Case Study – Penetration Testing for Ecommerce Platform
Introduction:
SDET would like to share the success story of one of our clients, who operates an eCommerce cloud platform serving locations such as the USA, UK, and Australia. The platform was designed to handle product descriptions and order management for different locations and currencies.
Challenge:
The client wanted to evaluate the security of the eCommerce website and came to the SDET team for the required audit. They wanted to know about all vulnerabilities, and it was especially important to keep their payment gateway secure from malware. Because the multinational platform has to handle different currencies and tax values, these added functions also widened the attack surface that had to be tested.
Solution:
The SDET security testing team wanted to make sure that penetration testing was done at every level, from web to API to cloud. To attain that assurance, they conducted black-box penetration testing on the platform, using tools that follow the ethical-hacking methodology. The team found more than 20 vulnerabilities and ranked them by severity; the four highest-impact findings are listed below.
– Weak Brute-force Protection: The SDET team found that the website's login page was not protected against brute-force attacks: they were able to make repeated unsuccessful login attempts without being blocked. To prevent this, the team suggested limiting the number of unsuccessful attempts.
– Vulnerable to Cross-Site Request Forgery: A CSRF attack transmits unauthorized commands on behalf of an authenticated user. The SDET security team's remediation was to include an additional token with every relevant (state-changing) request: a cryptographically secure random number generator produces a unique value tied to the user's session, and the server rejects requests whose token does not match.
– SSL Cookies without the Secure Flag: Browsers withhold a cookie from unencrypted HTTP connections only when the cookie carries the Secure flag, so that an attacker on the network never gets the chance to read it. However, the SDET team found many cookies that did not have the Secure flag. The team recommended that the client set the Secure flag on every cookie carrying sensitive website or user data.
– Cross-Site Scripting Potential: The password recovery process on the eCommerce platform was vulnerable to cross-site scripting; the platform did not block XSS attacks from some browsers, especially Internet Explorer 9. The SDET security testing team recommended validating customer data on input and encoding it on output.
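The remediations for the four findings above, as an added example written for this page in Python (not the client's or SDET's own code): a sliding-window login throttle, a per-session CSRF token with constant-time verification, a Set-Cookie builder and an audit of captured Set-Cookie headers for the Secure and HttpOnly flags, and allow-list validation plus HTML encoding for the reflected password-recovery message. The lockout limits, cookie attributes, email pattern, and the plain in-memory session dictionary are assumptions chosen for illustration.

```python
"""Added example: server-side remediations for the four findings above.

Illustrative code written for this page, not the client's or SDET's own
implementation. Session storage, request parsing and response headers are
assumed to be handled by the caller's web framework.
"""
import hmac
import html
import re
import secrets
import time
from collections import defaultdict, deque


# 1. Weak brute-force protection: count failed logins per key (account name
#    or client IP) in a sliding window and lock the key once the limit is hit.
class LoginThrottle:
    def __init__(self, max_failures=5, window_seconds=900, clock=time.time):
        self.max_failures = max_failures  # assumed limit
        self.window = window_seconds      # assumed window (15 minutes)
        self.clock = clock                # injectable for testing
        self._failures = defaultdict(deque)  # key -> timestamps of failures

    def _recent(self, key):
        now = self.clock()
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()  # drop failures older than the window
        return q

    def is_locked(self, key):
        return len(self._recent(key)) >= self.max_failures

    def record_failure(self, key):
        self._recent(key).append(self.clock())

    def record_success(self, key):
        self._failures.pop(key, None)


# 2. CSRF: one unpredictable token per session, echoed back in every
#    state-changing request and compared in constant time.
def issue_csrf_token(session):
    """Return the session's CSRF token, creating it on first use."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)  # 256 bits from os.urandom
    return session["csrf_token"]


def verify_csrf_token(session, submitted):
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    # compare_digest on bytes avoids timing leaks and a TypeError on non-ASCII input
    return hmac.compare_digest(expected.encode(), submitted.encode())


# 3. Cookies without the Secure flag: emit hardened Set-Cookie headers and
#    audit captured ones for missing flags (the check a pentester would run).
def build_set_cookie(name, value, max_age=3600):
    return f"{name}={value}; Max-Age={max_age}; Path=/; Secure; HttpOnly; SameSite=Lax"


def audit_set_cookies(headers):
    """Map cookie name -> list of missing flags for each Set-Cookie header given."""
    findings = {}
    for header in headers:
        name_value, *attrs = header.split(";")
        name = name_value.split("=", 1)[0].strip()
        present = {a.strip().split("=", 1)[0].lower() for a in attrs}
        missing = [flag for flag in ("secure", "httponly") if flag not in present]
        if missing:
            findings[name] = missing
    return findings


# 4. XSS in password recovery: allow-list the input, then HTML-encode whatever
#    is reflected into the response so any markup in the value is rendered inert.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")  # assumed pattern


def escape_html(value):
    return html.escape(value, quote=True)


def render_recovery_message(email):
    if not EMAIL_RE.fullmatch(email):
        raise ValueError("invalid email address")
    return f"<p>A password reset link was sent to {escape_html(email)}.</p>"


if __name__ == "__main__":
    throttle = LoginThrottle(max_failures=3, window_seconds=60)
    for _ in range(3):
        throttle.record_failure("alice@example.com")
    print("locked:", throttle.is_locked("alice@example.com"))
    # constructed sample headers
    print(audit_set_cookies(["cart=1; Path=/", "sid=x; Secure; HttpOnly"]))
    print(escape_html('"><script>alert(1)</script>'))
```

The throttle keys on the account name so that a distributed attack on one account is still caught; in production the failure counts and sessions would live in shared storage (a database or cache) rather than process memory, and the audit function can be pointed at the Set-Cookie headers captured in an intercepting proxy.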
Result:
The SDET pentesting team delivered the evaluation of the eCommerce platform. The penetration test helped the client understand the vulnerable points and the security risks they carried. The client received a report with corrective measures to strengthen the security of the eCommerce website.
Technologies used:
Nmap, DIRB, Metasploit, SQLmap, Burp Suite, Nikto, ZMap, and Nessus