Ecommerce business has grown in terms of numbers as well as complexity over the past decade. At present, ecommerce applications are becoming more mobile friendly, more personalized, and rich in functionality. In order to make content searching for user more personalized, complicated algorithms are constantly running at the back end of ecommerce site.
With increasing complexity in ecommerce application, a conventional application penetration testing is not enough. Because, the conventional application penetration testing generally focus on vulnerability classes described in WASC or OWASP standards such as XSS, SQL Injection, CSRF etc. It is required to use the specialized penetration testing framework that is customized towards these complex ecommerce applications.
For effective result, the specialized penetration testing framework should cover comprehensive business logic vulnerabilities for various functional modules related to the complex ecommerce applications. It should also cover comprehensive flaws that are related to the various integrations with various third party products. Some of the flaws that should be covered as part of ecommerce penetration testing are listed below:
- Flaws Related to Reward and Coupon Management
Flaw related to reward and coupon management is extremely complex in nature. Some examples are as follows:
- Bypass the terms and conditions of coupons
- Coupon redemption possibility even after order cancellation
- Bypass the validity of coupons
- Multiple coupons usage for the same transaction
- Predictable codes of coupons
- Re-computation failure in coupon value after the partial order cancellation
- Bypass the validity date of coupons
- Illicit usage of the coupons with other products
- Flaws Related to Order Management
Flaws related to order management consist of misusing ‘placing the order’ functionality. The exact vulnerabilities depend on the type of application, however some examples related to this are as follows:
- Price manipulation possibility during the order placement
- After order placement, possibility of manipulating the shipping address
- Absence of mobile verification for the cash-on-delivery orders
- Obtaining refunds/cash-back even after the order cancellation
- Non deduction of discounts even after cancellation of order
- Possibility of illegitimate ticket blocking for certain time using automation techniques
- Client side validation bypass for max seat limit on a single order
- Usage of burner (disposable) phones for verification
- Reservations/bookings using fake A/c info
- Flaws Related to Payment Gateway Integration (PG)
Many classical attacks on ecommerce applications happen due to payment gateway integrations. Some example related to this flaw is as follows:
- Modification of price at client side with varying price values
- Modification of price at client side with zero or negative values
- Checksum bypass
- Call back URL manipulation
- Possibility of price manipulation at Run Time
- Flaws Related to Ecommerce Content Management System (CMS)
Almost every application of ecommerce has backend content management system (CMS) in order to update/upload content. In maximum cases, this CMS will be integrated with the content providers, resellers, and partners. Due to increased complexity, there are some multiple subvulner abilities that need to tested, some of these are given below:
- RBAC Flaws
- File management logical flaws
- Notification System Flaws
- Flaws in Integration with PoS (Point of Sales Devices)
- Misusing Rich Editor Functionalities
- 3rd Party APIs Flaws
Apart from these flaws, ecommerce companies should also focus on securing their mobile apps. Now these days, almost every ecommerce website has their mobile app and maximum customers are using these apps for shopping. Therefore, mobile security testing is also an important area that needs to be focused. There are various security companies that are providing special penetration testing services. Ecommerce companies should take help from these companies to make their entire process secure and smooth.
Author Bio –Neha is an info-sec expert, serving the industry since more than half a decade. She has been working with an information security company in India. Neha is an expertise in penetration testing services and like to share her testing experience with the world through articles and blogs.