E-commerce websites are hot targets for cybercriminals because of the volume of sensitive data exchanged.
To stay on top of the ever-evolving methods hackers use and prevent your e-commerce website from being breached, you need to identify your system vulnerabilities – you need penetration testing.
Let’s take a step back and look at the types of e-commerce vulnerabilities first.
E-commerce specific vulnerabilities
1. Content management system (CMS)
Most e-commerce businesses use a CMS to publish new content, and that CMS is integrated with various partners, providers, resellers and content providers. Being the central hub of the e-commerce business, with multiple integrations, makes it a hotbed for security gaps.
Red flags to look out for:
- Unusual activity in role-based access control (RBAC), which should restrict system access to specific people or resources based on their role in the company.
- Security threats within the customer notification system
- Third-party API flaws
- Abuse of rich-text editor functionality, i.e., the editors used to author the text shown on the site
2. Coupon and reward management
These vulnerabilities are particularly complex and range from flaws in coupon redemption to bypassing coupon terms and conditions or using multiple coupons on one transaction. Early last year, the systems McDonald’s used to issue free vouchers in Germany were affected by a software vulnerability that allowed hackers to order an endless number of hamburgers, or any other item on the menu, completely free of charge.
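As an added example (not code from the original article, nor from any company it mentions), the Python sketch below shows the server-side controls that close off the coupon abuses described above: one coupon per order, expiry and minimum-order terms enforced, a discount that can never push the payable amount below zero, and a per-customer redemption limit that is recorded only after every rule has passed, so a voucher cannot be redeemed endlessly. The coupon catalogue, the redemption ledger and the fixed "today" date are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date

# Added example, not the article's code. Coupon catalogue and redemption
# ledger are constructed sample data; a real store loads them from its database.


@dataclass(frozen=True)
class Coupon:
    code: str
    percent_off: int            # discount as a percentage of the subtotal
    min_order_cents: int        # T&C: minimum subtotal for the coupon to apply
    expires: date               # T&C: last valid day
    max_uses_per_customer: int  # T&C: how often one customer may redeem it


COUPONS = {
    "SAVE10": Coupon("SAVE10", 10, 2000, date(2030, 12, 31), 1),
    "OLD5": Coupon("OLD5", 5, 0, date(2020, 1, 1), 5),
}

# Redemption ledger: (customer_id, code) -> times already redeemed.
REDEMPTIONS: dict[tuple[str, str], int] = {}

TODAY = date(2025, 1, 1)  # fixed "today" so the example is reproducible


def price_with_coupons(customer_id, subtotal_cents, codes, today=TODAY):
    """Return (total_cents, None) on success or (None, reason) on rejection.

    Every rule is enforced here, on the server, regardless of what the
    client-side cart claimed. Amounts are integer minor units (cents).
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    if subtotal_cents <= 0:
        return None, "subtotal must be positive"
    if len(codes) > 1:
        return None, "only one coupon may be used per order"
    if not codes:
        return subtotal_cents, None
    code = codes[0].strip().upper()
    coupon = COUPONS.get(code)
    if coupon is None:
        return None, "unknown coupon"
    if today > coupon.expires:
        return None, "coupon expired"
    if subtotal_cents < coupon.min_order_cents:
        return None, "order below coupon minimum"
    if REDEMPTIONS.get((customer_id, code), 0) >= coupon.max_uses_per_customer:
        return None, "coupon use limit reached"
    discount = subtotal_cents * coupon.percent_off // 100
    # Never let a discount drive the payable amount below zero.
    total = max(subtotal_cents - discount, 0)
    return total, None


def finalize_order(customer_id, subtotal_cents, codes, today=TODAY):
    """Price the order and, only if every rule passed, record the redemption."""
    total, reason = price_with_coupons(customer_id, subtotal_cents, codes, today)
    if reason is None and codes:
        key = (customer_id, codes[0].strip().upper())
        REDEMPTIONS[key] = REDEMPTIONS.get(key, 0) + 1
    return total, reason


if __name__ == "__main__":
    print(finalize_order("alice", 5000, ["SAVE10"]))         # (4500, None)
    print(finalize_order("alice", 5000, ["SAVE10"]))         # (None, 'coupon use limit reached')
    print(finalize_order("bob", 5000, ["SAVE10", "OLD5"]))   # stacking refused
```

The ledger update sits in `finalize_order`, after validation, so a rejected attempt never consumes a use; in a real deployment that increment must be atomic with the order commit, otherwise two concurrent checkouts can both pass the limit check.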
3. Order management
Because of the amount of personal information and validation involved, there are many opportunities for cybercrime at the order placement stage:
- Shipping address manipulation
- Issuing refunds after an order is placed
- Fake or absent mobile verification
- Bypassing validation requirements
4. Payment gateway integration
As expected, the most common cyber-attacks take place at the payment stage. Examples:
- Price manipulation going to zero or even negative values
- Changing the contact URL
- Bypassing the checksum that verifies the integrity of the payment data
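The following Python example is added here and is not the article's code or any real gateway's API: it shows how a merchant's payment-callback handler can defeat price manipulation and checksum bypass by verifying an HMAC checksum in constant time, rejecting a missing checksum outright instead of silently skipping verification, refusing zero or negative amounts, and comparing the amount and currency against the server-side order record rather than trusting the values in the message. The shared secret, the order store and the field layout are assumptions; a real gateway specifies its own signed fields and canonical string.

```python
import hashlib
import hmac

# Added example, not the article's code. The secret, order store and message
# layout are constructed assumptions; adapt them to your gateway's specification.

GATEWAY_SECRET = b"example-shared-secret-placeholder"  # placeholder, not a real key

# Server-side record of what the customer actually owes (integer minor units).
ORDERS = {
    "ord-1001": {"amount_cents": 4599, "currency": "EUR", "status": "pending"},
}


def canonical(fields):
    """Deterministic byte string the checksum covers: sorted key=value pairs."""
    return "&".join(f"{k}={fields[k]}" for k in sorted(fields)).encode()


def sign(fields, secret=GATEWAY_SECRET):
    """HMAC-SHA256 checksum over the canonical form of the message fields."""
    return hmac.new(secret, canonical(fields), hashlib.sha256).hexdigest()


def verify_callback(payload, secret=GATEWAY_SECRET):
    """Return (ok, reason). Mark the order paid only if the checksum is valid
    and the amount/currency match the server's own order record."""
    provided = payload.get("checksum")
    if not provided:
        # Absent checksum is a rejection, never a reason to skip verification.
        return False, "missing checksum"
    fields = {k: v for k, v in payload.items() if k != "checksum"}
    expected = sign(fields, secret)
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected, provided):
        return False, "bad checksum"
    order = ORDERS.get(fields.get("order_id"))
    if order is None:
        return False, "unknown order"
    if order["status"] != "pending":
        return False, "order not awaiting payment"  # blocks replay of a valid message
    try:
        amount = int(fields.get("amount_cents"))
    except (TypeError, ValueError):
        return False, "malformed amount"
    if amount <= 0:
        return False, "non-positive amount"
    # Compare against what the server says is owed, not what the message claims.
    if amount != order["amount_cents"] or fields.get("currency") != order["currency"]:
        return False, "amount/currency mismatch"
    if fields.get("status") != "PAID":
        return False, "payment not completed"
    order["status"] = "paid"
    return True, "ok"


if __name__ == "__main__":
    msg = {"order_id": "ord-1001", "amount_cents": 4599, "currency": "EUR", "status": "PAID"}
    msg["checksum"] = sign(msg)
    tampered = dict(msg, amount_cents=0)          # price edited after signing
    print(verify_callback(tampered))               # (False, 'bad checksum')
    print(verify_callback(msg))                    # (True, 'ok')
```

The order of checks matters: the checksum is validated before any field is interpreted, so unsigned data never influences the decision, and the amount is compared to the stored order rather than accepted because it "looks" signed.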
Other e-commerce website threats
In addition to e-commerce-specific threats that affect the business, other common threats that primarily target your customers are:
- Phishing: deceiving customers to share private and personal information like passwords and social security numbers through emails, text, or even redirecting to a fake lookalike website.
- Malware and ransomware: malicious code, delivered through infected software or hardware, that locks users out of their data and systems.
- E-skimming: stealing customers’ credit card details at the payment processing stage.
- Invoice manipulation: altering the e-commerce site’s invoices with alternate payment details so that payments are redirected to fraudsters.
How to know if you need e-commerce pentesting
- Sell or ship physical or digital goods?
- Dealing with online payments?
- Storing sensitive data?
Just one of the above qualifies you for e-commerce-specific penetration testing. E-commerce threats evolve continuously and hackers become savvier by the day, so even the most cutting-edge systems are vulnerable to attack.
Penetration testing for e-commerce websites includes the following stages:
Pentesting Methodology
1. Planning and reconnaissance
Being clear on the scope and goals of the test from the outset is crucial. This first stage requires identifying the systems to be tested and the methods to be used, and gathering intelligence on network and domain names and mail servers to identify unique vulnerabilities.
2. Scanning
Scanning tools are used to understand how the application will respond to intrusion attempts. This is typically done through static analysis (inspecting the code to estimate how it will behave) and dynamic analysis (inspecting the application while it runs, for a real-time view).
3. Gaining access
Using web application attacks such as SQL injection and backdoors, testers try to exploit vulnerabilities. Actions such as accessing data or escalating privileges demonstrate the level of damage that can be done.
4. Maintaining access
So, the ‘hackers’ are in, but how long can they stay there? This stage imitates advanced persistent threats, which give an attacker lengthy, in-depth access to sensitive data. In some real-world cases, attackers have maintained access and kept it hidden for months at a time.
5. Analysis
Once the tests are done, a report of the results shows:
- Vulnerabilities that were exploited
- Sensitive data that was accessed
- Length of time the attacker was able to remain undetected in the system
Penetration Testing Methods
External Testing
External pentesting aims to gain access and extract valuable data through company assets that are already freely visible online, e.g., the web application, company website, email servers and domain name servers.
Internal Testing
Internal testing mimics an attack by a malicious insider: someone already behind the firewall with access to the application. This person won’t necessarily be an employee; it may be an outsider who stole credentials through phishing.
Blind Testing
With a blind test, security staff have no prior knowledge of the simulated attack. The ethical hacker must discover the company’s information using the same methods a real attacker would use, while SecOps can monitor the attack.
Double-blind Testing
Double-blind testing is the most life-like scenario as the ethical attacker has limited information, and the SecOps team is not pre-warned when the attack will happen. It shows how well the systems and incident response plans work.
Targeted Testing
During targeted testing, both the ethical hacker and the security team work together. This pentesting method gives the team real-time feedback from the hacker’s perspective as they continue to identify vulnerabilities.
Traffic light reporting
The report created at the end of penetration testing gives structured detail after the engagement has been completed.
The traffic light report outlines the maturity of the company and benchmarks it against similar industries.
It gives senior executives visibility into the company’s security posture and the improvements needed, with different levels of urgency indicated.
How often is penetration testing needed, and what’s the cost?
Pentesting should be performed at least once a year so that e-commerce businesses can locate and remove vulnerabilities in their websites. In addition, pentesting should be done whenever a new system is set up, an existing one is upgraded, or end-user policies and processes change.
The cost of a pentest varies widely, from $4,000 to $100,000, depending on the project, scope and site size. While this may sound like a huge financial outlay, the actual cost of lost revenue, reputation and productivity, potential fines and system fixes will be far more significant in the event of a security breach.
Best practice for e-commerce website security
Keep your e-commerce website as secure as possible in between penetration tests.
- Update anti-virus software and payment gateway software regularly to lower the risk of malicious code being injected into your systems, which can lead to phishing or e-skimming.
- Implement proper network segmentation and segregation to limit network exposure and minimise lateral movement of cybercriminals.
- Install patches from payment platform vendors.
- Ensure the e-commerce platform you use maintains PCI compliance. Run PCI scans on your server to validate whether you are compliant or not.
The bottom line is that your customers must trust you to process their transactions and safeguard their personal information. Without specialised penetration testing tailored to e-commerce functional modules, which identifies issues specific to e-commerce design (including mobile payments and integrations with third-party vendors and products), you are exposing your business to bold and creative cybercriminals who will exploit your security weaknesses.