In today’s world, where virtual lives are taking over the real ones, the only way for a business to thrive is by establishing an online presence. With more and more retail stores adopting digitization every day, the e-commerce industry has never been more successful and popular than it is in the current times.
According to the data provided by Statista, e-commerce revenue is projected to grow to a whopping $5.4 trillion by 2022.
These days, there are hundreds and thousands of e-commerce applications catering to a diverse customer base. While the use of these applications has significantly contributed to the success of several businesses and companies, they have also provided cyber criminals with a lucrative target. Most e-commerce applications are often riddled with various vulnerabilities that could lead to critical security and privacy issues.
After conducting web application security assessments for numerous e-commerce applications, Kratikal’s VAPT team has come across an array of unique and interesting vulnerabilities with the potential of disrupting a company’s business operations. So, here is a specially curated list of the top 5 high-risk vulnerabilities we found in various e-commerce applications.
#1 Parameter Tampering
Parameter tampering is a critical vulnerability, which can lead to price manipulation and is often found in an e-commerce application’s online payment gateways and shopping carts. An application is vulnerable to price manipulation or parameter tampering if its server places undue trust in client-side validation or does not validate user input on the server-side while processing an order.
Usually, the total payable amount for the order placed is stored in a hidden HTML field of a dynamically generated web page. For instance, an order is placed on an e-commerce application by clicking on the link that contains certain parameters related to the order like:
https://www.e-commerce-store.com/order/addTocart?productId=12345&qty=2&price=3200
Malicious actors can use direct request manipulation or a web application proxy like Achilles or CLI tool to modify the total payable amount when the order is processed. By exploiting this vulnerability, attackers can:
- purchase any item for ₹1 or any other value of yours
- get a refund of the full amount even if the item is purchased for just ₹1
#2 Insecure Direct Object Reference (IDOR)
Counted amongst the most serious vulnerabilities in e-commerce applications, IDOR takes place when an application accepts input from a user and uses that input to retrieve a database key or a file without sufficient authorization. When this happens, a malicious actor can make certain changes in the references and gain access to unauthorized data.
For example, while browsing an e-commerce application, an attacker notices that when they click on a link to place an order, there is a link in the form like:
https://www.e-commerce-store.com/order/addTocart?pmode=cod&qty=2&price=3200
Here, the mode of payment (pmode=cod) has been included as a parameter. In this case, the attacker can modify the mode of payment to prepaid (pmode=prepaid) like:
https://www.e-commerce-store.com/order/addTocart?pmode=prepaid&qty=2&price=3200
By doing this, anyone can place a COD order and pass it off as a prepaid order, essentially purchasing the goods for free.
Additionally, malicious actors can also misuse this vulnerability to cancel the order of other users and perform various other malicious activities.
#3 Unvalidated Redirects and Forwards
The possibility of unvalidated redirects and forwards arises when an e-commerce application accepts untrusted inputs that can cause the application to redirect a request to a URL included in the untrusted inputs. By modifying the untrusted URL input in a way where it takes users to a malicious site and attackers can launch sophisticated phishing attacks and successfully steal user credentials.
As the server link contained in the modified URL stays identical to the original site, these phishing attempts look legitimate and are more likely to succeed. This vulnerability can also be exploited to craft a malicious URL capable of passing the application’s access control check, which can enable attackers to access privileged functions.
#4 Local File Inclusion
Local File Inclusion (LFI) is the process of including files locally present on the server by exploiting the vulnerable inclusion procedures implemented in an e-commerce application. This vulnerability enables the attackers to trick an e-commerce application into either exposing or running files on a web server. LFI occurs due to the improper sanitization of the paths passed to “include” statements.
Attackers can exploit this vulnerability to pull any file from the server including password files, database files and sensitive user data. An LFI attack can result in information disclosure, cross-site scripting (XSS) or remote code execution.
For example, if an e-commerce application uses a code that includes a file’s name in the URL such as:
https://www.e-commerce-store.com/?module=contact.php
A malicious actor can change the URL to something like this:
https://www.e-commerce-store.com/?module=/etc/passwd
In the absence of proper filtering processes, the web server will expose the sensitive content of the /etc/passwd file.
#5 Cross-site Request Forgery
Using Cross-site Request Forgery (CSRF), malicious actors can send maliciously crafted requests to get users to unknowingly perform any action by getting them to simply click on the requests. Through CSRF attacks, malicious actors make a target system carry out a function via the target user’s browser without the user’s knowledge. The impact of successful CSRF attacks can vary based on the privileges held by victim users.
Also known as Session Riding, XSRF or Sea Surf, CSRF exploits the fact that an e-commerce application completely trusts a user once the identity of that user has been confirmed. These attacks can have devastating consequences such as unauthorized fund transfers, data theft and changed passwords.
In the case of e-commerce applications, attackers can also use CSRF attacks to cancel the delivery of another user. For example, a typical ‘cancel order’ request might look like:
https://www.e-commerce-store.com/myorder/cancel?orderid=3245&userid=1234
An attacker can disguise this URL in an email like:
<img src = “https://www.e-commerce-store.com/myorder/cancel?orderid=3245&userid=1234” width=“0” height= “0”>
Once a target user clicks on this disguised request, the order cancellation is carried out without the knowledge of the user.
Now that we have discussed the top 5 high-risk vulnerabilities found in e-commerce applications, you must understand how severely your business can be disrupted if an attacker decides to target your application.
To avoid some devastating consequences, it is highly advisable to make sure you detect any vulnerabilities in your e-commerce application before malicious actors have a chance to exploit them. You can do that by conducting periodic web application security testing and fixing all the vulnerabilities detected immediately.
Being proactive is the only way to keep your application secure!
WAIT!
It’s not over yet…
Here’s a chance to become a BUG BUSTER!
Leave the best recommendations for one or more of these vulnerabilities in the comments section below and win your BUG BUSTER certificate!
Leave a comment
Your email address will not be published. Required fields are marked *