The growth in online transactions has been followed by an equal rise in the number and types of attacks on the security of online payment systems. Some of these attacks have taken advantage of vulnerabilities in third-party plug-ins used by eCommerce websites, such as shopping cart software.
Other attacks have made use of vulnerabilities that are common to any web application, such as SQL injection or cross-site scripting. This article has been written with reference to K.K Mookhey's paper on Security Focus, published in the Security Community of Symantec Connect. It gives you an overview of these vulnerabilities with examples, either from the set of known vulnerabilities or from those discovered during the original author's penetration testing assignments.
The different types of vulnerabilities discussed here are:
- SQL injection
- Price Manipulation
- Buffer Overflows
- Cross-site scripting
- Weak authentication or authorization
Exploitation of these vulnerabilities can lead to a wide range of harmful results. SQL injection or price manipulation attacks can cripple the website and compromise confidentiality, and in the worst cases they can force the e-commerce business to shut down completely.
A Background on Security Vulnerabilities
There are many reasons why security vulnerabilities occur in shopping cart and online payment systems. The primary reason is that web application developers are often unaware of secure programming techniques. As a result, the security of the application is frequently not on their list of development tasks at all.
Securing the eCommerce website becomes an even lower priority because of the pressure to meet deadlines in the fast-moving e-commerce world. Even a day's delay in publishing a new feature on the website can easily increase your risk of losing business to a competitor. We have typically found this in cases where eCommerce businesses need to regularly add functionality to their websites to keep pace with the rising demands of customers and industry trends.
In such a scenario, the primary goal is to get the functionality in place; security can always be taken care of later, and is often not reconsidered until a vulnerability is exploited. Another reason security vulnerabilities occur is the inherent complexity of most online systems. Demanding customers place requirements on their e-commerce providers that call for complex designs and programming logic.
Let us now move on to the details of each vulnerability in an eCommerce website.
SQL Injection
SQL injection refers to the insertion of SQL meta-characters into user input in such a way that the attacker's queries are executed by the back-end database. Usually, attackers first identify whether a site is vulnerable to such an attack by sending in the single-quote (‘) character. A successful SQL injection attack on a vulnerable eCommerce site can give the attacker the following:
- Knowledge of the back-end technology used by the eCommerce website.
- Access to restricted areas of the site, by manipulating the query into an always-true Boolean condition.
- Execution of operating system commands.
One of the best-known of these attacks occurred when Jeremiah Jacks, a 20-year-old programmer in Orange County, California, found that it was possible to gain access to highly confidential data such as credit card numbers and transaction details through SQL injection.
Price Manipulation
This is a vulnerability that is largely unique to online shopping carts. Typically, the total payable price of the goods is stored in a hidden HTML field of a dynamically generated page. An attacker can use a web application proxy such as Achilles to change the payable amount as this information flows from the user's browser to the web server.
The attacker can thus set the final payable price to a value of his choice. This information is then sent to the payment gateway with which the online merchant is associated. If the volume of transactions is very high, the price manipulation may go completely unnoticed, or may only be discovered when it is too late.
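To show why the hidden-field total must never be trusted, here is an added example (not code from the article or from any shopping cart it mentions) contrasting a checkout that charges whatever the form posted back with one that recomputes the total from a server-side price list. The catalog, SKUs and request body are constructed sample values.

```javascript
// Added example, not from the article: a checkout that trusts the hidden
// "total" field beside one that recomputes the amount from a server-side
// price list. Catalog, SKUs and the request body are constructed values.
const CATALOG = {                           // prices in integer cents
  'sku-100': { name: 'Webcam', priceCents: 4999 },
  'sku-200': { name: 'USB hub', priceCents: 1999 },
};

// Vulnerable pattern: the amount charged is whatever the form posted back,
// so a proxy rewriting the hidden field in transit sets the price.
function vulnerableCheckout(body) {
  return { charged: Number(body.total) };
}

// Hardened pattern: only SKUs and quantities come from the client; prices
// and the total are taken from the catalog the merchant controls.
function computeTotalCents(items, catalog = CATALOG) {
  let total = 0;
  for (const { sku, qty } of items) {
    const entry = catalog[sku];
    if (!entry) throw new Error(`unknown sku: ${sku}`);
    if (!Number.isInteger(qty) || qty < 1 || qty > 99) {
      throw new Error(`invalid quantity for ${sku}`);
    }
    total += entry.priceCents * qty;
  }
  return total;
}

function hardenedCheckout(body, catalog = CATALOG) {
  const total = computeTotalCents(body.items, catalog);
  // The posted total is only a consistency check, never the amount sent to
  // the gateway; a mismatch is worth logging as a tampering attempt.
  return { charged: total, tampered: Number(body.total) !== total };
}

// Constructed request: two webcams and one hub (11997 cents) with the
// hidden total rewritten to 1 cent on its way to the server.
const TAMPERED_BODY = {
  items: [{ sku: 'sku-100', qty: 2 }, { sku: 'sku-200', qty: 1 }],
  total: 1,
};
```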
Buffer overflows
Although not very common in online shopping carts, buffer overflow vulnerabilities should definitely not be ignored. Sending a large number of bytes to a web application that is not equipped to handle the data can lead to unexpected consequences. A growing eCommerce business is likely to come across such a scenario at some point. In one of the author's penetration testing assignments, it was possible to disclose the path of the PHP functions being used by sending a very large value in the input fields. When 6,000 or more bytes were fed into a particular field, the back-end PHP script was unable to process them, and the error that was displayed revealed the location of these PHP functions. Using this error information, it was possible to access the restricted ‘admin’ folder.
Cross Site Scripting
The cross-site scripting attack is primarily targeted against the end user and takes advantage of two factors:
- The lack of adequate input validation by the web application.
- The trust placed by the end user in a URL that carries the vulnerable website's name.
In most cases, the attacker crafts the URL in order to steal the user's cookie, which holds the session ID and other sensitive information. The JavaScript can also be written to redirect the user to the attacker's website, where malicious code can be pushed using ActiveX controls or by taking advantage of browser vulnerabilities that are common in Internet Explorer or Netscape Navigator.
Weak Authentication or Authorization
An authentication mechanism that does not restrict multiple failed logins can be easily attacked using tools such as Brutus. Similarly, if the web site uses HTTP Basic Authentication or does not pass session IDs over SSL (Secure Sockets Layer), an attacker can easily sniff the traffic to discover users' authentication and/or authorization credentials.
How NodeJS Can Address Security Vulnerabilities Better Than Other Technologies
With an eCommerce website built with NodeJS, you don't have to worry as much about security, especially for the payment gateway feature of the e-commerce platform. Big players like Walmart and PayPal have benefited greatly from moving their applications to NodeJS. However, to prevent security vulnerabilities, they have followed some of the NodeJS development best practices listed below.
Use of TLS
If your application's workflow involves the transmission of sensitive data, use Transport Layer Security (TLS) to secure the connection and the data. TLS encrypts data before it is sent from the client to the server, thus preventing some common and easy attacks.
Use of Helmet
Helmet can help protect your app from some well-known security vulnerabilities by setting HTTP headers appropriately.
Helmet is actually just a collection of smaller middleware functions that set security-related HTTP response headers.
Using cookies securely
To ensure cookies do not open your App to attacks, do not use the default session cookie name and set cookie security options appropriately.
Prevent brute-force attacks against authorisation
Make sure that the login endpoints are protected to keep private data more secure.
A common and powerful method is to block authorization attempts using two metrics:
- The first is the number of consecutive failed attempts by the same user name and IP address.
- The second is the number of failed attempts from an IP address over a period of time. For example, block an IP address if it makes 100 failed attempts in one day.
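The two metrics above, implemented as an added example (not code from the article or from any Node module it names): a throttle that tracks consecutive failures per user name and IP and total failures per IP over a 24-hour window. The limits, IP addresses and attempt stream are constructed values, and the clock is injected so the window can be exercised offline.

```javascript
// Added example, not from the article: a login throttle applying the two
// metrics above. Limits, IPs and the attempt stream are constructed sample
// values; the clock is injected so the 24-hour window can be exercised.
const CONSECUTIVE_LIMIT = 5;    // failed attempts for one user name + IP
const IP_DAILY_LIMIT = 100;     // failed attempts from one IP in 24 hours
const DAY_MS = 24 * 60 * 60 * 1000;
class LoginThrottle {
  constructor(now = () => Date.now()) {
    this.now = now;
    this.consecutive = new Map(); // "user|ip" -> consecutive failures
    this.ipFailures = new Map();  // ip -> failure timestamps in window
  }
  // Prune failures older than a day for this IP and return what remains.
  recentIpFailures(ip) {
    const cutoff = this.now() - DAY_MS;
    const kept = (this.ipFailures.get(ip) || []).filter((t) => t > cutoff);
    this.ipFailures.set(ip, kept);
    return kept;
  }
  // Check before verifying the password; a blocked attempt is refused.
  isBlocked(user, ip) {
    return (this.consecutive.get(`${user}|${ip}`) || 0) >= CONSECUTIVE_LIMIT ||
      this.recentIpFailures(ip).length >= IP_DAILY_LIMIT;
  }
  recordFailure(user, ip) {
    const key = `${user}|${ip}`;
    this.consecutive.set(key, (this.consecutive.get(key) || 0) + 1);
    this.recentIpFailures(ip).push(this.now());
  }
  // Success clears only the per-user counter; per-IP history stays throttled.
  recordSuccess(user, ip) {
    this.consecutive.delete(`${user}|${ip}`);
  }
}

// Constructed scenario: 5 bad passwords for alice from 10.0.0.1, then 100
// failures against different user names from 10.0.0.2, one per minute.
function demo() {
  let t = 0;
  const th = new LoginThrottle(() => t);
  for (let i = 0; i < CONSECUTIVE_LIMIT; i++) th.recordFailure('alice', '10.0.0.1');
  const aliceBlocked = th.isBlocked('alice', '10.0.0.1');
  const bobSameIp = th.isBlocked('bob', '10.0.0.1');  // under both limits
  for (let i = 0; i < IP_DAILY_LIMIT; i++) { t += 60000; th.recordFailure(`u${i}`, '10.0.0.2'); }
  const sprayBlocked = th.isBlocked('carol', '10.0.0.2');
  t += DAY_MS + 1;                                     // window has expired
  const sprayAfterDay = th.isBlocked('carol', '10.0.0.2');
  return { aliceBlocked, bobSameIp, sprayBlocked, sprayAfterDay };
}
```

In a real deployment the two maps would live in a shared store such as Redis so that every application instance sees the same counts.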
Ensure your dependencies are secure
Using npm to manage your application's dependencies is definitely worthwhile: since npm@6, npm automatically reviews every install request. In addition, you can use ‘npm audit’ to examine your dependency tree.
Avoid other known vulnerabilities
Stay aware of Node Security Project or Snyk advisories that may affect Express or other modules that your application uses. These databases are an excellent source of knowledge and tools about Node security.
Some further recommendations from the Node Security Checklist
- Use csurf middleware to protect against cross-site request forgery (CSRF).
- Always filter and clean user input to protect against cross-site scripting (XSS) and command injection attacks.
- Use parameterized queries or prepared statements to secure your App from SQL injection attacks.
- Use the open-source sqlmap tool to detect any SQL injection vulnerabilities in your App.
- Use the nmap and sslyze tools to test the configuration of your SSL, and keep track of the expiry of the certificate.
- Use safe-regex to ensure your regular expressions are not prone to regular expression denial of service attacks.