
Practical Security Testing of Electronic Commerce Web Applications


Affiliations
1 Assistant Professor, Department of Computer Science, Jaypee Institute of Information Technology, Noida, India
2 Solution Advisor, Deloitte USI, Gurugram, India
 

The availability of the internet and cheaper data tariffs have led people to make effective use of Electronic Commerce (e-commerce) applications for purchasing daily needs and regular household items. The success of e-commerce platforms rests on the trust and security they maintain regarding users' personal and payment data. However, poor design and development, together with unnoticed coding mistakes in e-commerce websites and applications, lead to many vulnerabilities and thereby make them easy targets for hackers. Along with conventional security testing methods, application-dependent methods need to be applied to e-commerce web applications, which are built using various programming environments. To this end, this paper presents various practical security testing methods followed by penetration testers, along with countermeasures that can be applied to avoid vulnerabilities in e-commerce websites.

Keywords

E-Commerce, Penetration Testing, Security, Testing, Trust, Vulnerability.

Authors

P. Raghu Vamsi
Assistant Professor, Department of Computer Science, Jaypee Institute of Information Technology, Noida, India
Agrah Jain
Solution Advisor, Deloitte USI, Gurugram, India