Application Web ECommerce


Technologies are built to give an eCommerce application or website the highest possible level of security. But technology alone does not solve the problem; important factors are still missing. These are not weaknesses in the technologies but complements to them: organisational policies and procedures, such as the minimum user password length enforced within the organisation, and industry standards and government laws that regulate payment mechanisms and allow violators to be investigated and prosecuted.

Every online web application and e-business has malicious hackers waiting to attack it or take advantage of its weaknesses. The popularity of web applications has made them a prime target for hackers worldwide.

From the technology point of view there are three points of vulnerability in eCommerce:

  • The Client
  • The Server
  • The Communication Pipeline

In this chapter I discuss the most common and damaging forms of security vulnerability that appear in eCommerce applications:

  • Malicious Code
  • Phishing
  • Cyber Vandalism
  • Credit Card Fraud
  • Spoofing
  • Denial of Services
  • Sniffing
  • Poorly Designed Server and Client Application

  • Malicious Code

Malicious code covers a number of threats: viruses, worms, Trojan horses and bot programs. It is used mainly to steal email addresses, logon credentials, personal data and financial information, and it can also damage installed programs and files.

A virus is a program that replicates itself by attaching copies of itself to other files and programs; a worm is similar but spreads on its own from machine to machine across the available network.

A Trojan horse is a program that looks like a regular, useful program but does something unexpected when it finds the suitable moment. The name comes from the wooden horse by which Troy was invaded.

A bot is a program that gets installed on your computer and waits for commands from a remote operator over the Internet.

  • Phishing

Phishing is any act intended to trick a user into handing over confidential information. The most common phishing attack is a scam email in your inbox informing you that you have won a prize and asking you to send your details to redeem it.

  • Cyber Vandalism

Cyber vandalism is the act of gaining access to an eCommerce website in order to disrupt, deface and/or destroy the site.

  • Credit Card Fraud

Credit card fraud is the attempt to steal credit card data, either while it is in transit or from the storage media where it is kept. Once stolen, the data can be used again and again.

  • Spoofing

Spoofing is the attempt to appear to be someone else and hide one's true identity, with the intention of breaching your privacy or abusing the trust placed in that identity.

  • Denial of Service

Denial of service is the act of overwhelming your network infrastructure with a flood of packets, pushing your routers and web servers past their limits until they fail, so that the system goes down and has to be restarted.

  • Sniffing

A sniffer is a program sitting on your communication path, whether the network's wires or a wireless medium, listening to and reading all of your transmitted data. By sniffing, an attacker obtains information he is not supposed to have and breaches your privacy.

  • Poorly Designed Server and Client Applications

I will split this point into two sub-points:

  • Poorly Designed Server Software
  • Poorly Designed Client Software

In addition, I will give the countermeasures for each.

  • Poorly Designed Server Software

Server software is any software that serves requests from clients and responds with the right resources in a timely and secure manner.

Web server hacking refers to attackers taking advantage of vulnerabilities in the web server software itself. Those vulnerabilities are widely published and easy to find and detect. An attacker with the right set of tools and utilities, plus some ready-made exploits, can take a web server down and leave it out of order. Code Red and Nimda are worms that spread by exploiting weaknesses in Microsoft's IIS.

While researching this chapter I found a great many freely available hacking examples showing the reader, and the curious, exactly how it is done.



One such exploit was intended to display the boot.ini file and could be tried against any web server running IIS 4.0.

Another was intended to browse the server's system files, with no exceptions.

The examples above are known as sample-code vulnerabilities. The problem is that the attacker does not need to write any code at all: the sample pages installed with IIS, all of them in the IISSamples directory, already do the work.


Countermeasures:

  • Do not accept the installation default configuration.
  • Delete all sample code from any production server.


"%70" is the URL-encoded letter p, so requesting page.js%70 instead of page.jsp defeated the server's mapping of .jsp requests to the JSP engine and returned the page's source code instead of running it. This affected older versions of BEA's WebLogic Server and of Apache's servlet container, Tomcat, and is known as a source-code disclosure vulnerability.

Canonicalization Attacks

If you have a file on your C: drive you may reference it in several ways (C:\text.txt, ..\text.txt relative to another directory, or \\server\c$\text.txt through the administrative share): many names, one resource.

The process of resolving such a name to the single resource it denotes is called canonicalization, and an attack that exploits a difference between how the web server checks a name and how the file system resolves it is a canonicalization attack. On older IIS versions, appending "::$DATA" (the name of the main NTFS data stream) to an Active Server Page request made the server return the page's source code instead of rendering it: the server did not recognise the name as a .asp file, but the file system happily opened it.


Countermeasures:

  • Download and install the latest patches and hotfixes from your server's vendor.
  • Canonicalize every requested name yourself and check the result against the document root before opening the file, instead of trusting the raw request.
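A server-side check of that kind, added here as an example (not code from the essay): it decodes the requested path until it is stable (defeating double encoding), rejects NUL bytes and NTFS stream suffixes such as ::$DATA, resolves the path against a fixed document root and refuses anything that escapes it. The document root /var/www/htdocs and the sample requests are constructed for the example.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

WEB_ROOT = "/var/www/htdocs"   # assumed document root for this example


def canonicalize(request_path: str) -> Optional[str]:
    """Return the absolute file path a request maps to, or None if the
    request must be rejected.  Handles encoded and double-encoded '..',
    backslash separators, NUL truncation and NTFS alternate data streams
    such as '::$DATA', then checks the resolved path stays under WEB_ROOT."""
    path = request_path
    for _ in range(3):                   # decode until stable (%252e -> %2e -> .)
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    else:
        return None                      # still changing after 3 rounds: reject
    path = path.replace("\\", "/")       # treat Windows separators as separators
    if "\0" in path or "::$" in path:    # NUL byte truncation, ::$DATA stream
        return None
    full = posixpath.normpath(posixpath.join(WEB_ROOT, path.lstrip("/")))
    if full != WEB_ROOT and not full.startswith(WEB_ROOT + "/"):
        return None                      # escaped the document root
    return full


# Constructed requests of the kinds discussed above; not real traffic.
SAMPLE_REQUESTS = [
    "/index.html",
    "/docs/../index.html",
    "/../../etc/passwd",
    "/%2e%2e/%2e%2e/boot.ini",
    "/%252e%252e/%252e%252e/boot.ini",
    "/default.asp::$DATA",
    "/..%5c..%5cwinnt/system32/cmd.exe",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f"{req:40} -> {canonicalize(req)}")
```

The important design choice is the order: decode first, then normalise, then compare the fully resolved path with the root. Checking for the literal string ".." before decoding is exactly the mistake the %2e and double-encoding tricks exploit.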

Buffer Overflow

When an application or piece of code runs on any OS (Windows, UNIX, etc.), the OS assigns memory for its code and data; the region that holds each function's local variables, saved frame pointer and return address is called the stack. Let us look at how an attacker can abuse it. Consider the sample program offered by Aleph One in his paper "Smashing The Stack For Fun And Profit":

    #include <string.h>

    void sample_function(char *string)
    {
        char buffer[16];          /* 16 bytes on the stack */
        strcpy(buffer, string);   /* no length check: copies until a NUL byte */
    }

    int main(void)
    {
        char big_buffer[256];
        int i;
        for (i = 0; i < 255; i++)
            big_buffer[i] = 'A';  /* 255 A's and no terminating NUL */
        sample_function(big_buffer);
        return 0;
    }



In this program the main routine creates big_buffer, fills it with 255 copies of the character A, and passes it to sample_function. Inside sample_function the argument is referred to as string, and a local variable called buffer is allocated 16 bytes of space on the stack. Next we encounter strcpy, a routine that copies one string of characters into another; here it copies from string into buffer. Unfortunately strcpy is very sloppy: it checks the size of neither string, and happily copies until it meets a null character in the source. A null character, a byte of all zero bits, normally marks the end of a C string. This sloppiness is a well-known limitation of many of the standard C library functions, particularly the string functions. When we built big_buffer we did not put a null character at its end, and we made it (255 characters) far larger than buffer (16 characters). This is bad news, because nothing stops strcpy from writing far beyond where it is supposed to.

What happens to the stack? The A characters spill past the end of buffer, over the saved frame pointer and into the saved return pointer, which ends up filled with A's. When sample_function finishes, the local variables and the saved frame pointer are popped off the stack, and so is the return pointer (all A's). The return pointer is copied into the processor's instruction pointer, and the machine tries to fetch its next instruction from the address that is the binary equivalent of a run of A's (0x41414141 on a 32-bit machine). That is almost certainly not a valid address, so the program crashes. So far, then, we have learned how to write a program that crashes.
Loading a run of A's into the return pointer crashed the program, but what if we overflow the buffer with something more meaningful? We could place actual machine language code in the buffer: the instructions we want executed. How do we get the system to run them? Since writing past the end of the local variables lets us modify the return pointer, we overwrite it with a value that points back into the buffer, where our instructions sit. The result is a stack-based buffer overflow attack, and it lets us execute arbitrary commands on the system. The attacker forces the program to fill one of its local variables (a buffer) with data longer than the space allocated, data that contains machine code. The system does not stop at the end of the local variables; it keeps writing past the end of the buffer, overwriting the return pointer with a value that points back at the machine language instructions now sitting on the stack. When the function returns, the local buffer containing those instructions is popped off the stack, but the bytes left in those memory locations are not cleared. The system loads the return pointer into the processor and starts executing wherever it points, which is the attacker's code on the stack. The attacker has just made the program execute arbitrary instructions from the stack.

Now that we understand how an attacker puts code on the stack and gets it to run, let us look at the kind of instructions an attacker places there. On UNIX, probably the most useful thing to force the machine to run is a command shell, because a shell such as /bin/sh can be fed any other command.
This is achieved by placing on the stack the machine code that executes /bin/sh (through the execve system call). Once the shell is spawned, the attacker can feed it specific system commands, running any program or system call on the target machine. Buffer overflow attacks are very processor and operating system dependent: raw machine code runs only on a specific processor, and the way commands are executed differs between operating systems. A buffer overflow exploit against a Linux machine with an x86 processor will therefore not run against a Windows NT box on an Alpha processor or a Solaris system with a SPARC processor, even if the same buggy program is present on all of them. The attack must be tailored to the target processor and operating system.

Exploiting Stack-Based Buffer Overflow

To exploit a buffer overflow the attacker feeds data into the program, by typing characters into a GUI or command line or by sending specially formatted packets across the network. That input carries both the machine language code and the new return pointer in a single package. If the attacker sends exactly the right bytes, formatted exactly the right way to overflow a buffer in a vulnerable program, a function in that program copies them onto the stack and ultimately executes the attacker's code. Because everything must be formatted so carefully for the target program, creating a new buffer overflow exploit is not easy.

The Makeup of a Buffer Overflow

What does the attacker send to the target to trigger the overflow? Clearly, the machine language code for the commands to be executed. The attacker must also send the bytes that overwrite the return pointer so that it points back into the stack, where the machine language code awaits. Setting the return pointer to just the right value is extremely important: if it jumps to the wrong area of memory the program may crash, or the attacker's code may not execute properly. Making the task harder, the exact location of the stack at a given instant is dynamic, so the attacker often has to guess the address to jump to. To widen the target, attackers prefix their code with a series of NOP instructions: the processor takes a NOP, does nothing, and loads the next instruction. Several hundred or even a thousand or more NOPs may be included, depending on the buffer size, and the run of NOPs is called a NOP slide or NOP sled. The data making up the overflow therefore consists of the NOP sled, which lands on the stack first, followed by the machine language code the attacker wants executed, and finally the new return pointer, which only has to land anywhere in the sled for execution to slide down into the code.
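A model of that layout, added here as an example (it is neither the essay's nor Aleph One's code): it lays the bytes out for the 16-byte buffer of the sample program above on a 32-bit x86 frame and shows what ends up in the return-pointer slot, first for the run of A's and then for a crafted payload. The frame layout, the stack address 0xBFFFF5A0 and the placeholder "shellcode" (0xCC int3 bytes standing in for real machine code) are all assumptions; nothing here runs code on a target.

```python
import struct

NOP = b"\x90"                       # x86 NOP opcode
BUF_SIZE = 16                       # char buffer[16] in sample_function
SAVED_FP = 4                        # saved frame pointer on 32-bit x86
RET_OFFSET = BUF_SIZE + SAVED_FP    # distance from buffer start to return pointer
BUF_ADDR = 0xBFFFF5A0               # assumed address of `buffer` on the stack


def strcpy_into_frame(src: bytes) -> dict:
    """Model strcpy(buffer, src): copy bytes until the first NUL, running past
    buffer into the saved frame pointer and the return pointer.  Returns what
    each slot of the (modelled) frame holds afterwards; bytes written beyond
    the return pointer are not modelled."""
    end = src.find(b"\0")
    data = src if end < 0 else src[:end]
    frame = bytearray(RET_OFFSET + 4)          # buffer | saved fp | return ptr
    n = min(len(data), len(frame))
    frame[:n] = data[:n]
    return {
        "buffer": bytes(frame[:BUF_SIZE]),
        "saved_fp": bytes(frame[BUF_SIZE:RET_OFFSET]),
        "ret": struct.unpack("<I", frame[RET_OFFSET:RET_OFFSET + 4])[0],
    }


def build_payload(shellcode: bytes, ret_addr: int) -> bytes:
    """NOP sled, then the code, then the new return pointer at RET_OFFSET."""
    sled = RET_OFFSET - len(shellcode)
    if sled < 0:
        raise ValueError("code does not fit between buffer start and return pointer")
    payload = NOP * sled + shellcode + struct.pack("<I", ret_addr)   # little-endian
    if b"\0" in payload:
        raise ValueError("a NUL byte would stop strcpy before the return pointer")
    return payload


def lands_in_sled(ret_addr: int, shellcode: bytes) -> bool:
    """True if ret_addr points inside the NOP sled, so execution slides into
    the code even though the exact stack position was only guessed."""
    sled_len = RET_OFFSET - len(shellcode)
    return BUF_ADDR <= ret_addr < BUF_ADDR + sled_len


if __name__ == "__main__":
    print(hex(strcpy_into_frame(b"A" * 255)["ret"]))     # the crash case
    code = b"\xcc" * 8   # constructed placeholder for real machine code
    payload = build_payload(code, BUF_ADDR + 4)
    print(hex(strcpy_into_frame(payload)["ret"]))        # points back into the sled
```

With a buffer this small the sled is only twelve bytes and the placeholder code eight; real exploits target larger buffers, which is why the text speaks of hundreds of NOPs. The NUL check in build_payload reflects the other constraint the text mentions: strcpy stops at the first zero byte, so neither the code nor the return address may contain one.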


  • Do not accept the installation default configuration.
  • Delete all sample code from any production server.
  • As a programmer, check the length and type of every input before copying it into a fixed-size buffer; prefer bounded functions such as strncpy or snprintf over strcpy.
  • Download and install the latest patches and hotfixes for your server. IIS 5.0 is known for this vulnerability; Service Pack 2 fixed the problem.

  • Poorly Designed Client Software

Finding Vulnerable Web Applications with Google

Yes, I can find vulnerable applications simply by searching Google, and go further from there if I want to. At the very least I get rich information about some prey out there.

To find unprotected /admin, /password and /mail directories and their contents, type the following into Google:

Type "Index of /admin"

Type "Index of /password"

Type "Index of /mail"

Type "Index of /" password.txt


Countermeasures:

  • Disable directory listing on the server and keep password files and other static secrets out of the web root entirely, so that no search engine or browser can index them.
  • Do not rely on encrypting stored passwords. 3DES, once regarded as a strong cipher, is now deprecated, and encryption is the wrong tool here in any case: a key kept on the same server decrypts the whole file. Store passwords as salted hashes computed with a deliberately slow function (bcrypt, scrypt, Argon2 or PBKDF2), so that a leaked file still does not yield the passwords.

SQL Injection Attack

Imagine a page in a web application with a text box labelled, for example, Enter Address. What happens if I type the following into that box:

    '; shutdown with nowait; --

or

    '; delete from users; --

Think about the statement the page's programmer wrote, which works well under normal use of the page:

    "UPDATE users SET address = '" + textBoxAddress.Text + "' WHERE userid = 5;"

The value of the text box is pasted into the statement and the normal flow continues. When you type "123 ABC", the statement looks like:

    UPDATE users SET address = '123 ABC' WHERE userid = 5;

which is correct and legitimate. But life is not always good. If we type in our own SQL instead, the statement becomes:

    UPDATE users SET address = ''; shutdown with nowait; -- ' WHERE userid = 5;

Now there are two statements plus a comment that swallows the rest of the original query. Voila.

Simply put, the first payload shuts down the SQL Server immediately, taking it out of service until an administrator starts it again; the second silently deletes every row in the users table. The shutdown only succeeds if the application's database account holds the sysadmin or serveradmin role, which is one more reason such accounts must run with the least privilege they need.
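The same update written both ways, as an added example (not the essay's code) against an in-memory SQLite database with ten constructed rows. SQLite has no shutdown command, so the demonstration uses the essay's second payload; the table and the rows are constructed for the example.

```python
import sqlite3

# The second payload from the text.  SQLite has no SHUTDOWN command, so the
# first payload would merely be a syntax error here.
INJECTION = "'; DELETE FROM users; --"


def fresh_db() -> sqlite3.Connection:
    """In-memory users table with ten constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (userid INTEGER PRIMARY KEY, address TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [(i, f"{i} Main St") for i in range(1, 11)])
    con.commit()
    return con


def update_address_vulnerable(con: sqlite3.Connection, userid: int, address: str) -> str:
    """Builds the statement by string concatenation, as the page above does.
    executescript() runs every statement in the string, like a driver or
    ADO connection that accepts batches, so a stacked query executes too."""
    sql = ("UPDATE users SET address = '" + address +
           "' WHERE userid = " + str(userid) + ";")
    con.executescript(sql)
    return sql


def update_address_safe(con: sqlite3.Connection, userid: int, address: str) -> None:
    """Parameterised query: the SQL text is fixed and the value travels
    separately, so the quote, semicolon and comment marker in the input are
    stored as ordinary characters."""
    con.execute("UPDATE users SET address = ? WHERE userid = ?", (address, userid))
    con.commit()


def user_count(con: sqlite3.Connection) -> int:
    return con.execute("SELECT COUNT(*) FROM users").fetchone()[0]


def address_of(con: sqlite3.Connection, userid: int):
    row = con.execute("SELECT address FROM users WHERE userid = ?", (userid,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    con = fresh_db()
    print(update_address_vulnerable(con, 5, "123 ABC"), "->", address_of(con, 5))
    print(update_address_vulnerable(con, 5, INJECTION), "->", user_count(con), "users left")
    con = fresh_db()
    update_address_safe(con, 5, INJECTION)
    print("safe:", user_count(con), "users left; stored", repr(address_of(con, 5)))
```

The vulnerable function returns the statement it built so the reader can see the quote closing the string early and the comment marker discarding the WHERE clause; the safe version never produces such a string at all, because the value is bound after parsing.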


Countermeasures:

  • Use parameterised queries (prepared statements) so that user input is passed as data and never concatenated into the SQL text; this is the primary defence.
  • Validate your input before you accept it (type, length and allowed characters).
  • If you must build a LIKE pattern from user input, escape the wildcard characters % _ [ by enclosing each in [] before constructing the pattern; this escaping is specific to LIKE and is no substitute for parameterisation.
  • Use stored procedures where you can instead of ad-hoc queries, but note that a stored procedure that itself builds dynamic SQL from its arguments is just as injectable.
  • Run the application's database account with least privilege, so that an injected shutdown or delete is refused.
  • Monitor for injected SQL that differs from what the normal procedure should execute.

  • Technology Solutions

Technology does not leave us facing all these threats and vulnerabilities without solutions that protect this beautiful invention from hackers and breaches. The first line of defence is a set of tools that make it hard for hackers to invade or destroy a website. This section describes some of them.

  • Protecting Internet communication

To protect communication from intruders and eavesdroppers, encryption plays the central role. There are many ways to encrypt; let us first define what encryption is.

Encryption is the process of transforming a plaintext message into a ciphertext message that cannot be read by anyone other than the sender and the intended receiver. The transformation is driven by a key, used to encrypt and to decrypt the message: sender and receiver must each hold the appropriate key to communicate. Keys, and the ciphers built on them, fall into two types:

Symmetric Key Encryption

Sender and receiver share one secret key, used both to encrypt and to decrypt the transmitted message.

Asymmetric Key Encryption (Public Key)

Sender and receiver each have a pair of keys, a public key and a private key. Both publish their public keys to the world; anyone can obtain them. When the sender wants to send a message he fetches the receiver's public key and encrypts the message with it, then sends it; the receiver decrypts it with his own secret private key, which never leaves him. That is the whole idea of public and private keys.

Managing the exchange of public keys becomes a very complex task as the number of Internet users and eCommerce websites grows. This complexity gave rise to a new kind of business, the certificate authority and key-management provider, such as VeriSign, eTrust and Entrust.

  • Digital Signature

A digital signature uses the key pair the other way round. If you want to sign a message so that the receiver is sure it came from you and not from someone else, you compute a hash of the message and encrypt that hash with your private key; the receiver decrypts the signature with your public key and compares the result with his own hash of the message. Only your public key undoes what your private key did, so if the comparison succeeds the receiver knows the message is from you and has not been altered.

  • Digital Certificate

A digital certificate is the public half of a public/private key pair, bound to the identity of its owner and signed by a certificate authority. If you want to open a secure channel with a receiver, you need his certificate, vouched for by a certificate authority such as VeriSign.

Each of the certificate authorities mentioned above has distributed its own root certificate to browser makers such as Microsoft and Netscape, so every browser ships with the CA's public key built in.

Suppose I want to open a secure channel with Bank of America (BOA). BOA has obtained a certificate from VeriSign: BOA's public key and identity, signed with VeriSign's private key. When I contact BOA, it sends me that certificate. My job is to verify VeriSign's signature on it, which I can do because VeriSign's public key is already installed in my browser. If the signature checks out, I now hold BOA's public key and know for sure that it is BOA's and not an impostor's.
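The three ideas above (encrypting with a public key, signing with a private key, and a CA-signed certificate that the client checks with a preinstalled CA key) in one runnable script, added here as an example and not code from the essay. It uses textbook RSA with tiny fixed primes so the arithmetic is visible, which makes it insecure and for illustration only; the primes, the hash-reduction step and the name bank.example are assumptions, and the dict standing in for a certificate is a stand-in for the real X.509 format.

```python
import hashlib


def keypair(p: int, q: int, e: int = 65537):
    """Textbook RSA from two primes: returns (public, private) as (n, exponent)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)            # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public, m: int) -> int:
    """Anyone holding the public key can encrypt a message m < n."""
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def decrypt(private, c: int) -> int:
    """Only the holder of the private key recovers m."""
    n, d = private
    return pow(c, d, n)


def digest(message: bytes, n: int) -> int:
    """Hash the message and reduce it into the modulus range (toy only; real
    schemes pad the hash rather than reducing it)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private, message: bytes) -> int:
    """Signature = hash of the message transformed with the private key."""
    n, d = private
    return pow(digest(message, n), d, n)


def verify(public, message: bytes, signature: int) -> bool:
    """Anyone with the public key checks that the signature opens to the hash."""
    n, e = public
    return pow(signature, e, n) == digest(message, n)


def _cert_body(cert: dict) -> bytes:
    n, e = cert["public"]
    return f"{cert['subject']}|{n}|{e}".encode()


def issue_certificate(ca_private, subject: str, subject_public) -> dict:
    """A certificate is the subject's identity plus public key, signed by the CA."""
    cert = {"subject": subject, "public": subject_public}
    cert["signature"] = sign(ca_private, _cert_body(cert))
    return cert


def verify_certificate(ca_public, cert: dict) -> bool:
    """The browser checks the CA's signature with the CA public key it ships with."""
    return verify(ca_public, _cert_body(cert), cert["signature"])


if __name__ == "__main__":
    # Constructed keys from small fixed primes; real keys use 2048-bit moduli.
    ca_public, ca_private = keypair(1019, 1021)       # plays VeriSign
    bank_public, bank_private = keypair(1009, 1013)   # plays the bank
    cert = issue_certificate(ca_private, "bank.example", bank_public)
    print("certificate valid:", verify_certificate(ca_public, cert))
    c = encrypt(cert["public"], 4242)                 # client -> bank, bank's key
    print("bank decrypts:", decrypt(bank_private, c))
    sig = sign(bank_private, b"balance: 100")
    print("signature valid:", verify(bank_public, b"balance: 100", sig))
```

Note the direction of each key: the client encrypts with the bank's public key and only the bank's private key decrypts, while the bank signs with its private key and anyone with the public key verifies. The certificate check is just the second operation performed with the CA's keys, which is why the browser needs nothing more than the CA's public key preinstalled.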

On these concepts the Secure Sockets Layer (SSL) protocol was built, and it gained wide use and success on the Internet, in communications and in eCommerce; its successor, Transport Layer Security (TLS), is what is deployed today.

The communication then uses HTTPS instead of HTTP, which means HTTP carried over SSL/TLS, and the browser shows the padlock icon in the address bar.