Page 77 - DCAP306_DCAP511_E-COMMERCE_AND_E-BUSINESS
E-Commerce and E-Business
The 3D3 ShopFactory Shopping Cart had a price manipulation vulnerability:
product and price information stored in client-side cookies could easily be
manipulated by an attacker.
Did you know? Smartwin Technology's CyberOffice Shopping Cart 2.0 was attacked using a price
manipulation technique. The attacker downloaded the order form
from a local machine and resubmitted it to the target server after modifying the
hidden fields to arbitrary values.
3. Buffer Overflow: This type of security vulnerability involves overloading a Web application by
sending it more data than it has the capacity to handle. When this happens, the back end of the
application may be unable to process the data and may display a fatal error
message that shows the location of the functions. This can allow the attacker to access
confidential information.
In the PDGSoft Shopping Cart, multiple buffer overflows were discovered that
allowed the execution of an attacker’s code by overwriting the saved return address.
Error pages act as a source of confidential information. The errors shown on
error pages can be triggered in Web applications that have weak input validation
techniques. For example, an application that is designed to recognize numeric
inputs would fail when letters or other special characters are provided as input.
4. Cross-site Scripting: This type of security vulnerability is also known as an XSS attack. An XSS
attack targets a Web page that uses a ‘form’ field to take input from the user, processes the
entered data, and displays the result on the Web page along with the user input.
XSS attacks are commonly found in the 'search' option of a Web site. When a user enters a keyword
to search for, the search option prints the result with a line such as 'Results for <user_supplied_input>'. If
the user input is not displayed within quotes, an attacker can write JavaScript as
part of the user input and embed it in the URL. The script executes when an ordinary user
who is not aware of the scripting language clicks on the link. In this way an attacker can steal the
user’s cookies, which contain the session ID and other confidential information.
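The search-page behaviour described above, as an added example that is not part of the original text: a vulnerable renderer that echoes the keyword unchanged, next to a hardened one that encodes it for each place it appears. The function names, page markup and test inputs are hypothetical and constructed for illustration.

```javascript
// Added example with hypothetical names; the page markup and inputs are constructed.

// Encode the five characters that can change HTML structure.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable: the search term is concatenated into three places unchanged.
function renderResultsUnsafe(query) {
  return "<h2>Results for " + query + "</h2>\n" +
    "<input name=q value=" + query + ">\n" +
    '<a href="/search?q=' + query + '&page=2">Next</a>';
}

// Hardened: each output context gets the encoding that context needs.
function renderResultsSafe(query) {
  return "<h2>Results for " + escapeHtml(query) + "</h2>\n" +       // HTML text
    '<input name="q" value="' + escapeHtml(query) + '">\n' +        // quoted attribute
    '<a href="/search?q=' + encodeURIComponent(query) + '&amp;page=2">Next</a>'; // URL value
}

// Summarise a page as "tag[attributes]" so two renderings can be compared.
function structure(html) {
  const tags = html.match(/<[a-zA-Z][^>]*>/g) || [];
  return tags.map((tag) => {
    const bare = tag.replace(/"[^"]*"/g, '""'); // drop quoted attribute values
    const name = bare.match(/^<([\w-]+)/)[1].toLowerCase();
    const attrs = [...bare.matchAll(/\s([\w-]+)=/g)].map((m) => m[1].toLowerCase());
    return name + "[" + attrs.join(",") + "]";
  }).join(" ");
}

// Constructed test inputs: a tag, an unquoted-attribute break-out, a quote break-out.
const PROBES = ["<script>alert(1)</script>", "x onfocus=alert(1)", '" onfocus="alert(1)'];

// True when no probe changes the page structure produced for a plain keyword.
function structureIsStable(render) {
  const baseline = structure(render("shoes"));
  return PROBES.every((probe) => structure(render(probe)) === baseline);
}

console.log("unsafe stable:", structureIsStable(renderResultsUnsafe));
console.log("safe stable:  ", structureIsStable(renderResultsSafe));
```

The invariant being checked is that the set of tags and attributes on the page must not depend on what the user typed; the same comparison can be used as a regression test for any template that echoes input.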
Consider a scenario where Citibank’s Web site was targeted by an attacker. The
attacker had created two windows to open on the user’s system. The first window
was the original Citibank Web site and the other was a pop-up window that
requested the user’s debit card number, PIN, and card expiration date.
When a user entered this information, the site redirected the Web page to the
attacker’s server and a deceptive e-mail was sent to the Citibank account holders to
verify their details. Thus, the attacker gained access to users’ accounts and the money
was stolen.
5. Remote Command Execution: This type of security vulnerability occurs when a Web site uses a weak
input validation technique. If a Web site includes Common Gateway Interface
(CGI) scripts, an attacker can easily execute operating system commands. This vulnerability is
found in Web applications written as Perl and PHP scripts that use the 'system' call
command.
70 LOVELY PROFESSIONAL UNIVERSITY