Some of the vulnerability classes covered as part of our E-commerce Web Application oriented
Penetration Testing are listed below
Order Management Flaws
Coupon and Reward Management Flaws
Payment Gateway Integration (PG) Flaws
Content Management System (CMS) Flaws
Conventional Vulnerabilities
Note: All the above mentioned categories are classified under Business Logical Vulnerabilities
(except Conventional Vulnerabilities).
ORDER MANAGEMENT FLAWS
Order management flaws primarily consists of misusing placing an order functionality. The exact
vulnerabilities will depend on the kind of application, however some examples are listed below:
Possibility of manipulating the shipping address after order placement.
Absence of Mobile Verification for Cash-on-Delivery orders.
Obtaining cash-back/refunds even after order cancellation.
Non deduction of discounts offered even after order cancellation.
Possibility of illegitimate ticket blocking for certain time using automation techniques.
Client side validation bypass for max seat limit on a single order.
Bookings/Reservations using fake a/c info.
Usage of Burner (Disposable) phones for verification.
www.wesecureapp.com
HIDDEN THREATS IN E-COMMERCE APPLICATIONS
COUPON AND REWARD MANAGEMENT FLAWS
Coupons and Reward management flaws are extremely complex in nature. Some examples are
listed below:
Coupon Redemption possibility even after order cancellation.
Bypass of coupon’s terms & conditions.
Bypass of coupon’s validity.
Usage of multiple coupons for the same transaction.
Predictable Coupon codes.
Bypass of coupon’s validity date.
Illegitimate usage of coupons with other products.
Failure of re-computation in coupon value after partial order cancellation.
PAYMENT GATEWAY INTEGRATION (PG) FLAWS
Many of the classical attacks on E-Commerce applications are because of Payment gateway
integrations. Buying a pizza for 1$ is a classic example of misusing PG integration by an attacker.
Price modification at client side with zero or negative values.
Price modification at client side with varying price values.
Call back URL manipulation.
Checksum bypass.
Possibility of price manipulation at Run Time.
CONTENT MANAGEMENT SYSTEM (CMS) FLAWS
Most E-Commerce applications have backend content management system to upload / update
content. In most cases, CMS will be integrated with resellers, content providers and partners. For
example, hotel E-Commerce application will be integrated with individuals’ hotels or with multiple
partners. As a result of increased complexity, there are multiple sub vulnerability classes that need
to testes, some of them are listed
File management logical flaws
RBAC Flaws
Notification System Flaws
Misusing Rich Editor Functionalities
3rd Party APIs Flaws
Flaws in Integration with PoS (Point of Sales Devices)
www.wesecureapp.com
HIDDEN THREATS IN E-COMMERCE APPLICATIONS
CONVENTIONAL VULNERABILITIES
Apart from business logic vulnerabilities, conventional vulnerabilities are also part of our
penetration testing framework.
Examples of conventional vulnerabilities are SQL Injection, Cross Site Scripting (XSS), CSRF and
other vulnerabilities defined as part of OWASP.
About Us WeSecureApp is a niche cyber security company, established by a group of highly motivated
technologists. We offer unparalleled
Security Consulting
Compliance Management
Penetration Testing Services
Auditing
Ou
r S
erv
ice
s Web Application Penetration Testing
PCI DSS Compliance
Cloud Application Testing
Firewall Auditing
Mobile Application Testing
Code Auditing
VoIP Penetration Testing
OAUTH/API Testing
Website Malware Removal
Social Engineering
Fuelled by a passion to offer excellent solutions, quickly and efficiently, WeSecureApp was
conceptualized and founded to identify and cure the pain points of the customers in the field of
Security Testing.
With over 40 years of combined experience in the field of internet security, we are a dedicated group
of certified security personnel offering high-class consulting, auditing and testing in various
domains and industry segments.
Babu Khan Rasheed Plaza
Road No #36, Jubilee Hills
Hyd, TS, IND, 500033
11239 Grapevine Ln
Frisco, Texas
USA, 75035