By Uladzislau Murashka, Certified Ethical Hacker at ScienceSoft
Discover how network vulnerability assessment can assist in reaching a proper security level of a complex eCommerce ecosystem.
Network vulnerability assessment for eCommerce solutions
Running a business online requires special attention from retailers to the protection of their operations, since they handle customers’ bank account details, credit card numbers and other personal information. Even though e-commerce solutions are convenient to use, their structural complexity makes them highly susceptible to cyber threats that keep growing in volume and sophistication. Vulnerability assessment can help to maintain a secure network across the entire e-commerce ecosystem. However, there are specific features to take into account when evaluating network security for e-commerce.
The specifics of e-commerce ecosystem security
There are two ways to carry out network vulnerability assessment for an eCommerce solution: evaluating the security level ‘from the inside’ and assessing the protection ‘from the outside.’ While internal vulnerability assessment focuses on identifying security weaknesses accessible from the company’s network, external vulnerability assessment aims to find weaknesses visible from the internet. The main reason e-commerce ecosystems are so special from a network vulnerability assessment perspective is that they are accessed from different points, both internal and external. Thus, when turning to a vendor for network vulnerability assessment services, keep the focus on the following specifics of the eCommerce ecosystem:
- The employees of an online retail company reach the e-commerce portal from the corporate network.
- E-commerce customers access the online store via web and mobile apps.
- E-commerce solutions are integrated with payment gateways.
- E-commerce business implies the use of email marketing tools.
Having the information security services vendor take each of the listed points into account maximizes the value of the whole network vulnerability assessment process. The question now is what exactly to assess and how to do it. Let’s take a closer look at the specifics and find an answer.
Employees access an e-commerce web app from a corporate network
Company personnel reach the e-commerce ecosystem from within the corporate network, which brings the following problem areas:
- Employees use weak passwords that can be easily cracked by hackers.
- Authorized users are unaware of missing patches on workstations or servers within the eCommerce ecosystem.
- User accounts are not audited and their permission levels are not changed when employees move to other positions or leave the company. Thus, they can still access e-commerce databases with the same privileges.
When evaluating the security of internal access to e-commerce systems, the purpose is to imitate the behavior of a company employee. Thus, network vulnerability assessment should be conducted according to the white box approach, which implies providing the security testing team with administrative privileges to access the company’s infrastructure. In this case, security engineers not only determine the versions of the IT solutions used in the e-commerce ecosystem and find out whether these versions have known vulnerabilities, but also check configuration files and detect weaknesses there (missing patches, security misconfigurations, etc.). To gather the necessary details, the security testing team sends requests to the target systems (servers, web servers, web apps, etc.) and analyzes the responses. Moreover, the team conducts brute force attacks to check the complexity of the passwords company employees use, and tries to set weak passwords in the web app registration form to evaluate the applied password policy.
Customers access an eCommerce website via web
Web browsers used by e-commerce customers are another entry point. Customers communicate with an e-commerce website when making purchases online. Within this area, the following security weaknesses may be found:
- Web authentication settings applied on the e-commerce website do not limit repeated login attempts. This weakness allows an attacker to obtain a website user’s credentials.
- Using malware, an attacker can extract e-commerce website users’ payment details and conduct transactions with them. In this way, e-commerce websites can serve as the ‘points’ where hackers obtain a user’s credit card information.
- The communication between a customer and an e-commerce web server may be vulnerable to man-in-the-middle attacks. In this type of attack, the attacker places a packet sniffer in the path between the customer and the server, then forges or modifies network packets and sends them on to the server. It may lead to the attacker accessing the user’s sensitive information (passwords, financial data, personal information, etc.).
As web applications face the internet and are publicly accessible, external vulnerability assessment may help to detect almost all existing vulnerabilities within them. To do this, security engineers carry out the following actions:
- Send requests to the web app and analyze the response headers to check which HTTP headers are set and how.
- Simulate brute force attacks or try to set weak passwords to check the authentication parameters.
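The header check in the first action above, written out as an added example that is not part of the article: it takes the header pairs of one already fetched response plus the scheme it was served over and returns the findings an assessor would record. The expected-header policy, the sample responses and the cookie name are constructed for illustration; the same check applies to the mobile version of the site.

```python
from typing import Callable, Dict, List, Tuple

# Headers a hardened e-commerce front end is expected to send, each with a
# predicate deciding whether the value is acceptable (illustrative policy).
EXPECTED: Dict[str, Callable[[str], bool]] = {
    "strict-transport-security": lambda v: "max-age=" in v.lower(),
    "content-security-policy": lambda v: "default-src" in v.lower(),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
}
# Headers that disclose product versions, which a hardened site strips.
LEAKY = ("server", "x-powered-by", "x-aspnet-version")


def analyse_headers(headers: List[Tuple[str, str]], scheme: str) -> List[str]:
    """Return findings for one response; an empty list means nothing to report.
    `headers` is a list of (name, value) pairs, the shape http.client returns."""
    findings = []
    single = {k.lower(): v for k, v in headers if k.lower() != "set-cookie"}
    cookies = [v for k, v in headers if k.lower() == "set-cookie"]
    if scheme.lower() != "https":
        findings.append("served over plain HTTP")
    for name, acceptable in EXPECTED.items():
        if name not in single:
            findings.append(f"missing {name}")
        elif not acceptable(single[name]):
            findings.append(f"weak {name}: {single[name]}")
    for name in LEAKY:
        if name in single and any(c.isdigit() for c in single[name]):
            findings.append(f"version disclosure in {name}: {single[name]}")
    for c in cookies:  # session cookies need both the Secure and HttpOnly flags
        flags = {p.strip().lower() for p in c.split(";")[1:]}
        if "secure" not in flags or "httponly" not in flags:
            findings.append(f"cookie without Secure/HttpOnly: {c.split('=', 1)[0]}")
    return findings


# Constructed sample responses: a weak shop front end and a hardened one.
WEAK = [("Server", "Apache/2.4.29 (Ubuntu)"), ("Content-Type", "text/html"),
        ("X-Frame-Options", "ALLOWALL"), ("Set-Cookie", "session=abc123; Path=/")]
HARDENED = [("Server", "webserver"),
            ("Strict-Transport-Security", "max-age=31536000"),
            ("Content-Security-Policy", "default-src 'self'"),
            ("X-Content-Type-Options", "nosniff"), ("X-Frame-Options", "DENY"),
            ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax")]

if __name__ == "__main__":
    print("weak:", analyse_headers(WEAK, "http"))
    print("hardened:", analyse_headers(HARDENED, "https"))
```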
Customers access an eCommerce website via mobile
When using smartphones to make purchases online, a customer reaches a mobile version of an e-commerce website. The main problem with mobile versions of online stores is that they usually have fewer security restrictions applied than the web versions do.
For example, when logging in to an e-commerce website, users have to enter their login details and pass CAPTCHA protection. The mobile version of the website may lack this security measure, thus allowing potential intruders to carry out brute force attacks. This weakness means attackers get a chance to crack e-commerce customers’ passwords, access their personal data and later use it with malicious intent.
Mobile versions may also fail to behave properly when filtering and validating input and output data. This vulnerability makes them highly susceptible to SQL injections and XSS attacks.
The mobile access assessment method is the same as for the web access described above. Thus, the assessment implies checking the types of HTTP headers, server configurations, and authentication parameters.
However, keep in mind that the absence of certain security weaknesses in the e-commerce web application does not necessarily guarantee a similar protection level of the mobile version of the same online store.
Integration with payment gateways
Payment gateways used in the e-commerce transaction process are responsible for storing customers’ credit card information in encrypted form.
The vulnerability unique to payment gateways is price manipulation. This weakness means that an attacker can modify the amount of money to be paid for the goods placed in the e-commerce marketplace while the price information travels from the customer’s browser to the e-commerce web server and then on to the payment gateway.
In this case, network vulnerability assessment implies evaluating the security of the e-commerce platform’s communication with the payment gateway by analyzing whether the secured (HTTPS) or unsecured (HTTP) protocol is used.
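Two server-side controls against the price manipulation just described, added as an example that is not part of the article and that goes beyond the HTTPS check it names: the shop recomputes the total from its own catalogue instead of trusting the amount the browser posts, and it signs the request it forwards to the gateway with an HMAC so that any change in transit is detected. The catalogue, the shared secret and the message format are constructed; they are not any real gateway’s API.

```python
import hashlib
import hmac
import json
from decimal import Decimal

CATALOGUE = {"sku-100": Decimal("49.90"), "sku-200": Decimal("5.00")}  # constructed
GATEWAY_SECRET = b"constructed-shared-secret"  # constructed; a real one is provisioned out of band


def server_total(cart: dict) -> Decimal:
    """Recompute the order total from the catalogue; client-supplied prices are ignored."""
    return sum((CATALOGUE[sku] * qty for sku, qty in cart.items()), Decimal("0"))


def _canonical(fields: dict) -> bytes:
    # Deterministic serialisation so both sides sign exactly the same bytes.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def build_payment_request(order_id: str, cart: dict, client_amount: str) -> dict:
    """Shop side: refuse a client total that disagrees with ours, then sign."""
    total = server_total(cart)
    if Decimal(client_amount) != total:
        raise ValueError(f"amount mismatch: client {client_amount}, server {total}")
    body = {"order_id": order_id, "amount": f"{total:.2f}", "currency": "EUR"}
    body["sig"] = hmac.new(GATEWAY_SECRET, _canonical(body), hashlib.sha256).hexdigest()
    return body


def gateway_verify(request: dict) -> bool:
    """Gateway side: recompute the HMAC over the unsigned fields and compare."""
    fields = dict(request)
    sig = fields.pop("sig", "")
    expected = hmac.new(GATEWAY_SECRET, _canonical(fields), hashlib.sha256).hexdigest()
    return hmac.compare_digest(sig, expected)


if __name__ == "__main__":
    cart = {"sku-100": 2, "sku-200": 1}  # constructed order
    req = build_payment_request("ord-1", cart, "104.80")
    print(req, gateway_verify(req))
    tampered = dict(req, amount="1.00")  # modified in transit
    print(gateway_verify(tampered))
```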
Integration with email marketing tools
When registering on the e-commerce website, customers enter their email addresses, which the online retailer can later use for mass emailing (sending advertisements, special offers, online surveys, etc.). This is done with the help of email marketing tools.
The services used for email marketing may have the following weak points:
- Susceptibility to phishing attacks. This type of network security threat means that attackers may use fake messages or websites, spread via email, to trick an e-commerce company’s employees into giving them sensitive data such as passwords, clients’ credit card numbers and bank account details. This may lead to data theft, the loss of customer loyalty and severe reputational damage.
- Inadequate protection against the spread of malware. Malicious software in its various forms (spyware, ransomware, viruses, Trojan horses, etc.) may get inside the network through email marketing services. The susceptibility of email marketing tools to this type of attack may lead to data loss, hardware failure and other consequences harmful to e-commerce business operations.
Using scanning tools, security engineers check whether the email marketing software has the right configurations and settings following two possible approaches:
- Conducting source code review, if a customer decides on white box vulnerability assessment.
- Attempting to inject malicious scripts into the form used to send data (user names, plain text, etc.) to check how well this form is protected.
Being complex in structure, e-commerce ecosystems are rather difficult to protect. Network security threats may come both from the inside (when an e-commerce platform is accessed from an office by company employees) and from the outside (when it is accessed by customers via web or mobile). What’s more, the integration of e-commerce platforms with a variety of external systems (payment gateways, email marketing software, etc.) makes the entire e-commerce ecosystem even more susceptible to cyber attacks. When deciding to get network vulnerability assessment services, ensure the coverage of all the areas mentioned. The wider the range of integrated e-commerce systems covered, the fewer entry points attackers have to get inside the network.
About the Author
Uladzislau Murashka is a Certified Ethical Hacker at ScienceSoft with 5+ years of experience in penetration testing. Uladzislau’s spheres of competence include reverse engineering, black box, white box and gray box penetration testing of web and mobile applications, bug hunting and research work in the area of Information Security. Uladzislau can be reached online at (firstname.lastname@example.org) and at our company website https://www.scnsoft.com.