E-commerce applications may look very secure at the network level, but if the application core or the platform itself is vulnerable, anyone can easily compromise them.
Let us take an e-commerce portal as an example. There are three ways to access such a portal:
- The user simply visits the website (Surf)
- The user visits and makes a purchase (Commercial Transaction)
- The user modifies the content of the website (Administrate)
Let us analyze these scenarios one by one and see how an attacker could gain access to the portal.
User can come and visit the site
In this scenario the user (here, the attacker) tries to exploit the application by injecting scripts or SQL code. This is very basic and, in most cases, one of the most effective types of attack.
Script injection and cross-site request forgery damage the reputation of the website. Moreover, attackers these days try to inject malware and other code into the application, which can lead to the site no longer opening in popular browsers such as Opera and Firefox because of their association with stopbadware.org.
How to protect your applications against such attacks:
- If you are using a CMS, make sure it is kept up to date
- Use a WAF (Web Application Firewall) to protect the application from known attacks
- Sanitize all user input
User can come and make a purchase (Commercial Transaction)
In this scenario an attacker tries to exploit the transaction system by injecting code or using cross-site scripting. Many times the attacker can buy a product by changing the rates (price tampering).
How to protect your applications against such attacks:
- Encode data before sending it and decode it on the server
- Encrypt URL parameters so they cannot be tampered with
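The price-tampering scenario above, as an added example that is not part of the original article: a checkout handler that trusts the price in the URL beside a hardened one that verifies an HMAC over the checkout parameters and prices the order from the server-side catalogue. The catalogue, the signing secret and the function names are constructed for the demonstration.

```python
import hmac
import hashlib
from urllib.parse import parse_qs, urlencode

# Constructed sample catalogue: the server's authoritative prices, in cents.
CATALOG = {"sku-100": 4999, "sku-200": 12900}

# Constructed server-side secret used to sign checkout links (hypothetical).
SECRET = b"constructed-demo-secret"


def vulnerable_total(query: str) -> int:
    """Trusts the price carried in the URL: a buyer who edits it pays what they like."""
    params = parse_qs(query)
    qty = int(params["qty"][0])
    price = int(params["price"][0])  # attacker-controlled value
    return qty * price


def sign_params(params: dict) -> str:
    """Build a checkout query string carrying an HMAC over the canonical parameters."""
    canonical = urlencode(sorted(params.items()))
    sig = hmac.new(SECRET, canonical.encode(), hashlib.sha256).hexdigest()
    return canonical + "&sig=" + sig


def hardened_total(query: str) -> int:
    """Verify the signature, then price the order from the server-side catalogue."""
    params = {k: v[0] for k, v in parse_qs(query).items()}
    sig = params.pop("sig", "")
    canonical = urlencode(sorted(params.items()))
    expected = hmac.new(SECRET, canonical.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("tampered checkout parameters")
    sku = params["sku"]
    qty = int(params["qty"])
    if sku not in CATALOG or qty < 1:
        raise ValueError("invalid order")
    # Any client-supplied price is ignored: the catalogue is authoritative.
    return qty * CATALOG[sku]


def is_rejected(query: str) -> bool:
    """True when the hardened handler refuses the checkout request."""
    try:
        hardened_total(query)
    except ValueError:
        return True
    return False
```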
User can change the contents of the website (Administrate)
In this scenario an attacker looks for common administration file paths and tries common usernames and passwords against them (brute-force attack). For example, in many custom or ready-made CMSs the administrator login file is admin.php, and in the majority of cases the username is admin with a password of admin, admin123 or admin123#.
To prevent such a scenario:
- Do not use the default admin page path
- Do not use weak usernames and passwords