Page 76 - DCAP306_DCAP511_E-COMMERCE_AND_E-BUSINESS
Unit 6: Security Framework
5. Non-repudiability: Neither the sender nor the recipient should be able to deny a transaction made
earlier. The communicated transaction information and its acknowledgement must be consistent on
both the sender's and the receiver's side.
Consider that you call five people from your phone. When the service provider sends the
bill and you deny having made those calls, the provider's ability to prove that you did
make them is what non-repudiability refers to.
6. Auditability: The information about the transactions made must be constantly reviewed to check
if they comply with the information confidentiality and integrity requirements.
6.1.1 Types of Security Vulnerabilities in E-Commerce Systems
Today, almost all transactions are carried out online. This has resulted in a sharp increase in virus
attacks and hacking of information in online payment systems. Hackers exploit vulnerabilities
published in reusable third-party components, such as the shopping cart software commonly used by
online shopping Web sites. Other hackers make use of vulnerabilities that commonly occur in
Web applications, like Structured Query Language (SQL) injection or cross-site scripting.
Following are some of the security vulnerabilities that occur in e-commerce systems:
1. SQL Injection: This is a type of security vulnerability wherein attackers insert SQL
metacharacters into user input. Generally, attackers first check whether a site's input handling is
weak enough to be affected, by sending a single quote character (') embedded in the user input. If
the site's response shows that the quote reached the back-end database unchanged, the attacker's own
query fragments will execute there. The attackers then modify the query with a Boolean condition that
is always true and thus gain access to restricted areas of the site.
E-commerce Web sites such as Guess.com and PetCo.com were found to be vulnerable
to SQL injection attacks. A 20-year-old programmer in Orange County, California,
found that it was possible to access highly sensitive data, such as credit card
numbers and transaction details, from these Web sites using specially crafted
URLs containing SQL metacharacters.
How a Web site is attacked with SQL injection depends on the type of back-end database used
by the site. On an Oracle database, SQL injection is carried out using the UNION keyword. Attacking
an application that uses Oracle as its back-end is very difficult compared to attacking an application
that uses MS SQL Server as its back-end. In MS SQL Server, queries are terminated with a semicolon,
which makes it easy for attackers to insert a metacharacter into the query.
SQL injection vulnerabilities were discovered in shopping cart software such as VP-
ASP Shopping Cart, iGeneric Free Shopping Cart, Web Merchant Services, and
Storefront Shopping Cart. In Storefront Shopping Cart, the SQL injection
vulnerability was found in the login.asp page, allowing an attacker to execute
malicious database queries without authenticating to the Web site.
2. Price Manipulation: This type of security vulnerability is common in online shopping Web sites
and payment gateways. When a consumer purchases a commodity online, the price is stored
dynamically in an HTML hidden field. An attacker can modify the payable amount with a Web
application proxy while the information flows from the user's browser to the Web server. When the
transaction volume is high, such a modification of the price often goes unnoticed. Frequent
attacks of this type reduce the credibility of the online merchant.
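The two vulnerabilities described above, SQL injection and price manipulation, share one root cause: the server trusts what arrives from the browser. The following added example (not from the textbook or any of the shopping cart products it names) uses a constructed SQLite catalogue and hypothetical checkout functions to show a weak checkout beside a hardened one that binds the SKU as a query parameter and looks the price up server-side.

```python
import sqlite3

# Constructed sample catalogue standing in for the merchant's database.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (sku TEXT PRIMARY KEY, price_cents INTEGER)")
    db.executemany("INSERT INTO products VALUES (?, ?)",
                   [("BOOK-1", 1999), ("LAPTOP-7", 89900)])
    return db

def vulnerable_checkout(db, form):
    """Both weaknesses from the text: the SKU from the form is spliced into
    the SQL string, and the amount charged is read from a hidden field."""
    row = db.execute(
        "SELECT sku FROM products WHERE sku = '" + form["sku"] + "'").fetchone()
    if row is None:
        return None
    return int(form["price_cents"]) * int(form["qty"])

def hardened_checkout(db, form):
    """Returns ("ok", total_cents) or ("rejected", reason).
    The SKU is bound as a parameter, so quotes and OR clauses in it are
    compared as data, never parsed as SQL; the price is looked up on the
    server, and a client-supplied price is only used to detect tampering."""
    row = db.execute("SELECT price_cents FROM products WHERE sku = ?",
                     (form.get("sku", ""),)).fetchone()
    if row is None:
        return ("rejected", "unknown sku")
    try:
        qty = int(form.get("qty", "1"))
    except ValueError:
        return ("rejected", "quantity is not a number")
    if not 1 <= qty <= 100:
        return ("rejected", "quantity out of range")
    if "price_cents" in form and str(row[0]) != form["price_cents"]:
        # A mismatch means the hidden field was edited in transit: reject the
        # order and log it for the auditability review the text calls for.
        return ("rejected", "client price %s != catalogue price %s"
                % (form["price_cents"], row[0]))
    return ("ok", row[0] * qty)

if __name__ == "__main__":
    db = make_db()
    tampered = {"sku": "LAPTOP-7", "price_cents": "1", "qty": "1"}
    print(vulnerable_checkout(db, tampered))   # 1 cent for a laptop
    print(hardened_checkout(db, tampered))     # ('rejected', ...)
    probe = {"sku": "' OR '1'='1", "price_cents": "1", "qty": "1"}
    print(vulnerable_checkout(db, probe))      # 1: the OR clause ran as SQL
    print(hardened_checkout(db, probe))        # ('rejected', 'unknown sku')
```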
LOVELY PROFESSIONAL UNIVERSITY 69