Security at e-commerce sites is absolutely essential: we are living in a world with both ethical and criminal hackers. This presentation gives insights into what we should do to protect our e-commerce sites from external attacks.
2. Where are we?
Recent attacks on e-commerce sites show the vulnerability: the intruder was able to make unauthorized calls to see and manipulate the data.
• Transaction system calls are open publicly.
• Some Web API calls are still on plain HTTP.
• The same username/password is used across multiple clients/channels.
• Most internal applications are open publicly.
3. OWASP Top 10 security guidelines
• A1 – Injection
• A2 – Broken Authentication and Session Management
• A3 – Cross-Site Scripting (XSS)
• A4 – Insecure Direct Object References
• A5 – Security Misconfiguration
• A6 – Sensitive Data Exposure
• A7 – Missing Function Level Access Control
• A8 – Cross-Site Request Forgery (CSRF)
• A9 – Using Components with Known Vulnerabilities
• A10 – Unvalidated Redirects and Forwards
4. A1 – Injection
How?
• SQL injection, LDAP query injection.
Impact
• Unintended commands are executed.
• Data can be accessed without proper authentication.
5. A2 – Broken Authentication & Session Management
How?
• Authentication and session management are not implemented properly.
Impact
• Attackers assume user identities and gain access.
• Attackers get hold of passwords, tokens and session keys.
6. A3 – Cross-Site Scripting
How?
• The application takes untrusted data and sends it to a web browser without proper validation or escaping.
Impact
• Hijack user sessions.
• Redirect users to malicious sites.
7. A4 – Insecure Direct Object References
How?
• The developer exposes references to files, XML objects or DB keys.
Impact
• Attackers can manipulate these references to access unauthorized data.
8. A5 – Security Misconfiguration
How?
• Web servers and DB servers do not implement adequate security policies.
Impact
• Unable to trace the origin of a command.
• Cannot have good control to
9. A6 – Sensitive Data Exposure
How?
• Hashing and encryption techniques are not adequate when storing sensitive data such as passwords, credit card numbers etc.
• Payment info is transmitted in plain text.
Impact
• An intruder can get access to payment info and thereby cause brand damage.
10. A7 – Missing Function Level Access Control
How?
• Function-level access checks are absent on the server at the time of the request.
• Attackers forge requests.
Impact
• Unauthorized access.
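Slides 4 (A1), 7 (A4) and 10 (A7) describe three checks that all happen at the same place, the server-side data access layer, so one added example (not code from the presentation) covers them together. It builds a constructed in-memory SQLite order store (`build_store`, `orders_unsafe`, `orders_safe`, `get_order`, `requires_role` and `refund_order` are all assumed names): `orders_unsafe` keeps the string-built query only to contrast with the parameterised `orders_safe`; `get_order` adds the ownership check that turns a direct object reference into an authorised lookup; `requires_role` enforces function-level access on every call rather than by hiding a button in the UI.

```python
import sqlite3
from functools import wraps

# Constructed in-memory order store for the demo (not a real e-commerce schema).
def build_store():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, total REAL)")
    db.executemany("INSERT INTO orders VALUES (?, ?, ?)", [
        (1001, "alice@example.com", 49.90),
        (1002, "bob@example.com", 120.00),
        (1003, "alice@example.com", 15.25),
    ])
    return db

# A1, vulnerable: the value is pasted into the SQL text, so input can change
# the shape of the query. Kept only to contrast with the fixed version.
def orders_unsafe(db, customer):
    sql = "SELECT id, total FROM orders WHERE customer = '%s'" % customer
    return db.execute(sql).fetchall()

# A1, fixed: parameterised query; the driver passes the value separately,
# so it is never interpreted as SQL.
def orders_safe(db, customer):
    return db.execute("SELECT id, total FROM orders WHERE customer = ?", (customer,)).fetchall()

# A4, fixed: an order id taken from the URL is a direct object reference; the
# server must also check that the logged-in customer owns it before returning it.
def get_order(db, session_customer, order_id):
    row = db.execute(
        "SELECT id, customer, total FROM orders WHERE id = ? AND customer = ?",
        (order_id, session_customer),
    ).fetchone()
    if row is None:
        raise PermissionError("order not found for this customer")
    return {"id": row[0], "total": row[2]}

# A7, fixed: function-level access control checked on the server for every
# call, using roles held in the server-side session, not anything the client sends.
def requires_role(role):
    def decorator(fn):
        @wraps(fn)
        def wrapper(session, *args, **kwargs):
            if role not in session.get("roles", ()):
                raise PermissionError("role %r required" % role)
            return fn(session, *args, **kwargs)
        return wrapper
    return decorator

@requires_role("support")
def refund_order(session, db, order_id):
    db.execute("UPDATE orders SET total = 0 WHERE id = ?", (order_id,))
    return db.execute("SELECT total FROM orders WHERE id = ?", (order_id,)).fetchone()[0]

if __name__ == "__main__":
    db = build_store()
    crafted = "x' OR '1'='1"                 # constructed input that closes the quote
    print(len(orders_unsafe(db, crafted)))   # 3: every customer's orders are returned
    print(len(orders_safe(db, crafted)))     # 0: treated as a literal e-mail address
    print(get_order(db, "alice@example.com", 1001))
    try:
        get_order(db, "bob@example.com", 1001)
    except PermissionError as exc:
        print("blocked:", exc)
    try:
        refund_order({"roles": ["customer"]}, db, 1002)
    except PermissionError as exc:
        print("blocked:", exc)
```

The same pattern applies to LDAP: bind parameters (or the library's escaping function for filter values) instead of string concatenation. Note that `get_order` returns "not found" for both a missing order and someone else's order, so the response does not reveal which ids exist.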
11. A8 – Cross-Site Request Forgery
How?
• The victim's authentication tokens or cookies are used to forge HTTP requests from the victim's browser.
Impact
• The forged requests appear legitimate, thereby compromising the application.
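The standard defence is a per-session token that the browser does not attach automatically, so a request carrying only the cookie is rejected. This added example (not from the presentation) shows that exchange with a minimal handler: `issue_csrf_token`, `verify_csrf_token`, `handle_change_address` and the `SERVER_KEY` secret are all assumed names, and the request dictionaries stand in for a real framework's request object.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # constructed per-process secret for the demo

def issue_csrf_token(session_id):
    """Token bound to the session: nonce || HMAC(server_key, session_id:nonce).
    It is embedded in the site's own forms; a page on another origin cannot
    read it, so a cross-site request cannot present it."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_KEY, ("%s:%s" % (session_id, nonce)).encode(), hashlib.sha256).hexdigest()
    return "%s.%s" % (nonce, mac)

def verify_csrf_token(session_id, token):
    try:
        nonce, mac = token.split(".", 1)
    except (AttributeError, ValueError):
        return False
    expected = hmac.new(SERVER_KEY, ("%s:%s" % (session_id, nonce)).encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)

def handle_change_address(request):
    """State-changing handler. The session cookie is sent by the browser on
    every request, including forged ones, so the form token must also match."""
    session_id = request["cookies"].get("session")
    if session_id is None:
        return 401, "not logged in"
    if not verify_csrf_token(session_id, request["form"].get("csrf_token")):
        return 403, "csrf check failed"
    return 200, "address updated to " + request["form"]["address"]

if __name__ == "__main__":
    sid = "sess-42"
    token = issue_csrf_token(sid)
    # Legitimate submission from the site's own form: cookie plus token
    print(handle_change_address({"cookies": {"session": sid},
                                 "form": {"csrf_token": token, "address": "1 Main St"}}))
    # Forged submission from another origin: the browser attaches the cookie,
    # but the form carries no valid token
    print(handle_change_address({"cookies": {"session": sid},
                                 "form": {"address": "somewhere else"}}))
```

Because the token is derived from the session id with a server-side key, it does not need to be stored, and a token issued for one session fails verification for another. Setting `SameSite=Lax` or `Strict` on the session cookie is a useful second layer, but the token check should remain, since older browsers and some cross-site navigations do not honour it.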
12. A9 – Components with Known Vulnerabilities
How?
• Frameworks and components run with full privileges.
Impact
• Any issue in these will in turn cause issues in the main application.
13. A10 – Unvalidated Redirects and Forwards
How?
• No validation is in place when redirecting to other pages and applications.
Impact
• Phishing attacks redirect users to applications through which sensitive information can be captured.
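A typical e-commerce instance of this is a `?next=` parameter on the login page. The block below is an added example (not from the presentation) of validating that parameter before redirecting: `safe_redirect_target`, `SITE_ORIGIN` and `ALLOWED_HOSTS` are assumed names and values. It goes beyond the slide by covering the usual ways a host check gets bypassed: protocol-relative `//host` URLs, backslashes that browsers treat as slashes, non-http schemes, look-alike subdomains and `user@host` tricks.

```python
from urllib.parse import urljoin, urlparse

SITE_ORIGIN = "https://shop.example"                  # constructed: the store's own origin
ALLOWED_HOSTS = {"shop.example", "pay.shop.example"}   # constructed allow-list

def safe_redirect_target(next_url, fallback="/account"):
    """Return a redirect target that stays on an allowed host, else the fallback."""
    if not next_url:
        return fallback
    # Browsers treat backslashes like slashes, so normalise before parsing
    candidate = next_url.strip().replace("\\", "/")
    # Resolve relative paths against our own origin so every candidate becomes a
    # full URL whose scheme and host can be inspected; '//evil.example' resolves
    # to https://evil.example and is caught by the host check below
    parsed = urlparse(urljoin(SITE_ORIGIN, candidate))
    if parsed.scheme not in ("http", "https"):
        return fallback
    # hostname strips any 'user:pass@' prefix and port, and is lower-cased,
    # so exact set membership is the right comparison (no prefix/suffix matching)
    if parsed.hostname not in ALLOWED_HOSTS:
        return fallback
    return parsed.geturl()

if __name__ == "__main__":
    for value in ["/checkout?step=2", "https://pay.shop.example/confirm",
                  "https://evil.example/login", "//evil.example/x",
                  "/\\evil.example", "javascript:alert(1)",
                  "https://shop.example.evil.example/", "https://shop.example@evil.example/", ""]:
        print("%-45r -> %s" % (value, safe_redirect_target(value)))
```

Server-side forwards need the same idea in a different form: map a request parameter onto a fixed set of named internal destinations rather than forwarding to whatever path the parameter names.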
14. Next steps...
Take a proactive approach.
It is better to beef up security now than to repent later.
Security should be reviewed constantly, and it needs to be emphasised during code reviews.