Data security in Online Commerce

PRESENTATION BY ANAND NAIR FOR DATA SECURITY MEET UP. 03/2008
Introduction

• About me:
  - More than a decade of experience as a researcher and developer of secure web services for online infrastructure
  - Contributor to open source projects
  - Speaker at various meet ups on technology and approaches for highly scalable secure architecture
  - Recognized as a technologist in the gaming industry in research and development of online infrastructure
• What's in this presentation:
  - Data security discussion
  - Tools to test security risk
Data vulnerability

The most common web application security weakness is
the failure to properly validate input coming from the
client or environment before using it. This weakness
leads to almost all of the major vulnerabilities in web
applications, such as cross site scripting, SQL injection,
interpreter injection, locale/Unicode attacks, file system
attacks and buffer overflows.
Data Security: Watch the input data

• Data from an external entity or client should never be trusted, since it can be arbitrarily tampered with by an attacker.
• Unfortunately, complex applications often have a large number of data input points, which makes it difficult for a developer to enforce this rule.
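
One way to enforce the rule at a single choke point, shown as an added example (not code from the presentation): every order request passes through one allowlist validator, and the price is read from the server-side table instead of the request. The field names, SKU format and sample catalogue are assumptions made for the illustration.

```python
import re
import sqlite3

ALLOWED_FIELDS = {"sku", "quantity"}        # every other field is rejected
SKU_RE = re.compile(r"[A-Z]{4}-[0-9]{4}")   # assumed SKU format (allowlist)
QTY_RE = re.compile(r"[0-9]{1,2}")          # [0-9], not \d: ASCII digits only

class InputError(ValueError):
    """Raised when a request field fails validation."""

def make_catalogue():
    # Constructed sample data standing in for the shop's product table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (sku TEXT PRIMARY KEY, price_cents INTEGER)")
    db.executemany("INSERT INTO products VALUES (?, ?)",
                   [("BOOK-1001", 1999), ("GAME-2002", 5999)])
    return db

def validate_order(form):
    """Return (sku, quantity) as typed values, or raise InputError."""
    extra = set(form) - ALLOWED_FIELDS
    if extra:
        raise InputError(f"unexpected fields: {sorted(extra)}")
    sku, qty = form.get("sku"), form.get("quantity")
    # fullmatch() anchors both ends, so trailing newlines or SQL text fail.
    if not isinstance(sku, str) or not SKU_RE.fullmatch(sku):
        raise InputError("sku is not in the expected format")
    if not isinstance(qty, str) or not QTY_RE.fullmatch(qty) or int(qty) < 1:
        raise InputError("quantity must be 1-99")
    return sku, int(qty)

def order_total_cents(db, form):
    """Compute the total from the server-side price, never a client value."""
    sku, qty = validate_order(form)
    row = db.execute("SELECT price_cents FROM products WHERE sku = ?",
                     (sku,)).fetchone()       # bound parameter, no string building
    if row is None:
        raise InputError("unknown sku")
    return row[0] * qty

if __name__ == "__main__":
    db = make_catalogue()
    print(order_total_cents(db, {"sku": "BOOK-1001", "quantity": "2"}))
    for tampered in ({"sku": "BOOK-1001", "quantity": "2", "price": "1"},
                     {"sku": "BOOK-1001' OR '1'='1", "quantity": "1"},
                     {"sku": "GAME-2002", "quantity": "-5"}):
        try:
            order_total_cents(db, tampered)
        except InputError as exc:
            print("rejected:", exc)
```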
Data Security: Types of Attack

• A MitM attack can be performed in two different ways:
  - The attacker is in control of a router along the normal point of traffic communication between the victim and the server the victim is communicating with.
  - The attacker is located on the same broadcast domain (e.g. subnet) as the victim.
  - The attacker is located on the same broadcast domain (e.g. subnet) as any of the routing devices used by the victim to route traffic.
Data Security: Transport Protocol

• The attacker has the ability to view and modify any TCP traffic sent to or from the victim machine.
• HTTP traffic is unencrypted and contains no authentication. Therefore, all HTTP traffic can be trivially monitored or modified by the attacker.
Data Security: Secure transport protocol

• A man-in-the-middle position enables the attacker to view most exchanged data, but does not enable the attacker to intercept data exchanged over protocols that implement their own authentication and encryption (e.g. SSH, SSL/TLS).
• The purpose of HTTPS is to create a secure communication channel on top of HTTP by the use of SSL or TLS. On its own, SSL/TLS can be very effective and secure. However, there are significant problems:
  - The browser's handling of SSL/TLS can lead to issues when both HTTPS and HTTP sites are visited by the user.
  - A man in the middle would cause a certificate warning message to appear in the user's browser, which would likely alert the user to the attack, but most users would ignore the warning and continue, thus exposing all of their data.
  - Alternatively, the attacker could try to use tools such as SSLstrip to leverage poor application design with regard to SSL/TLS.
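
The application design weaknesses that make a mixed HTTP/HTTPS site open to downgrade can be checked from the server's own responses. The following is an added example, not part of the original slides: it audits responses for content served over plain HTTP, a missing Strict-Transport-Security header, cookies without the Secure attribute and HTTP links inside HTTPS pages. The shop.example responses and the finding names are constructed for the illustration.

```python
from urllib.parse import urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

def audit_response(url, status, headers, body=""):
    """Return sorted transport-security findings for one HTTP response.

    headers is a list of (name, value) pairs so repeated Set-Cookie survive.
    """
    findings = set()
    hdrs = [(k.lower(), v) for k, v in headers]
    location = next((v for k, v in hdrs if k == "location"), "")
    if urlsplit(url).scheme == "http":
        # Plain HTTP may only bounce the browser to HTTPS; any content served
        # here can be read and rewritten by someone on the path.
        if not (status in REDIRECTS and location.startswith("https://")):
            findings.add("content-served-over-http")
    else:
        if not any(k == "strict-transport-security" for k, _ in hdrs):
            findings.add("missing-hsts")
        if location.startswith("http://"):
            findings.add("https-to-http-redirect")
        if 'action="http://' in body or 'href="http://' in body:
            findings.add("http-link-in-https-page")
    for k, v in hdrs:
        if k == "set-cookie":
            name = v.split("=", 1)[0].strip()
            attrs = [a.strip().lower() for a in v.split(";")[1:]]
            if "secure" not in attrs:
                findings.add("cookie-without-secure:" + name)
    return sorted(findings)

# Constructed responses for a hypothetical shop.example site.
WEAK_LOGIN = ("https://shop.example/login", 200,
              [("Set-Cookie", "session=abc123; Path=/; HttpOnly")],
              '<form action="http://shop.example/auth">')
WEAK_HOME = ("http://shop.example/", 200, [("Content-Type", "text/html")], "")
GOOD_HOME = ("http://shop.example/", 301,
             [("Location", "https://shop.example/")], "")
GOOD_LOGIN = ("https://shop.example/login", 200,
              [("Strict-Transport-Security", "max-age=31536000"),
               ("Set-Cookie", "session=abc123; Path=/; HttpOnly; Secure")],
              '<form action="/auth" method="post">')

if __name__ == "__main__":
    for sample in (WEAK_HOME, WEAK_LOGIN, GOOD_HOME, GOOD_LOGIN):
        print(sample[0], audit_response(*sample))
```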
Using Tools

• Toolkit:
  - Platform to run the application
  - Network switch to create a closed network environment
  - Wireshark (www.wireshark.org)
  - Burp Suite (www.portswigger.net/burp/download.html)
Using Tools: Wireshark
Using Tools: Burp Wire
