30 Days of Ecommerce Testing Day 25: Security concerns

The question for Day 25 is: What security concerns do you associate with ecommerce and how would you test them?

The concerns I see would be:

  • account theft
  • credit card data theft or fraud
  • other payment fraud
  • data leaking out (of customers or the company)
  • data loss
  • malware in ads from advertising networks
  • phishing and other social engineering attacks
  • hijacking the second authentication factor
  • spam including malicious links in comments or reviews
  • malicious injections

There is probably more and I’m skipping the “how to test” part for now - security testing is an area I know very little about and I’d rather do decent research on it as part of the bonus challenge than wing it right now :slight_smile:

Some things I would definitely check for with my current knowledge are:

  • that there is clear information on security-relevant actions e.g. when confirming a transaction with an SMS code (insecure in itself), what transaction the confirmation refers to, so that the user has a chance to notice when a scam or hijacked confirmation request comes in,
  • that inputs are cleansed to avoid injections.

When i think in security on those e-commerces, my mais concerns are:

  • My personal data
  • My payment data

I think a good way to start is to perform a pentest on the application,

1 Like

About security concerns:

  • Fraud / Stolen Identities: this is really a big deal. Not only because it might affects the end user in a very bad way, but also the companies who has to fight this kind of crimes. Here is crucial to assure the maximum protection to the end user and many things could be done but the essential is to test the security assuring for example that cross sites scripting are not able to retrieve any personal / confidential data. Here I assume that fraud / Stolen identities involves a lot of fields like “account theft, credit card theft, credit card fraud”.
  • Malware adds in websites: this more than a trouble, is annoying. How many times you were surfing the web and you find out those annoying pop ups warning you that you have a virus and when you open them, TA-DA! is a virus itself! So the best practice here is to warn the end-users to DO NOT OPEN anything that is not related to the website itself. Besides, the website itself should be prepared against those kind of frauds and a way of testing it is to have anti-malwares active and assure that are working properly, creating fakes malwares and trying to break the security of the website.
  • Viruses / Scam : Installing minimal securities to your infrastructure should be fine. It would be great to have some knowledge on viruses and how to create them and prove the hardeness of the systems. This last thing could be very challenging as the system should be prepared to receive any attack. A way to test it is to do a performance, stress and load testing, and some scripting testing which includes x-sites scripting and so on.

I will keep reading the security concerns! This topic is really interesting! :slight_smile:


Most of the ones are covered by @maos

In short, these two are the ones which arises security concern from users end
Personal sensitive Data
Payment Data

The site should have proper authorization, authentication, encryption standards.


My Day 25 https://wp.me/p9EXXo-63

1 Like

There are entire books and careers that exist around penetration testing, and I don’t think I would do any justice to the topic writing about that. However, I found an interesting article “Is conventional penetration testing enough to secure eCommerce applications?

I think if you had a venn diagram with functional testing in one circle and security testing in another, then the list in this article would be in the intersection. A lot of these have to do with exploiting the websites functionality in order to get something for free. Some of the examples here are just functionality, some are shady, and some are downright fraud.

  • Shipping address manipulation after order placement

Just this weekend my bank called me because I ordered a washer and dryer ($1500 total) to be shipped to my new address. The new address didn’t match my billing address, so the system was alerted and the bank wanted to verify. GOOD BANK. However, if I’m able to change the ship to address to be different than billing without triggering the system, we have a problem.

  • Getting cash back/refunds even when the order is canceled

This is really a functional test, and this could go wrong without the buyer even intending to commit fraud. But if someone with less morals than say, myself, were to get wind of it, it becomes a security issue.

Coupon and reward management flaws

  • Coupon redemption, even after order cancellation
  • Bypass of a coupon’s terms and conditions
  • Bypass of a coupon’s validity
  • Use of multiple coupons for the same transaction
  • Predictable coupon codes
  • Failure of a re-computation in coupon value after partial order cancellation
  • Illegitimate use of coupons with other products

Again, some of these are functional. Creating tests around these should be pretty straight forward!

Check the article for more examples. It looks like a great starting point.

-Dave K


Also heard cases where people earned money by buying and filing the product as faulty - ended up using the product as well as earned the refund. Depends on how companies work.

From the Twitterverse: