
Common Security risks in e-commerce and Finance web application

Possible security risks in an ASP.NET web application:

In the current e-commerce generation, protecting against security risks is a challenging job for the e-commerce and finance industries. Because of the nature of their content, e-commerce sites are often subjected to attacks and exploits. The best way to prevent and combat these attacks is to know the common vulnerabilities that e-commerce systems often have.

Six common security risks that an e-commerce or finance web application may face:

A.  Man-in-the-middle attack:

A man-in-the-middle attack intercepts the communication between two systems.

Example:

A company created an HR web application in ASP.NET in which an employee can log in and check his financial details; the application is deployed over HTTPS. After the user logs in, the application is downgraded to plain HTTP. An employee accesses the application over a shared network, so an attacker (an outside person) on that network can easily read the employee's financial details.

Prevention suggestion:

Use the HTTP Strict Transport Security (HSTS) security policy mechanism, which protects HTTPS websites against downgrade attacks and greatly simplifies protection against man-in-the-middle attacks and cookie hijacking. For more, see http://www.codechef4u.com/post/2015/06/10/HSTS


B.  SQL Injection:

SQL injection is a code injection technique used to attack database-backed applications, in which malicious SQL statements are inserted into an entry field for execution. An SQL injection attack can range from minor errors to giving the attacker full access to restricted areas of your server.

Prevention suggestion:

1.  Avoid inline SQL scripts; prefer stored procedures, LINQ to SQL or Entity Framework.
2.  Use prepared statements (parameterized queries).
3.  Never place user-supplied input directly into SQL statements.
4.  Apply the security policies provided by your database.
5.  Validate input data.


C.  Price Manipulation:

One of the most common features of modern e-commerce systems is that they are completely automated, from the initial visit all the way to payment. Some e-commerce software may have a vulnerability that allows a cyber criminal to insert a lower price into the URL and get away with what is practically theft.

Prevention Suggestion:

Cryptographic protection in the transport layer (SSL) in no way protects against attacks like parameter manipulation, in which data is mangled before it hits the wire. Parameter tampering can often be done with:
1.  Cookies
2.  Form Fields
3.  URL Query Strings
4.  HTTP Headers
The best way to prevent parameter tampering is to ensure that all parameters are validated before they are used. A centralized code library or repository that validates each and every input provided by the user is likely to be most effective.
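As an added example that is not part of the original post, the plain C# below (no ASP.NET dependency; the catalogue prices and the tampered request are constructed) contrasts a checkout total computed from the price the client posted with one that takes only the SKU and quantity from the request, validates both, and reads the price from the server-side catalogue.

```csharp
// Added example, not from the original post: plain C# (no ASP.NET dependency)
// contrasting a checkout total that trusts the client-supplied price with one
// that looks the price up on the server. Catalogue and request are constructed.
using System;
using System.Collections.Generic;
using System.Globalization;

public static class Checkout
{
    // Constructed server-side catalogue; prices held in cents to avoid
    // floating-point rounding.
    private static readonly Dictionary<string, long> Catalogue =
        new Dictionary<string, long> { ["SKU-100"] = 4999, ["SKU-200"] = 12900 };

    // VULNERABLE: the "price" posted by the browser is used as-is, so a
    // tampered form field, query string or cookie sets the amount charged.
    public static long VulnerableTotal(IDictionary<string, string> form)
    {
        long price = long.Parse(form["price"], CultureInfo.InvariantCulture);
        int qty = int.Parse(form["qty"], CultureInfo.InvariantCulture);
        return price * qty;
    }

    // HARDENED: only the SKU and quantity come from the request, both are
    // validated (known SKU, digits-only quantity in range), and the price is
    // read from the catalogue. An unknown SKU or bad quantity rejects the order.
    public static long SafeTotal(IDictionary<string, string> form)
    {
        if (!form.TryGetValue("sku", out string sku)
            || !Catalogue.TryGetValue(sku, out long price))
            throw new ArgumentException("unknown product");
        if (!form.TryGetValue("qty", out string qtyText)
            || !int.TryParse(qtyText, NumberStyles.None,
                             CultureInfo.InvariantCulture, out int qty)
            || qty < 1 || qty > 100)
            throw new ArgumentException("invalid quantity");
        return checked(price * qty);  // overflow throws instead of wrapping
    }

    public static void Main()
    {
        // Constructed tampered request: the client rewrote the price to 1 cent.
        var tampered = new Dictionary<string, string>
        {
            ["sku"] = "SKU-200", ["price"] = "1", ["qty"] = "2"
        };
        Console.WriteLine("vulnerable handler charges: " + VulnerableTotal(tampered));
        Console.WriteLine("hardened handler charges:   " + SafeTotal(tampered));
    }
}
```

The same rule applies to every other field the page lists (cookies, query strings, headers): anything that decides money or access is looked up or recomputed on the server, never taken from the request.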

D.  Unsecured Authentication:

Many e-commerce sites require users to use some type of authentication, usually to sign up for membership and to log in for each subsequent purchase. Ideally, these authentication sessions should pass through SSL encryption; otherwise, an attacker could glean sensitive user information over the web.

Prevention suggestion:

Apply proper authentication to e-commerce and finance applications, or to any important web application.
It is recommended to use SSL encryption.
It is recommended to use HTTPS with the HTTP Strict Transport Security (HSTS) security policy mechanism.

E.  Cross-site scripting (XSS):

Like SQL injection, cross-site scripting is an attack method employed against all types of dynamic websites, but attacks on e-commerce sites can be especially damaging for a business. Using XSS, an attacker could set up a phishing scheme to steal sensitive user information, including credit card numbers.

Prevention Suggestion:

The two most important countermeasures to prevent cross-site scripting attacks are to:
1.  Constrain input.
2.  Encode output.
For more, I recommend checking the OWASP XSS (Cross Site Scripting) Prevention Cheat Sheet.

F.  Remote command execution:

Poorly coded scripts (typically Perl and PHP, less often ASP.NET and JSP) may be vulnerable to attackers who insert shell metacharacters into a shopping cart URL in order to execute commands using the web server's credentials. This can be particularly damaging, even fatal, to an e-commerce site.

Prevention Suggestion:

1.  Good application design is the first suggestion.
2.  Firewall protection.
3.  Validate external files and restrict the privileges granted to them.