Web Application Security and Guidelines

E-commerce applications may look very secure at the network level, but if the application core or the platform itself is vulnerable, an attacker can compromise them regardless of how well the network is protected.

Take an e-commerce portal as an example. There are three ways to use this portal:

  1. A user can simply visit the website (Surf)
  2. A user can visit and make a purchase (Commercial Transaction)
  3. A user can modify the content of the website (Administrate)

Let us analyze these scenarios one by one and see how an attacker could abuse each way of accessing the portal.

User can come and visit the site (Surf)

In this scenario, the user (an attacker) will try to exploit the application by injecting either scripts or SQL code. This is a very basic attack and, in most cases, one of the most effective.

Script injection and cross-site request forgery damage the reputation of the website. Moreover, attackers these days try to inject malware and other code into the application, which can lead to the site no longer opening in popular browsers such as Opera and Firefox because of their association with stopbadware.org.

How to protect your applications from such attacks?

  • If you are using a CMS, make sure it is kept up to date
  • Use a WAF (Web Application Firewall) to protect the application from known attacks
  • Sanitize and validate all user input
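The following is an added example, not code from the original post, showing what "sanitize user inputs" means for the two injection types mentioned above. It uses a constructed in-memory SQLite catalogue and a hypothetical product search: the vulnerable `search_vulnerable` splices the search term into the SQL text, so the term can change the query's logic, while `search_safe` passes it as a bound parameter, and `render_result` HTML-escapes text before it reaches the page so injected script tags become inert text.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory catalogue used only by this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, public INTEGER)"
    )
    # The second row is not public and must never be returned by a search.
    conn.executemany(
        "INSERT INTO products (name, public) VALUES (?, ?)",
        [("Laptop", 1), ("Internal test SKU", 0)],
    )
    return conn


def search_vulnerable(conn, term):
    """BAD: the search term is concatenated straight into the SQL text,
    so a term containing quotes or comment markers rewrites the query."""
    sql = (
        "SELECT name FROM products WHERE public = 1 AND name LIKE '%"
        + term
        + "%'"
    )
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, term):
    """GOOD: the term is bound as a parameter; the driver sends it as data,
    and the 'public = 1' condition can no longer be bypassed by input."""
    sql = "SELECT name FROM products WHERE public = 1 AND name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


def render_result(term, names):
    """Escape every piece of user-influenced text before it enters HTML,
    so '<script>' in a search term is shown literally instead of executed."""
    items = "".join("<li>%s</li>" % html.escape(n) for n in names)
    return "<p>Results for %s</p><ul>%s</ul>" % (html.escape(term), items)


if __name__ == "__main__":
    db = make_db()
    probe = "%' OR 1=1 --"  # constructed input that breaks out of the quoted LIKE pattern
    print("vulnerable:", search_vulnerable(db, probe))  # leaks the non-public row
    print("safe:      ", search_safe(db, probe))        # nothing matches literally
    print(render_result("<script>alert(1)</script>", ["Laptop"]))
```

The point to take from the two search functions is that a WAF can only guess at which inputs are dangerous, whereas parameter binding removes the ambiguity entirely: the term is never parsed as SQL, so no list of bad characters needs to be maintained.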

User can come and make a purchase (Commercial Transaction)

In this scenario, an attacker can try to exploit the transaction system by injecting code and using cross-site scripting. Often the attacker can buy a product at a lower price by changing the rate sent back to the server.

How to protect your applications from such attacks?

  • Encode data before it leaves the server and decode and verify it when it comes back
  • Use URL encryption so that the parameters in a link cannot be altered by the user
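As an added example (not the post's own code), the following shows both halves of the price-tampering problem described above. A hypothetical `checkout_vulnerable` trusts whatever `price` value the browser sends back; `checkout_safe` first verifies an HMAC signature over the URL parameters (one concrete form of "encode and decode" / "URL encryption"), and then, even if the signature is valid, takes the price from the server-side catalogue rather than from the request. The catalogue, the secret key and the SKUs are constructed for the example.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed catalogue: the server's price is the only price that counts (cents).
CATALOG = {"SKU-100": 49900, "SKU-200": 1999}

# Hypothetical server-side secret; a real deployment loads it from configuration.
SECRET_KEY = b"example-secret-do-not-use"


def _canonical(params):
    """Deterministic encoding of the parameters so both sides sign the same bytes."""
    return urlencode(sorted(params.items())).encode()


def sign_params(params):
    """Build a query string with an HMAC-SHA256 tag over the parameters as 'sig'."""
    base = urlencode(sorted(params.items()))
    tag = hmac.new(SECRET_KEY, base.encode(), hashlib.sha256).hexdigest()
    return base + "&sig=" + tag


def verify_params(query):
    """Return the parameters if the 'sig' tag matches, otherwise None."""
    parsed = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    tag = parsed.pop("sig", None)
    if tag is None:
        return None
    expected = hmac.new(SECRET_KEY, _canonical(parsed), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many leading bytes matched.
    if not hmac.compare_digest(tag, expected):
        return None
    return parsed


def checkout_vulnerable(query):
    """BAD: multiplies quantity by the price the client sent back."""
    p = {k: v[0] for k, v in parse_qs(query).items()}
    return int(p["qty"]) * int(p["price"])


def checkout_safe(query):
    """GOOD: rejects unsigned or altered parameters, then prices from CATALOG.
    Returns the total in cents, or None if the request is rejected."""
    p = verify_params(query)
    if p is None:
        return None
    qty = int(p["qty"])
    if qty < 1 or p["sku"] not in CATALOG:
        return None
    return qty * CATALOG[p["sku"]]


if __name__ == "__main__":
    link = sign_params({"sku": "SKU-100", "qty": "2", "price": "49900"})
    altered = link.replace("price=49900", "price=1")
    print("honest link, safe checkout:   ", checkout_safe(link))
    print("altered link, naive checkout: ", checkout_vulnerable(altered))
    print("altered link, safe checkout:  ", checkout_safe(altered))
```

Note that the signature alone would be enough to detect the altered `price`, but the safer design is to not carry a client-supplied price at all: the server already knows what each SKU costs, so the request only needs to identify the product and quantity.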

User can change the content of the website (Administrate)

In this scenario, an attacker will look for common administration file paths and try common usernames and passwords against them (a brute-force attack). For example, in many custom or off-the-shelf CMSs the administrator login file is admin.php, and in the majority of cases the username is admin with a password of admin, admin123 or admin123#.

To prevent this scenario:

  • Do not use the default admin page path
  • Do not use weak or default usernames and passwords
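The two controls above are the preventive side; an added example follows (not code from the original post) covering the detective side and a check for the weak credentials named in the text. `find_bruteforce` reads constructed web-server access log lines, counts failed POSTs (HTTP 401) to the admin login path per client address, and flags any address with five or more failures inside a one-minute sliding window; `credential_problems` rejects the default admin/admin-style pairs mentioned above. The log lines, the IP addresses (documentation ranges), the watch list of admin paths and the thresholds are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log sample in common log format; no real hosts.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /admin.php HTTP/1.1" 401 512
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "POST /admin.php HTTP/1.1" 401 512
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "POST /admin.php HTTP/1.1" 401 512
203.0.113.7 - - [10/Oct/2023:13:55:04 +0000] "POST /admin.php HTTP/1.1" 401 512
203.0.113.7 - - [10/Oct/2023:13:55:05 +0000] "POST /admin.php HTTP/1.1" 401 512
203.0.113.7 - - [10/Oct/2023:13:55:06 +0000] "POST /admin.php HTTP/1.1" 200 2048
198.51.100.4 - - [10/Oct/2023:13:56:00 +0000] "POST /admin.php HTTP/1.1" 401 512
198.51.100.4 - - [10/Oct/2023:14:10:00 +0000] "POST /admin.php HTTP/1.1" 200 2048
"""

# client - - [timestamp] "METHOD path protocol" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Hypothetical watch list of admin login paths for this site.
ADMIN_PATHS = ("/admin.php", "/wp-login.php")

# Default pairs from the text; a real list would be much longer.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "admin123"), ("admin", "admin123#")}


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, method, path, int(status)


def find_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return sorted client IPs with >= threshold failed admin logins in any window."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, when, method, path, status = rec
        if method == "POST" and path in ADMIN_PATHS and status == 401:
            failures[ip].append(when)
    flagged = set()
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return sorted(flagged)


def credential_problems(username, password):
    """List reasons an admin credential pair should be rejected (empty list = ok)."""
    problems = []
    if (username, password) in DEFAULT_CREDENTIALS:
        problems.append("default credential pair")
    if username == "admin":
        problems.append("predictable username")
    if len(password) < 12:
        problems.append("password shorter than 12 characters")
    return problems


if __name__ == "__main__":
    print("brute-force sources:", find_bruteforce(SAMPLE_LOG))
    print("admin/admin123 ->", credential_problems("admin", "admin123"))
```

A successful login (status 200) shortly after a run of failures from the same address, as in the first client's lines, is the case worth alerting on with priority: it is the pattern of a password guess that eventually worked.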
