Question

LIST AND EXPLAIN SECURITY VULNERABILITIES IN E-COMMERCE AND THE SOLUTIONS TO MITIGATE SUCH VULNERABILITIES

Answer #1

Security Vulnerabilities in E-commerce:

  1. Cross-site scripting (XSS)
  2. SQL injection
  3. Phishing attacks
  4. Distributed denial of service (DDoS) attacks
  5. Man-in-the-middle attacks
  6. Password attacks
  7. Pharming
  8. Price manipulation
  9. Cross-site request forgery (CSRF)

Cross-site scripting:

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it. An attacker can use XSS to send a malicious script to an unsuspecting user.

Mitigating the XSS attack

  1. Escape Dynamic Content: Escaping data means taking the data an application has received and ensuring it’s secure before rendering it for the end user. By escaping user input, key characters in the data received by a web page will be prevented from being interpreted in any malicious way.
  2. Sanitize HTML: Sanitizing data is a strong defense, but should not be used alone to battle XSS attacks. Sanitizing user input is especially helpful on sites that allow HTML markup, to ensure data received can do no harm to users as well as your database by scrubbing the data clean of potentially harmful markup, changing unacceptable user input to an acceptable format.
  3. Validating input: this is the process of ensuring an application is rendering the correct data and preventing malicious data from doing harm to the site, database, and users. While whitelisting and input validation are more commonly associated with SQL injection, they can also be used as an additional method of prevention for XSS. Whitelisting only allows known good characters and is a better method for preventing XSS attacks as well as others.

SQL Injection

SQL injection (SQLi) is a type of cybersecurity attack that targets these databases, using specifically crafted SQL statements to trick the systems into doing unexpected and undesired things.

Mitigation of this attack

  1. Don't use dynamic SQL.
  2. Sanitize user-provided inputs.
  3. Don't leave sensitive data in plaintext.
  4. Limit database permissions and privileges.
  5. Avoid displaying database errors directly to the user.
  6. Use a Web Application Firewall (WAF) for web applications that access databases.

Phishing attacks

Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers. It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message, or text message.

Avoiding, preventing or mitigating:

  1. Use Firewalls
  2. Be Wary of Pop-Ups
  3. Keep Your Browser Up to Date
  4. Check Your Online Accounts Regularly
  5. Verify a Site’s Security
  6. Install an Anti-Phishing Toolbar
  7. Never Give Out Personal Information

DDoS attack

A Distributed Denial of Service (DDoS) attack is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources. They target a wide variety of important resources, from banks to news websites, and present a major challenge to making sure people can publish and access important information.

Mitigation of DDoS attack

The term ‘DDoS mitigation’ refers to the process of successfully protecting a target from a distributed denial of service (DDoS) attack.

A typical mitigation process can be broadly defined by these four stages:

  1. Detection – The identification of traffic flow deviations that may signal the buildup of a DDoS assault. Effectiveness is measured by your ability to recognize an attack as early as possible, with instantaneous detection being the ultimate goal.
  2. Diversion – Traffic is rerouted away from its target, either to be filtered or completely discarded.
  3. Filtering – DDoS traffic is weeded out, usually by identifying patterns that instantly distinguish between legitimate traffic (i.e., humans, API calls and search engine bots) and malicious visitors. Responsiveness is a function of your being able to block an attack without interfering with your users’ experience. The aim is for your solution to be completely transparent to site visitors.
  4. Analysis – Security logs are reviewed to gather information about the attack, both to identify the offender(s) and to improve future resilience. The process’s effectiveness relies on the existence of detailed security logs that can offer granular visibility into the attack traffic.

Man in the middle attack

A man-in-the-middle attack (MITM) is an attack where the attacker secretly relays and possibly alters the communications between two parties who believe they are directly communicating with each other. One example of a MITM attack is active eavesdropping, in which the attacker makes independent connections with the victims and relays messages between them to make them believe they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker.

Mitigation

  1. Employ encryption.
  2. Verify TLS/SSL setups.
  3. Manage enterprise-wide certificates.
  4. Use a virtual private network.
  5. Use strong WEP/WAP encryption on access points.

Password attacks

  1. Password Guessing
  2. Password Resetting
  3. Password Cracking
  4. Hash guessing
  5. Rainbow tables
  6. Password sniffing

Mitigation

  1. Do not allow the same password to be used on multiple resources. If an attacker manages to get one password, he will then have them all if the same password is used on more than one resource.
  2. Lock out a user account after a set number of failed login attempts. This defeats brute force password cracking attempts.
  3. Do not allow cleartext storage of passwords. Self-explanatory.
  4. Use strong passwords. Repeat: use strong passwords. Alternative: encourage passphrases. “mykittenpreferswhiskas” is very unguessable, but easily remembered.
  5. NEVER, NEVER, NEVER allow default passwords to remain on devices on your network. “Admin/admin” is too easy and is one of the first things a cracker will try. On any new device, immediately change the default username and password.

Cross-site request forgery (CSRF)

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. With a little help from social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state-changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.

Mitigation

  1. Make sure your anti-virus software is up to date. Many malicious scripts can be blocked and quarantined by this software.
  2. Do not open any emails, browse to other sites or perform any other social network communication while authenticated to your banking site or any site that performs financial transactions. This will prevent any malicious scripts from being executed while being authenticated to a financial site.
  3. Whenever you finish a banking or financial transaction on a site always log off immediately. Don’t just minimize or close the browser. If you do, it will make you vulnerable to an attack.
  4. Never save your login or password for a banking or financial institution site within your browser. Malicious code in CSRF attacks is usually written to take advantage of this information that is within your browser.
  5. Disable scripting in your browser. Firefox has a plugin that can prevent scripts from running.
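The answer's XSS and SQL injection sections both come down to one rule: never let user input be interpreted as code, whether that code is HTML or SQL. The following added example (not part of the answer above) puts the vulnerable pattern next to its hardened form for each case, using Python's standard library only. The product table is constructed in memory for the demonstration, the function names are hypothetical, and the "SKU" allow-list pattern is an assumed format chosen to illustrate whitelist validation.

```python
import html
import re
import sqlite3


def make_catalogue():
    """Constructed sample data: a tiny in-memory product table standing in for the shop database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO products (name, price) VALUES (?, ?)",
        [("Widget", 9.99), ("Gadget", 19.99)],
    )
    conn.commit()
    return conn


def search_dynamic_sql(conn, term):
    """Vulnerable: the search term is pasted into the statement text, so SQL
    metacharacters in it change the query's logic (the 'dynamic SQL' the answer warns against)."""
    sql = f"SELECT name, price FROM products WHERE name = '{term}'"
    return conn.execute(sql).fetchall()


def search_parameterised(conn, term):
    """Hardened: the term is bound as a query parameter, so the driver treats it purely as data."""
    return conn.execute(
        "SELECT name, price FROM products WHERE name = ?", (term,)
    ).fetchall()


def render_review_raw(review):
    """Vulnerable: user-supplied review text is placed into the HTML output unescaped."""
    return f'<p class="review">{review}</p>'


def render_review_escaped(review):
    """Hardened: escape dynamic content so <, >, &, ' and " cannot start markup or attributes."""
    return f'<p class="review">{html.escape(review, quote=True)}</p>'


# Whitelist validation (assumed format): a product code may only contain
# uppercase letters, digits and '-', between 3 and 20 characters.
SKU_PATTERN = re.compile(r"[A-Z0-9-]{3,20}")


def is_valid_sku(sku):
    """Allow-list check: anything outside the expected character set is rejected outright."""
    return SKU_PATTERN.fullmatch(sku) is not None


if __name__ == "__main__":
    db = make_catalogue()
    tautology = "' OR '1'='1"  # classic SQLi test input: turns the WHERE clause into a tautology
    print("dynamic SQL returns every row:", search_dynamic_sql(db, tautology))
    print("parameterised query returns nothing:", search_parameterised(db, tautology))
    print("escaped review:", render_review_escaped('<script>alert("x")</script>'))
    print("SKU check:", is_valid_sku("SKU-1234"), is_valid_sku("sku' OR 1=1"))
```

Escaping and parameterisation are the primary controls; the allow-list check is the extra layer the answer's third XSS point describes, and it is most valuable on fields with a known shape (codes, quantities, postcodes) rather than on free text such as reviews.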
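Two of the answer's server-side mitigations can be shown concretely: for password attacks, never storing cleartext passwords and locking an account after a set number of failed logins; for CSRF, the standard server-side defence of a per-session anti-forgery token that a forged cross-site request cannot know. The code below is an added example and is not part of the answer; the `AccountStore` class and function names are hypothetical, the account store is an in-memory dictionary standing in for a real user table, and the PBKDF2 iteration count of 600,000 is an assumed value in line with current OWASP guidance for PBKDF2-HMAC-SHA256.

```python
import hashlib
import hmac
import os
import secrets

PBKDF2_ITERATIONS = 600_000  # assumed work factor; raise as hardware gets faster
MAX_FAILED_ATTEMPTS = 5      # lockout threshold from the answer's mitigation list


def hash_password(password):
    """Salted PBKDF2-HMAC-SHA256: the database holds salt + digest, never the cleartext."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute the digest with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


class AccountStore:
    """In-memory stand-in for a user table (constructed for the example)."""

    def __init__(self):
        self.accounts = {}  # username -> {"salt", "hash", "failures", "locked"}

    def register(self, username, password):
        salt, digest = hash_password(password)
        self.accounts[username] = {"salt": salt, "hash": digest, "failures": 0, "locked": False}

    def login(self, username, password):
        """Returns 'ok', 'invalid' or 'locked'; locks the account after MAX_FAILED_ATTEMPTS."""
        acct = self.accounts.get(username)
        if acct is None:
            # Hash anyway so response time does not reveal whether the username exists.
            hash_password(password)
            return "invalid"
        if acct["locked"]:
            return "locked"
        if verify_password(password, acct["salt"], acct["hash"]):
            acct["failures"] = 0
            return "ok"
        acct["failures"] += 1
        if acct["failures"] >= MAX_FAILED_ATTEMPTS:
            acct["locked"] = True
            return "locked"
        return "invalid"


def issue_csrf_token(session):
    """Generate an unpredictable token, store it server-side in the user's session,
    and return it for embedding in the form as a hidden field."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def verify_csrf(session, submitted):
    """A state-changing request is accepted only if the submitted token matches the
    session's token; a cross-site page cannot read the victim's session, so it cannot supply it."""
    expected = session.get("csrf_token")
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected, submitted)


if __name__ == "__main__":
    store = AccountStore()
    store.register("alice", "correct horse battery staple")
    print("good password:", store.login("alice", "correct horse battery staple"))
    for _ in range(MAX_FAILED_ATTEMPTS):
        print("wrong password:", store.login("alice", "wrong"))
    print("right password after lockout:", store.login("alice", "correct horse battery staple"))
    session = {}  # stands in for the server-side session of one logged-in user
    token = issue_csrf_token(session)
    print("genuine form submission accepted:", verify_csrf(session, token))
    print("forged request rejected:", verify_csrf(session, "forged-value"))
```

Two practical caveats: a hard lockout lets anyone who knows a username deny that user service, so production systems usually combine a short temporary lockout or rate limiting with alerting rather than a permanent lock; and the CSRF token must be checked on every state-changing endpoint, since a single unprotected form is enough for the attack the answer describes.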
