There are a number of reasons why security vulnerabilities arise in shopping cart and online payment systems, and these vulnerabilities multiply as advanced functionality is added to e-commerce systems on a daily basis.
One of the main reasons for such vulnerabilities is that web application developers are often not well versed in secure programming techniques. Developers working on a project concentrate on meeting the given deadlines and plan to implement security later. No security model is put in place before the project starts, and this is the main cause.
A website loses its value, however good its look and feel and however rich its modules, if proper protection against vulnerabilities is not implemented. Another reason why security vulnerabilities appear is the inherent complexity of most online systems.
Nowadays, users place very demanding requirements on their e-commerce providers, and this calls for complex designs and programming logic. Below are some of the security vulnerabilities that have been discovered in shopping cart and online payment systems.
SQL Injection
SQL injection refers to the insertion of SQL meta-characters into user input so that the attacker's queries are executed by the back-end database. Attackers first determine whether a site is vulnerable to such an attack by sending in the single-quote (') character. The results of an SQL injection attack on a vulnerable site range from a detailed error message that discloses the back-end technology in use, to access to restricted areas of the site because the query has been manipulated into an always-true Boolean condition, to the execution of operating system commands.
SQL injection varies from database to database. On Oracle, for example, it is done using the UNION keyword and is much more difficult than on MS SQL Server, where multiple queries can be executed by separating them with a semi-colon.
In its default configuration, MS SQL Server runs with Local System privileges and has the 'xp_cmdshell' extended procedure, which allows execution of operating system commands.
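The following is an added example, not code from the original article: a login query built by string concatenation beside the same query written with bound parameters, using Python's standard sqlite3 module and a constructed in-memory user table. The single-quote probe described above produces a database error only against the concatenated version, and an always-true condition matches every row only there; the parameterised version treats the same input as a literal username and matches nothing.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table for the demonstration (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "s3cret"), (2, "bob", "hunter2")])
    return conn


def login_vulnerable(conn, username, password):
    # BAD: the query text is assembled from the input, so quote characters in
    # the input become part of the SQL and can change the query's structure.
    sql = ("SELECT id FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username, password):
    # GOOD: a parameterised query. The driver sends the values separately from
    # the SQL text, so they are always data and never syntax.
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def probe_single_quote(login):
    """Reproduce the single-quote test from the text: True if the login
    function raises a database error when the username is a lone quote."""
    conn = make_db()
    try:
        login(conn, "'", "x")
    except sqlite3.Error:
        return True
    return False


if __name__ == "__main__":
    always_true = "' OR '1'='1"
    print("vulnerable:", login_vulnerable(make_db(), always_true, always_true))
    print("safe:", login_safe(make_db(), always_true, always_true))
    print("quote probe, vulnerable:", probe_single_quote(login_vulnerable))
    print("quote probe, safe:", probe_single_quote(login_safe))
```

The detailed error message the text mentions is what `probe_single_quote` observes: a single quote breaks the concatenated query, and a server that returns the driver's exception text to the browser is telling the client which database it runs. Returning a generic error and logging the exception server-side closes that disclosure; only parameterised queries close the injection itself.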
Manipulating price at Run Time
This is one of the most unusual vulnerabilities seen in online shopping carts and payment gateways. Here the total payable price of the purchased goods is stored in a hidden HTML field of a dynamically generated web page.
An attacker can use a web application proxy such as Achilles to modify the amount payable while this information flows from the user's browser to the web server. The final payable price can thus be set to a value of the attacker's choice.
This information is eventually sent to the payment gateway with which the online merchant has partnered. If the number of transactions is very high, the price manipulation may go completely unnoticed. Repeated attacks of this nature could drive the website's users away.
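As an added example (not the article's code), the checkout handler below shows the server-side fix for the hidden-field problem: the amount passed to the payment gateway is recomputed from the server's own catalogue and the ordered quantities, and the value the browser sends back is used only to detect tampering. The catalogue, SKUs and form layout are constructed for the demonstration.

```python
from decimal import Decimal

# Constructed server-side catalogue: the only source of truth for prices.
CATALOG = {
    "SKU-100": Decimal("49.99"),
    "SKU-200": Decimal("15.00"),
}


def server_total(items):
    """Compute the payable amount from the catalogue and quantities alone.
    `items` is a list of (sku, quantity) pairs taken from the order."""
    total = Decimal("0")
    for sku, qty in items:
        if sku not in CATALOG:
            raise ValueError("unknown SKU %r" % sku)
        if not isinstance(qty, int) or qty <= 0:
            raise ValueError("invalid quantity %r for %s" % (qty, sku))
        total += CATALOG[sku] * qty
    return total


def checkout(form):
    """Handle a checkout request. `form` mimics the POSTed fields, including
    the hidden 'total' field that the browser sends back to the server."""
    items = [(sku, int(qty)) for sku, qty in form["items"]]
    expected = server_total(items)
    claimed = Decimal(form.get("total", "0"))
    if claimed != expected:
        # Detection: a mismatch means the hidden field was altered in transit
        # (or the page is stale). Reject and record it; never charge `claimed`.
        return {"status": "rejected", "reason": "total mismatch",
                "claimed": str(claimed), "expected": str(expected)}
    # Only the server-computed amount is ever forwarded to the gateway.
    return {"status": "ok", "charge": str(expected)}


if __name__ == "__main__":
    order = {"items": [("SKU-100", 1), ("SKU-200", 2)], "total": "79.99"}
    print(checkout(order))
    order["total"] = "1.00"          # constructed tampered submission
    print(checkout(order))
```

Counting the rejected checkouts per account and per day is a simple signal for the high-volume situation the text describes, where a manipulated total would otherwise be lost among legitimate transactions. The same rule applies to unit prices, discount codes and currency fields: anything the browser echoes back is an input, not a fact.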
Cross-site scripting
The Cross-site Scripting (XSS) attack is targeted against the end user and leverages two factors: (1) the lack of input and output validation by the web application, and (2) the trust placed by the end user in a URL that carries the vulnerable website's name. The XSS attack requires a web form that takes in user input, processes it, and prints the results on a web page that also contains the user's original input. It is most commonly found in 'search' features, where the search logic prints the results along with a line such as 'Results for user_supplied_input'.
If JavaScript is submitted along with the search terms, the results page will contain the search results together with the output of that JavaScript, which no website should allow.
In another scenario, JavaScript can redirect the user to a site that looks like the original website and asks the user to enter sensitive information such as authentication details for that website, a credit card number or a social security number; this must not be allowed to happen in a real system.
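The search results page from the text, rendered two ways, as an added example that is not part of the original article: the first function reflects the query and the result rows into the HTML unchanged, the second HTML-encodes every untrusted value with Python's html.escape before it enters the page. The page layout and the sample query are constructed for the demonstration.

```python
import html


def render_results_unsafe(query, results):
    # BAD: the raw query and raw result strings are spliced into the markup,
    # so '<', '>' and quotes in them are interpreted as HTML.
    items = "".join("<li>%s</li>" % r for r in results)
    return "<p>Results for %s</p><ul>%s</ul>" % (query, items)


def render_results_safe(query, results):
    # GOOD: encode every untrusted value for the HTML body context. The result
    # rows are encoded too, since data read back from the database may have been
    # submitted by another user (the stored form of the same problem).
    items = "".join("<li>%s</li>" % html.escape(r) for r in results)
    return "<p>Results for %s</p><ul>%s</ul>" % (html.escape(query), items)


def contains_script_element(page):
    """Crude check used only to show the difference between the two renderers:
    does the page text contain an unescaped <script> element?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    q = "<script>document.location='http://example.invalid/'</script>"  # constructed
    print(render_results_unsafe(q, ["widget"]))
    print(render_results_safe(q, ["widget"]))
```

Encoding is context-specific: html.escape is correct inside element content and, with its default quote=True, inside a double-quoted attribute, but a value placed inside a script block or a URL needs the encoding for that context. A template engine with auto-escaping on by default removes the need to remember this on every page.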
Weak Authentication and Authorization
Since HTTP is a stateless protocol, web applications commonly maintain state using session IDs or transaction IDs stored in a cookie on the user's system. The session ID is thus the only way the web application can determine the online identity of the user.
If the session ID is stolen (say, through XSS) or can be predicted, an attacker can take over a genuine user's online identity. Hence the session ID must be protected by generating it with a suitable algorithm.
The other cause is weak passwords, which can be broken very easily. When offering a password option to the user we need a password policy: for example, passwords must contain at least one capital letter and one numeral, and password length should be 4 – 10 characters. Such policies strengthen user passwords.
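An added example covering both points of this section (it is not code from the article): session IDs drawn from the operating system's cryptographic random source via Python's secrets module, compared in constant time, beside a checker for the password policy the text gives as its example. The policy numbers are taken from the text and kept as parameters; the minimum session-ID length and the function names are this example's own choices.

```python
import hmac
import re
import secrets


def new_session_id(nbytes=32):
    """Unpredictable session ID: 32 random bytes (256 bits) from the OS CSPRNG,
    URL-safe base64 encoded so it can be placed directly in a cookie."""
    return secrets.token_urlsafe(nbytes)


def session_id_is_acceptable(session_id, min_chars=32):
    # Reject IDs too short to resist guessing, or containing characters outside
    # the token alphabet (a sign the cookie was edited). min_chars is this
    # example's assumption, not a value from the text.
    return (len(session_id) >= min_chars
            and re.fullmatch(r"[A-Za-z0-9_-]+", session_id) is not None)


def session_ids_match(stored, presented):
    # Constant-time comparison so response timing does not reveal how many
    # leading characters of the presented ID were correct.
    return hmac.compare_digest(stored, presented)


# The example policy from the text: 1 capital letter, 1 numeral, 4-10 characters.
POLICY = {"min_len": 4, "max_len": 10, "upper": 1, "digit": 1}


def password_violations(password, policy=POLICY):
    """Return the list of policy rules the password fails; empty means it passes."""
    problems = []
    if not policy["min_len"] <= len(password) <= policy["max_len"]:
        problems.append("length must be %d-%d characters"
                        % (policy["min_len"], policy["max_len"]))
    if sum(c.isupper() for c in password) < policy["upper"]:
        problems.append("need at least %d capital letter(s)" % policy["upper"])
    if sum(c.isdigit() for c in password) < policy["digit"]:
        problems.append("need at least %d numeral(s)" % policy["digit"])
    return problems


if __name__ == "__main__":
    sid = new_session_id()
    print(sid, session_id_is_acceptable(sid))
    print(password_violations("abc"))        # constructed weak password
    print(password_violations("Abc123"))     # passes the text's policy
```

Two caveats a reviewer would add. First, randomness alone does not stop the theft the text mentions: the cookie should also carry the HttpOnly flag, so script injected through XSS cannot read it, and the Secure flag, so it travels only over TLS. Second, the policy is parameterised because the 4-character minimum from the text is well below current guidance (NIST SP 800-63B asks for at least 8 characters), and a deployment would raise `min_len` without changing the checker.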