Social Network For Security Executives: Network, Learn & Collaborate
Over the past decade, E-Commerce applications have grown both in terms of numbers and complexity. Currently, E-Commerce application are going forward becoming more personalized, more mobile friendly and rich in functionality. Complicated recommendation algorithms are constantly running at the back end to make content searching as personalized as possible. Here we will learn about the necessity of penetration testing for E-commerce Applications.
Why a conventional application penetration testing for E-commerce Applications is not enough?
E-Commerce applications are growing in complexity, as a result conventional application penetration is simply not enough. Conventional application penetration testing focus on vulnerability classes described in OWASP or WASC standards like SQL Injection, XSS, CSRF etc.
It is required to create specialized framework of penetration testing for E-Commerce applications which is tailored and should have following features:
(Read more: Can your SMART TV get hacked?)
Some of the vulnerability classes covered as part of E-commerce penetration testing are listed below.
Order management flaws primarily consists of misusing placing an order functionality. The exact vulnerabilities will depend on the kind of application, however some examples are listed below:
Possibility of Price manipulation during order placement.
Coupons and Reward management flaws are extremely complex in nature. Some examples are listed below:
Payment Gateway Integration (PG) Flaws
Many of the classical attacks on E-Commerce applications are because of Payment gateway integrations. Buying a pizza in 1$ is a classical example of misusing PG integration by an attacker.
Most E-Commerce applications have backend content management system to upload / update content. In most cases, CMS will be integrated with resellers, content providers and partners. For example, hotel E-Commerce application will be integrated with individuals hotels or with multiple partners. As a result of increased complexity, there are multiple sub vulnerability classes that need to testes, some of them are listed below:
Apart from business logic vulnerabilities, conventional vulnerabilities are also part of the penetration testing framework. Examples of conventional vulnerabilities are SQL Injection, Cross Site Scripting (XSS), CSRF and other vulnerabilities defined as part of OWASP.
This is a re-post of the blog originally published on CISO Platform
Link to original blog: http://www.cisoplatform.com/profiles/blogs/penetration-testing-e-co...