Is conventional penetration testing enough to secure e-commerce applications?

Can your customers trust you to process their transactions and safeguard their personal information? Can you be sure online sales follow the business rules you’ve put in place?

If you are like most e-commerce companies, you’ve been pushing the envelope to create applications that are increasingly easy to use, accessible from any device, and personalized to your customers’ favorite content and buying habits. Your customers can browse a seemingly limitless menu of products and place orders anywhere, anytime, with the swipe of a finger.

Unfortunately, advances in e-commerce have also attracted a sophisticated invasion of new security threats. Online criminals are bolder and more creative than ever in how they exploit e-commerce weaknesses, stealing personal data, and disrupting sales. Just one successful attack can wreak havoc on your reputation and cost you money and customers.

Conventional penetration testing—which focuses mainly on OWASP or WASC standards such as SQL injection, XSS, and CSRF—often isn’t enough to secure e-commerce applications in the rapidly evolving threat environment.

So what can you do to protect your business?

Specialized penetration testing is tailored to e-commerce functional modules and can identify issues specific to e-commerce design, including mobile payments and integrations with third-party vendors and products. Let’s dig deeper.

4 types of e-commerce vulnerabilities

Four common categories of vulnerabilities or “flaws” related to e-commerce are:

• Order management
• Coupon and reward management
• Payment gateway integration
• Content management system integration

Make sure your penetration tests consider the scenarios outlined below so you can assess the impact a breach would have on your business.

Order management flaws

Order management flaws consist of misuse and abuse of the order placement process. For example:

• Price manipulation during order placement
• Shipping address manipulation after order placement
• Absence of mobile verification for cash-on-delivery orders
• Getting cash back/refunds even when the order is canceled
• Non-deduction of discounts, even after order cancellation
• Using automation techniques to perform illegitimate ticket blocking for a certain period of time
• Client-side validation bypass for maximum seat limit on a single order
• Bookings/reservations using fake information
• Usage of burner (disposable) phones for verification

Coupon and reward management flaws

Coupon and reward management flaws are extremely complex in nature and include:

• Coupon redemption, even after order cancellation
• Bypass of a coupon’s terms and conditions
• Bypass of a coupon’s validity
• Use of multiple coupons for the same transaction
• Predictable coupon codes
• Failure of a recomputation in coupon value after partial order cancellation
• Illegitimate use of coupons with other products

Payment gateway integration flaws

Some of the most popular attacks on e-commerce applications exploit insecure integration with third-party payment gateways. Examples include:

• Price modification at client-side with zero or negative values
• Price modification at client-side with varying price values
• Manipulating the contact URL
• Bypassing the third-party checksum
• Changing the price before the transaction is completed

Content management system flaws

Most e-commerce applications have back-end content management systems to upload and update content. These systems are often integrated with those of resellers, content providers, and partners such as franchises or booking partners. Having more partners leads to more complexity, so it’s important to watch for the following red flags:

• Flaws in transaction file management
• Unusual activities involving role-based access control (RBAC), which regulates access to computer or network resources
• Flaws within the customer notification system
• Misuse of rich-text editor functionalities (which edit text within web browsers)
• Flaws in third-party application program interfaces (APIs), which are used to create specialized web stores
• Flaws in integration with point-of-sale (POS) devices