Possible web application security risks:
Protecting the current generation of e-commerce applications from security risks is a challenging job for the e-commerce and finance industries. Because of the nature of their content, e-commerce sites are often subjected to attacks and exploits. The best way to prevent and combat these attacks is to know the common vulnerabilities that e-commerce systems often have.
Common security risks that an e-commerce or any finance web application may face:
A. Man-in-the-middle attack:
A man-in-the-middle attack intercepts a communication between two systems.
Example: an HR web application in ASP.NET in which an employee can log in and check his financial details, deployed using the HTTPS protocol. After the user logs in, the application is downgraded to the HTTP protocol. The employee uses a shared network to access the application, so now an attacker (an outside person) can easily access the Employee
HTTP Strict Transport Security (HSTS) is a security policy mechanism which gives HTTPS websites better protection against downgrade attacks, and which greatly simplifies protection against man-in-the-middle attacks and cookie hijacking. For more: http://www.codechef4u.com/post/2015/06/10/HSTS
B. SQL Injection:
SQL injection is a code injection technique used to attack database-backed applications, in which malicious SQL statements are inserted into an entry field for execution. An SQL injection attack can range from minor errors to giving the attacker full access to restricted areas of your server.
1. Avoid inline SQL scripts; better to use stored procedures, LINQ to SQL or Entity Framework.
2. Use prepared statements (parameterized queries).
3. Avoid using user-supplied input directly in SQL.
4. Apply the security policies provided by your
5. Validate input data.
C. Price Manipulation:
One of the most common features of modern e-commerce systems is that they are completely automated, from the initial visit all the way to payment. Some e-commerce software may have a vulnerability that allows a cyber criminal to insert a lower price into the URL and essentially get away with practically stealing.
Cryptographic protection in the transport layer (SSL) in no way protects against attacks like parameter manipulation, in which the data is mangled before it hits the wire. Parameter tampering can often be done with:
1. Form fields
2. URL query strings
3. HTTP headers
The best way to prevent parameter tampering is to ensure that all parameters are validated before they are used. A centralized code library or repository that validates each and every input provided by the user is likely to be most effective.
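As an added illustration (not code from the original post), here is a small Python checkout calculation in the vulnerable form that trusts a price submitted in the URL, beside a hardened form that validates item and quantity through one central routine and takes the price from the server-side catalog only. The catalog, SKUs, quantity limit and the tampered query string are constructed for this example.

```python
from decimal import Decimal
from urllib.parse import parse_qs

# Constructed sample catalog: the server-side source of truth for prices.
CATALOG = {
    "SKU-100": Decimal("49.99"),
    "SKU-200": Decimal("120.00"),
}
MAX_QTY = 50  # constructed business limit per line item


def total_trusting_client(query_string: str) -> Decimal:
    """Vulnerable: uses the price exactly as submitted in the URL."""
    params = parse_qs(query_string)
    qty = int(params["qty"][0])
    price = Decimal(params["price"][0])  # attacker-controlled value
    return price * qty


def validate_order(params: dict) -> tuple:
    """Centralized validation of the only parameters checkout needs.

    Raises ValueError for anything unexpected. The submitted price is
    never read, so tampering with it has no effect on the total."""
    item_values = params.get("item", [])
    qty_values = params.get("qty", [])
    if len(item_values) != 1 or len(qty_values) != 1:
        raise ValueError("item and qty must each appear exactly once")
    item = item_values[0]
    if item not in CATALOG:
        raise ValueError(f"unknown item {item!r}")
    if not qty_values[0].isdigit():  # rejects '-3', '2.5', 'abc'
        raise ValueError("qty must be a positive integer")
    qty = int(qty_values[0])
    if not 1 <= qty <= MAX_QTY:
        raise ValueError(f"qty out of range 1..{MAX_QTY}")
    return item, qty


def total_server_side(query_string: str) -> Decimal:
    """Hardened: price comes from the catalog, never from the request."""
    item, qty = validate_order(parse_qs(query_string))
    return CATALOG[item] * qty


TAMPERED = "item=SKU-100&qty=2&price=0.01"  # constructed tampered query

if __name__ == "__main__":
    print("trusting client:", total_trusting_client(TAMPERED))  # 0.02
    print("server side:", total_server_side(TAMPERED))          # 99.98
```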
D. Unsecured Authentication:
Sites require users to use some type of authentication, usually to sign up for membership and to log in for each subsequent purchase. Ideally, these authentication sessions should pass through SSL encryption. Otherwise, an attacker could possibly glean sensitive user information over the web.
Apply proper authentication to e-commerce and finance applications, or to any important web application.
It is recommended to use SSL encryption.
It is recommended to use HTTPS together with the HTTP Strict Transport Security (HSTS) security policy mechanism.
E. Cross-site scripting (XSS):
Like SQL injection, cross-site scripting is an attack method employed against all types of dynamic websites, but attacks on e-commerce sites can be especially damaging for a business. Using XSS, an attacker could set up a phishing scheme to steal sensitive user information, including credit card numbers.
The two most important countermeasures to prevent cross-site scripting attacks are to:
1. Constrain input.
2. Encode output.
For more, I recommend checking the OWASP XSS (Cross Site Scripting) Prevention Cheat Sheet.
Poorly coded scripts (Perl and PHP, less so in ASP.NET and JSP) may be vulnerable to attackers who insert shell metacharacters into a shopping cart URL in order to execute commands using the web server's credentials. This can be particularly damaging, even fatal, to an e-commerce site.
1. Good application design is the first suggestion.
2. Firewall prevention.
3. Validate external files and set appropriate privileges for them.