How to pentest e-commerce website
Setting up an E-commerce system is a complex process. It is necessary to be protected and customer privacy at the top of your agenda as a Retailer. To maintain the integrity of the E-commerce system, Penetration Testing becomes compulsory.
Penetration Testing or Ethical Hacking is a necessary step in ensuring that ecommerce site is not accessible to the hackers. The Ethical Hackers intention is to find security weakness, They attack on server and find the loop holes. After the penetration testing, they make a report to enlist all the weakness in Application. This report helps to make Application completely secure and keep web assets safe.
The objective of pentesting is to ensure
- Software reliability
- Software quality
- System Assurance
- Optimum performance and capacity utilization
In essence, this article also includes many of the vulnerabilities that may help to understand the motivation and techniques that real attackers are actually using.
Why would someone attack an e-commerce site?
- Steal Credit Cards
- Purchase Things Cheaply
- Cause Reputational Damage of competitor
- Steal Personal Details for financial gain
- Discover Sensitive Information
Security Flaws in an e-commerce site
Here we have discussed about ecommerce application and some flaws which are possible to attack on ecommerce application.
E-Commerce Application Architecture
- Flaw related to Order Management
- manipulation of price during order placement.
- manipulating of the shipping address
- Getting refunds even after order has been cancelled .
- Even after cancellation of the order the discounts offered on that product wouldn’t deduct
- Bypass for max seat limit on a single order if it is Client side validation .
- Ticket Bookings using fake account info.
- Flaws related to Coupon and Reward Management
- Coupon Redemption possibility even after order cancellation.
- Able to bypass of coupon’s terms & conditions and validity.
- Usage of multiple coupons for the same transaction.
- Predictable Coupon codes.
- Failure of re-computation in coupon value after partial order cancellation.
- Bypass of coupon’s validity date.
- Illegitimate usage of coupons with other products.
- Payment Gateway Integration (PG) Flaws
- Many of the classical attacks on E-Commerce applications are because of Payment gateway integrations.
- Flaws related to Content Management System (CMS)
- Almost E-Commerce applications have content management system in backend which is responsible to upload or update content. CMS has to be integrated with Resellers, Content Providers and Partners. Makemytrip can be taken as example of E-Commerce application which is integrated with individual hotels or with multiple partners. As a result complexity is increased , there for multiple sub vulnerability also need to test, some of them are :
- Logical flaws of file management
- System Notification flaw
- 3rd Party APIs Flaws
- When integrate PoS (Point of Sales Devices) also have some flaws
How hackers typically hack into e-commerce websites?
By using vulnerabilities like SQL injection, CSRF and XSS hacker can compromise account or even server can get compromised in the worst cases. Hacker is able to change the http request generated on his computer before transferring to the server. He can change price of the things and able to generate new package as explained in below image.
They use SQL injection to steal credit card, crafting input to an application with the intention to break a SQL clause at server side executed code, manipulate the statement sent to the back end database.
Distributed denial of service (DDoS) attack is a serious threat to e-commerce business which can take the entire business temporarily offline.
They also use Cross Site Request Forgery, Sensitive Information Disclosure, Session Related Flaws, Weak Authorization Controls
Why those loopholes are easy to crack?
Let me share some of the encountered vulnerabilities which are easy to exploit.
- Ecommerce Applications might have weak passwords which are easy to guess.
- They might not have a Web Application Firewall.
- They might not have SSL certificate data can be read during Transport .
- If it has any system alert for suspicious activity which has not been tested.
- They might have vulnerable code that allows SQL injection
- If the company store your sensitive information in the database, especially without being encrypted then the data can be read from database .
- It may be possible to use stored credit cards if unauthorised access can be gained to an account.
so the vulnerability can exist anywhere on the site, It doesn’t need to be on the actual payment page.
Key points to look for, while Pentesting an e-commerce website
Have mentioned some of the important things which needs to be checked while Pentesting an e-commerce Application.
- Browser compatibility
- Session Management
- Shopping order processing and purchasing
- System Integration
- Login and Security
- Secure encryption should be used in transmission channel as well as in database
- Strong password policy
- There should be an intrusion detection system (IDS) & intrusion prevention system (IPS) in place
- Perform regular vulnerability scans.
- Implement a DDoS detection and mitigation service
- Use a fraud management service
- Transaction Integrity
- Session expiration & Session storage
- Layered Security approach
Pentesting CMS based e-commerce website (wordpress)
We already discussed flaws in CMS Application, Pentesting CMS is difficult, As in CMS the back-end codes are mostly pre-defined as CMS nature and behaviour, Everybody can download the CMS package and create their own website or blog in seconds without having knowledge of coding and extra skills. Our first approach should concentrate on version of the CMS and the installed plug-in. If the version is older then present and if it was vulnerable by some kind of vulnerabilities which can help you out to get some meal.
While Pentesting WordPress, below information needs to be kept in mind.
Default files: “readme.html”, “license.txt” Configuration file location: [testingsite.com]/wp-config.php Administrator login location: [testingsite.com]/wp-login.php Plugin location: [testingsite.com]/wp-content/plugins
Challenges of E-commerce PenTesting
- Observance with security guidelines to safeguard customer data and identity
- Observance with accessibility standards to support multi-lingual markets and business regions
- End to end testing for large e-commerce transformation programs
- Scalability, reliability and quality of applications
An attacker could obtain credit card details, credentials and other sensitive information by exploiting a number of vulnerabilities. They are all common, despite the security features of modern application frameworks. A good application penetration tester should uncover most of these issues.