Codechef4u is a community for computer professionals, by computer professionals, who love sharing and helping each other.

Price manipulation OR Web parameter tampering

Price manipulation OR Web parameter tampering:

Most e-commerce web applications are at risk of price manipulation, which is one form of the web parameter tampering attack.

Definition:

The Web Parameter Tampering attack is based on the editing or modification of parameters exchanged between client and server in order to modify application data, such as user credentials and permissions, price and quantity of products, orders, etc. Usually, this information is stored in cookies, hidden form fields, or URL Query Strings, and is used to increase application functionality and control.

Example with URL tampering:

On a busy shopping day or during a sale, attackers edit the price information of products and place bulk orders through the e-commerce application. Shopping carts often pass price data in the URL query string, in HTTP headers or in cookies. For example, the order request might look like “www.mayecomapp.com/orders.aspx?price=200.50&orderid=nk138530&custname=nagnathkendre”. The first parameter being passed along is the price.
With the above URL an attacker can simply change the price value to a lower one and submit the order for payment; this kind of attack is called price manipulation or web parameter tampering. Transport encryption does not help here, because the attacker is the client and edits the value before it is ever sent.

Example with Hidden fields:

In the following example the programmer stored the order's total cost in a hidden field.
An attacker can edit the value in the browser (or with an intercepting proxy), change the total cost and submit the order for payment. The field is hidden from the user interface, not from the user.
<input type="hidden" id="TotalitesmCost" name="TotalCost" value="5000.25">

Example with Form fields:

ASP.NET and other web frameworks also provide form controls such as combo boxes, checkboxes and list boxes. The values these controls submit are chosen by the browser, not by the server, so editing them (for example with an intercepting proxy) is an easy task for an attacker, even when the UI only offers a fixed set of choices.

Example with cookies:

An attacker can also steal cookies and gain access to a restricted area, or edit a cookie that carries application data such as a price or a discount and so manipulate financial data.

Prevention:

1. Use TLS (https) for every page of a finance-based web application, and use HTTP Strict Transport Security (HSTS) so browsers refuse to fall back from https to http. More info: http://codechef4u.com/post/2015/06/10/HSTS
2. Don't trust client data. Validate every input, and never accept prices, discounts or totals from the request: look them up on the server from your own catalog and recompute the total there.
3. Do not carry authoritative values such as prices in the URL. If state must travel through the URL, sign or encrypt it so that edits are detected, and URL-encode it.
4. Keep request validation enabled (ValidateRequest=true in the ASP.NET web.config). It blocks markup in input as a defence in depth, but it does not detect a changed number.
5. Don't use persistent cookies for storing authentication tokens (session ids), and don't select the “Remember password” option on the logon screen of a public computer.
6. Avoid hidden fields for sensitive data. If you do rely on ViewState or hidden fields, encrypt them or protect them with a MAC (for ViewState, keep enableViewStateMac on and set viewStateEncryptionMode to Always) so that tampering is detected on the server.
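The following is an added, framework-neutral example (not code from the original post); it shows in Python what the prevention list above asks an ASP.NET handler to do. The catalog, the product ids (reusing the orderid from the URL example), the form dictionaries and the secret are all constructed for the demo. It contrasts a handler that trusts the TotalCost hidden field with one that recomputes the total from a server-side catalog, and adds an HMAC so that a value which really must round-trip through a hidden field or cookie cannot be edited silently.

```python
"""Server-side defence against price and hidden-field tampering.

Added example (not from the original post): the catalog, product ids,
form dictionaries and secret below are constructed for the demo. The
principle is the same in ASP.NET: the server, not the browser, decides
what an order costs.
"""
import hashlib
import hmac
from decimal import Decimal

# Constructed catalog: the only place prices may come from.
CATALOG = {
    "nk138530": Decimal("200.50"),
    "nk138531": Decimal("5000.25"),
}

# Assumed server secret for signing values that must travel through the
# client (hidden fields, cookies). Load it from a secret store in production.
SERVER_SECRET = b"example-secret-replace-me"


def total_vulnerable(form):
    """Mirrors the hidden field <input name="TotalCost">: whatever the browser
    sends is what the customer is charged. Any proxy can rewrite it."""
    return Decimal(form["TotalCost"])


def total_server_side(form):
    """Ignores price and TotalCost from the request entirely and recomputes
    the total from the catalog and a range-checked quantity."""
    product_id = form["orderid"]
    if product_id not in CATALOG:
        raise ValueError("unknown product id")
    qty = int(form.get("qty", "1"))
    if not 1 <= qty <= 1000:
        raise ValueError("quantity out of range")
    return CATALOG[product_id] * qty


def sign_field(value):
    """If a value really must travel via a hidden field or cookie, bind it to
    an HMAC so that edits are detected when it comes back."""
    mac = hmac.new(SERVER_SECRET, value.encode(), hashlib.sha256).hexdigest()
    return value + "." + mac


def verify_field(signed):
    """Returns the original value, or raises ValueError if it was edited."""
    value, _, mac = signed.rpartition(".")
    expected = hmac.new(SERVER_SECRET, value.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("hidden field was tampered with")
    return value


if __name__ == "__main__":
    # Attacker rewrote price and TotalCost before submitting the order.
    tampered = {"orderid": "nk138530", "qty": "2", "price": "1.00", "TotalCost": "1.00"}
    print("charged by vulnerable code:", total_vulnerable(tampered))    # 1.00
    print("charged by server-side code:", total_server_side(tampered))  # 401.00

    signed = sign_field("5000.25")
    print("valid field ->", verify_field(signed))
    try:
        verify_field("1.00." + signed.split(".")[-1])  # edited value, old MAC
    except ValueError as exc:
        print("edited field ->", exc)
```

The signed-field variant is the fallback, not the first choice: if the server can recompute a value, it should never accept it from the client at all. Signing only detects edits; it does not stop a client from replaying an older signed value, so include an order id or expiry in anything you sign.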
 

 

Anti-Cross Site Scripting Library (AntiXSS library)

Writing weak code means handing security holes to the attacker, and most security problems come from trusting user input too much. One common attack that stems from trusting user input is Cross Site Scripting (often abbreviated XSS). Microsoft created a library that mitigates XSS risks, the Anti-Cross Site Scripting Library.

Cross Site Scripting:

Cross Site Scripting (XSS) occurs when an attacker uses a web application to send malicious code, usually browser-side script, to a different user. Because the script executes in the victim's browser in the context of the trusted website, it can access that user's session and data on the site and anything else the page can reach.

Anti-Cross Site Scripting Library:

Anti-XSS helps you protect your current applications from cross-site scripting attacks, and its Security Runtime Engine (SRE) can protect legacy applications by applying encoding at runtime without changing their code. Note that .NET Framework 4.5 and later ship the same encoder as System.Web.Security.AntiXss.AntiXssEncoder, so new projects do not need the separate library.

Points to remember with Anti-XSS:

1. Secure Globalization: Anti-XSS protects against XSS attacks written in many languages and character sets, which Microsoft calls Secure Globalization. If your application is available in multiple languages this protection is important.
2. Performance: Anti-XSS is written with performance in mind and provides protection with little overhead.
3. Standards Compliance: Anti-XSS is written to comply with modern web standards, so you can protect your web application without adversely affecting its UI.

Code Example using Anti-XSS:

    using System;
    using Microsoft.Security.Application; // AntiXSS library (Microsoft.AntiXssLibrary)

    /// <summary>
    /// Returns input text encoded for the context it will be emitted into,
    /// and sanitized HTML fragments. Added to mitigate XSS attacks.
    /// Note: in AntiXSS 4.x the AntiXss class is marked obsolete; the Encoder
    /// class in the same namespace exposes the same methods.
    /// </summary>
    public class SafeInputDataForApp
    {
        // The encoders return a new string and never modify their argument,
        // so the result must be used. Each value must be encoded for the exact
        // context in which it is rendered: an attribute-encoded value is still
        // dangerous inside a script block or a URL.

        /// <summary>Value that will be written into a URL or query string.</summary>
        public static string EncodeForUrl(string url)
        {
            return AntiXss.UrlEncode(url);
        }

        /// <summary>Value that will be written inside a quoted HTML attribute.</summary>
        public static string EncodeForHtmlAttribute(string htmlInput)
        {
            return AntiXss.HtmlAttributeEncode(htmlInput);
        }

        /// <summary>Value that will be written into an XML document.</summary>
        public static string EncodeForXml(string xmlInput)
        {
            return AntiXss.XmlEncode(xmlInput);
        }

        /// <summary>Value that will be written inside a JavaScript string literal.</summary>
        public static string EncodeForJavaScript(string item)
        {
            return AntiXss.JavaScriptEncode(item);
        }

        /// <summary>
        /// Returns a sanitized HTML fragment for user-supplied rich text:
        /// allowed markup stays, script, event handlers and dangerous URLs are removed.
        /// </summary>
        public static string GetSafeHtml(string inputText)
        {
            // Sanitizer (AntiXSS 4.x) is recommended over the older
            // AntiXss.GetSafeHtmlFragment(inputText): it is the newer,
            // whitelist-based sanitizer in the library.
            return Sanitizer.GetSafeHtmlFragment(inputText);
        }
    }
 

Common Security risks in e-commerce and Finance web application

Possible security risks in ASP.NET web applications:

In the current e-commerce generation, protecting against security risks is a challenging job for the e-commerce and finance industries. Because of the nature of their content, e-commerce sites are often subjected to attacks and exploits. The best way to prevent and combat these attacks is to know the common vulnerabilities that e-commerce systems often have.

Six possible common security risks E-commerce or any finance web application may face:

A.  Man-in-the-middle attack:

The man-in-the middle attack intercepts a communication between two systems.

Example:

A company created an HR web application in ASP.NET in which employees log in and check their financial details, and deployed it over HTTPS. After login the application drops back to plain HTTP. An employee accesses it over a shared network, so an attacker on that network (an outside person) can read the employee's financial details in clear text. If the site answers on http:// at all, an attacker in the path can also force this downgrade (SSL stripping) even where the application never intended it.

Prevention suggestion:

Use HTTP Strict Transport Security (HSTS), a policy mechanism by which an HTTPS site tells the browser to use only HTTPS for that host for a stated period. It protects HTTPS websites against downgrade attacks and greatly simplifies protection against man-in-the-middle attacks and cookie hijacking. For more, see http://www.codechef4u.com/post/2015/06/10/HSTS
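As an added example (not from the original post or the linked HSTS article), the check below parses the Strict-Transport-Security header of a response and reports what would still let the downgrade above happen: no header, a short or zero max-age, or a missing includeSubDomains. The response headers are constructed, and the thresholds (at least one year of max-age, includeSubDomains required) are the ones the browser preload lists ask for; they are this check's assumptions, not something the article states.

```python
"""Checking a Strict-Transport-Security header for downgrade resistance.

Added example (not from the original post). The response headers are
constructed; the one-year max-age and includeSubDomains requirements are
the browser preload-list criteria, used here as the check's assumptions.
"""

ONE_YEAR = 31536000


def parse_hsts(value):
    """Splits 'max-age=31536000; includeSubDomains; preload' into a dict of
    lowercase directive names (values stripped of quotes, '' if none)."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_hsts(headers, min_max_age=ONE_YEAR):
    """Returns a list of findings; an empty list means the policy is strong
    enough to stop an http:// downgrade on return visits."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["no Strict-Transport-Security header: the browser will still "
                "follow http:// links and redirects on the next visit"]
    d = parse_hsts(value)
    findings = []
    if not d.get("max-age", "").isdigit():
        findings.append("max-age missing or not a number")
    elif int(d["max-age"]) == 0:
        findings.append("max-age=0 tells browsers to forget the policy")
    elif int(d["max-age"]) < min_max_age:
        findings.append(f"max-age={d['max-age']} is below {min_max_age} seconds")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing: subdomains (and cookies "
                        "scoped to them) can still be reached over http")
    return findings


def hsts_header(max_age=2 * ONE_YEAR, include_subdomains=True, preload=False):
    """Builds the policy value to send on every HTTPS response. Browsers
    ignore the header on plain http responses, so it must be served over TLS."""
    parts = [f"max-age={max_age}"]
    if include_subdomains:
        parts.append("includeSubDomains")
    if preload:
        parts.append("preload")
    return "; ".join(parts)


if __name__ == "__main__":
    # Constructed responses from the HR application in the example above.
    weak = {"Content-Type": "text/html", "Strict-Transport-Security": "max-age=300"}
    print(check_hsts({"Content-Type": "text/html"}))
    print(check_hsts(weak))
    print(check_hsts({"Strict-Transport-Security": hsts_header()}))  # []
```

HSTS only takes effect after the browser has seen the header once over a valid HTTPS connection; the very first visit is still exposed unless the domain is on the browsers' preload list, which is what the preload directive is for.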


B.  SQL Injection:

SQL injection is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution. Depending on the database privileges of the application, an SQL injection attack can range from leaking a few records to giving the attacker full access to the data and, in some configurations, to the server itself.

Prevention suggestion:

1. Avoid inline SQL built from strings; prefer stored procedures, LINQ to SQL or Entity Framework. A stored procedure is only safe if it does not itself build dynamic SQL from its arguments.
2. Use prepared statements (parameterized queries) for every value taken from the user.
3. Never concatenate user-supplied input into SQL text. Identifiers such as column names cannot be parameterized, so take them only from an allowlist.
4. Apply the security policies provided by your database: run the application with a least-privileged account that cannot drop tables or read unrelated data.
5. Validate input data for type, length and range before it reaches the query.
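The following is an added example (not from the original post) of points 2 and 3 above. It uses Python's sqlite3 so that it runs anywhere; the table, the rows and the payload are constructed for the demo, and the same pattern applies to SqlCommand.Parameters in ASP.NET. It shows the concatenated query returning every customer for a tautology payload, the parameterized query returning nothing for the same input, and an allowlist for the one case parameters cannot cover, a user-chosen column name.

```python
"""SQL injection: concatenated SQL text next to the parameterized version.

Added example (not from the original post). The table, rows and payload
are constructed for the demo.
"""
import sqlite3


def make_db():
    """In-memory database with a few constructed customer rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (name, card_last4) VALUES (?, ?)",
        [("alice", "4242"), ("bob", "1881"), ("carol", "0005")],
    )
    return conn


def find_customer_vulnerable(conn, name):
    """DO NOT USE: the user's text becomes part of the SQL statement, so
    name = "' OR '1'='1" turns the WHERE clause into a tautology."""
    sql = "SELECT name, card_last4 FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_customer_safe(conn, name):
    """Parameterized query: the driver sends the value separately from the
    statement, so quotes inside it are just data."""
    sql = "SELECT name, card_last4 FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Identifiers (table and column names) cannot be bound as parameters; the
# only safe way to take one from the user is to map it against an allowlist.
ALLOWED_SORT_COLUMNS = {"id", "name"}


def list_customers_sorted(conn, column):
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column")
    return conn.execute(f"SELECT name FROM customers ORDER BY {column}").fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:   ", find_customer_vulnerable(db, payload))  # all three rows
    print("parameterized:", find_customer_safe(db, payload))        # []
    print(list_customers_sorted(db, "name"))
```

sqlite3's execute() refuses to run more than one statement, so a stacked `'; DROP TABLE customers; --` payload raises an error here; the tautology still works, and drivers for other databases (including SQL Server) do run stacked statements, so that is not a defence to rely on.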

 

C.  Price Manipulation:

One of the most common features of modern e-commerce systems is that they are completely automated, from the initial visit all the way to payment. Some e-commerce software accepts the price from the client, which allows a criminal to insert a lower price into the URL and pay a fraction of what the goods are worth, which is practically stealing.

Prevention Suggestion:

Cryptographic protection in the transport layer (SSL/TLS) in no way protects against attacks like parameter manipulation, in which the data is altered before it hits the wire. Parameter tampering can be done with:
1. Cookies
2. Form Fields
3. URL Query Strings
4. HTTP Headers
The best way to prevent parameter tampering is to make the server the only authority on prices and totals, and to validate every other parameter before it is used. A centralized validation library through which every input passes is likely to be most effective, because it cannot be forgotten on one page.

D.  Unsecured Authentication:

Many e-commerce sites require users to authenticate, usually to sign up for membership and to log in for each subsequent purchase. These authentication exchanges must pass over SSL/TLS; otherwise an attacker on the network could read the credentials and other sensitive user information.

Prevention suggestion:

Apply proper authentication to e-commerce and finance applications, and to any other important web application.
Use SSL/TLS encryption for the whole session, not only the login page; otherwise the session cookie travels in clear text after login.
Use HTTPS together with HTTP Strict Transport Security (HSTS).

E.  Cross-site scripting (XSS):

Like SQL injection, cross-site scripting is an attack method employed against all types of dynamic websites, but attacks on e-commerce sites can be especially damaging for a business. Using XSS, an attacker could setup a phishing scheme to steal sensitive user information, including credit card numbers.

Prevention Suggestion:

The two most important countermeasures to prevent cross-site scripting attacks are to:
1. Constrain input.
2. Encode output for the context in which it is rendered (HTML body, attribute, JavaScript, URL).
For more, I recommend the OWASP XSS (Cross Site Scripting) Prevention Cheat Sheet.
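The following is an added example (not from the original post or the AntiXSS library) of the "Encode output" rule, and of what the four AntiXSS encoders in the code example earlier on this page are each for: one encoder per output context. It is written in Python so that it runs stand-alone; the template, field names and payloads are constructed for the demo. It also shows the two places where encoding alone is not enough: a JavaScript string literal, where a JSON-escaped `</script>` still closes the block unless `<` is escaped too, and an href, where a `javascript:` URL survives any amount of encoding and needs a scheme check.

```python
"""Context-aware output encoding for XSS prevention.

Added example (not from the original post or the AntiXSS library). The
template and the attacker payloads are constructed for the demo.
"""
import html
import json
from urllib.parse import quote

# Constructed attacker-controlled inputs.
PAYLOAD_HTML = '<img src=x onerror=alert(1)>'
PAYLOAD_JS = '</script><script>alert(document.cookie)</script>'
PAYLOAD_URL = 'javascript:alert(1)'


def encode_html(value):
    """For text between tags: <p>HERE</p>."""
    return html.escape(value, quote=False)


def encode_html_attribute(value):
    """For a value inside a *quoted* attribute: title="HERE". Always quote the
    attribute; an unquoted attribute can be broken out of with a space."""
    return html.escape(value, quote=True)


def encode_js_string(value):
    """For a value inside a JavaScript string literal in a <script> block.
    json.dumps escapes quotes, backslashes and control characters but leaves
    '<' alone, so '</script>' would still end the block: escape <, > and &
    as \\uXXXX, which JavaScript decodes back inside the string."""
    encoded = json.dumps(value)  # includes the surrounding double quotes
    return (encoded.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))


def encode_url_param(value):
    """For a value placed in a query string: ?q=HERE."""
    return quote(value, safe="")


def safe_href(url):
    """A URL used as an href needs a scheme check, not just encoding:
    encoding does nothing against javascript: or data: URLs."""
    if not url.lower().startswith(("http://", "https://")):
        return "#"
    return html.escape(url, quote=True)


def render_profile(display_name, homepage, search_term):
    """Builds one page fragment, picking the encoder by where each value lands."""
    return (
        f'<p>Hello {encode_html(display_name)}</p>\n'
        f'<a title="{encode_html_attribute(display_name)}" href="{safe_href(homepage)}">home</a>\n'
        f'<a href="/search?q={encode_url_param(search_term)}">search again</a>\n'
        f'<script>var name = {encode_js_string(display_name)};</script>'
    )


if __name__ == "__main__":
    print(render_profile(PAYLOAD_HTML, PAYLOAD_URL, "a b&c"))
    print()
    print(render_profile(PAYLOAD_JS, "https://example.com", "x"))
```

The order matters as much as the choice of encoder: a value that lands in a URL inside an attribute (`href="/search?q=..."`) is URL-encoded first and then attribute-encoded, and a value that lands in an event handler attribute needs JavaScript encoding and then attribute encoding. Constraining input stays useful, but only output encoding knows the context.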

F.  Remote command execution:

Poorly coded scripts, whether in Perl, PHP, ASP.NET or JSP, may be vulnerable to attackers who insert shell metacharacters into a shopping cart URL in order to execute commands with the web server's credentials. This can be particularly damaging, even fatal, to an e-commerce site.

Prevention Suggestion:

1. Good application design comes first: never pass user input to a shell. If an external program must be run, call it with an argument list (no shell) and accept only values that match an allowlist.
2. Firewall protection, including a web application firewall, as a second layer; it does not replace fixing the code.
3. Validate any external files the application reads or executes, and run the web server under an account with only the privileges it needs.