The question for Day 25 is: What security concerns do you associate with ecommerce and how would you test them?
The concerns I see would be:
- account theft
- credit card data theft or fraud
- other payment fraud
- data leaking out (of customers or the company)
- data loss
- malware in ads from advertising networks
- phishing and other social engineering attacks
- hijacking the second authentication factor
- spam including malicious links in comments or reviews
- malicious injections
There is probably more, and I’m skipping the “how to test” part for now: security testing is an area I know very little about, and I’d rather do decent research on it as part of the bonus challenge than wing it right now.
Some things I would definitely check for with my current knowledge are:
- that there is clear information on security-relevant actions, e.g. when confirming a transaction with an SMS code (insecure in itself), what transaction the confirmation refers to, so that the user has a chance to notice when a scam or hijacked confirmation request comes in;
- that inputs are cleansed to avoid injections.
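The two checks listed above, turned into an added Python example that is not part of the original post: a confirmation message that states which transaction a code belongs to (with a test helper that verifies this), and a review/comment field that is escaped before rendering and flagged for moderation when it carries markup or script links. The `Transaction` class, function names and sample values are assumptions made for the example.

```python
import html
import re
from dataclasses import dataclass


@dataclass
class Transaction:
    order_id: str
    merchant: str
    amount_cents: int
    currency: str


def format_amount(tx: Transaction) -> str:
    return f"{tx.amount_cents // 100}.{tx.amount_cents % 100:02d} {tx.currency}"


def confirmation_message(tx: Transaction, code: str) -> str:
    """Text sent with a transaction-confirmation code. It names the order,
    merchant and amount so that a customer who receives a code for a purchase
    they did not make has a chance to notice that something is wrong."""
    return (f"Code {code} confirms payment of {format_amount(tx)} to "
            f"{tx.merchant} for order {tx.order_id}. Never share this code; "
            f"if you did not place this order, ignore this message.")


def message_identifies_transaction(msg: str, tx: Transaction) -> bool:
    """Test helper: does the message say which transaction it refers to?"""
    return all(s in msg for s in (format_amount(tx), tx.merchant, tx.order_id))


# Patterns that mark a review as needing a human look rather than as plain text:
# an HTML tag, or a link whose scheme is not ordinary http(s).
_TAG = re.compile(r"<\s*/?\s*[a-zA-Z]")
_BAD_SCHEME = re.compile(r"\b(?:javascript|data|vbscript)\s*:", re.IGNORECASE)


def review_needs_moderation(text: str) -> bool:
    """Flag reviews that carry markup or script/data URLs for moderation."""
    return bool(_TAG.search(text) or _BAD_SCHEME.search(text))


def render_review(text: str) -> str:
    """Escape a review for inclusion in an HTML page: every <, >, &, " and '
    becomes an entity, so injected markup is displayed, not executed."""
    return html.escape(text, quote=True)


if __name__ == "__main__":
    tx = Transaction("A1234", "Example Shop", 4999, "EUR")  # constructed sample
    print(confirmation_message(tx, "493021"))
    print(render_review("<script>alert(1)</script>"))
```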