Protecting brand reputation in the e-commerce space
Our client, a leading jewellery retailer selling famous brands online, was keen to ensure that the security on its e-commerce portals met the highest standards. We had already undertaken a security review for this client, but the company wanted to check it had successfully addressed the issues we had identified, and to make sure no new vulnerabilities had been introduced.
We assessed the applications' functionality from a number of security perspectives (unauthenticated and authenticated end-users) and found security to be good. However, our testing picked up a few medium- and low-risk issues. The most significant of these was the disclosure of very detailed, verbose error messages through the application. By forcing the application to generate an error message, an attacker would be able to retrieve parts of the source code used inside the applications, some of the queries exchanged between the applications and the database, and information about the database, architecture and software versions running on the application.
We also found that the applications allowed users to enter malicious scripts, since no input validation was performed at the server end. In addition, the applications had no protection against Cross-site Request Forgery (CSRF), a class of attacks in which a user is tricked into performing an action they did not intend to. Finally, we found that the server status page of the applications was publicly available. The server status page contains valuable information, including server version details, installed software versions and internal IP addresses.
We provided detailed information about all the issues identified through our tests, along with recommendations for addressing them. Our work enabled our client to strengthen the security of its e-commerce portals, thereby protecting customer confidence in its brand.
If you are concerned about your website's security, contact one of our technical security specialists or find out more about our penetration testing services.