WOT logo

Common Vulnerabilities in E-Commerce Systems and How to Identify Them

Top Risks In E-Commerce

We’ve looked at the scams that can hit online consumers while they’re enthusiastically dishing out their private details to unseen criminals whilst clothes shopping online, buying gifts, ordering groceries, and doing their banking, but what’s going on behind the scenes of these e-commerce websites? While we’re increasingly doing our transactions online and facing a rise in cybercrime, there’s a corresponding rise in the number of cyberattacks against online payment systems rendering them insecure and unreliable. Even Facebook is now an insecure social network, but at least in there are physical ways to take back your Facebook privacy.

As far as online payment systems go, criminals aren’t just attacking vulnerabilities that have been published in reusable third-party components used by websites, like shopping cart software (you know “add to your cart,” “proceed to checkout”), but vulnerabilities that exist in any web application (SQL injection, cross-site scripting etc.). So why do security vulnerabilities arise in shopping cart and online payment systems? Simply because of the wide exposure that an online site has and the financial nature of the transactions. Add to that the fact that web app developers are not very well versed with secure programming techniques, but more focused on meeting deadlines and beating the competition in the fast-moving e-commerce world. Additionally, most online systems are inherently intricate and users have ever-growing tough requirements from their e-commerce providers, which requires complex designs and programming logic.

Often, e-commerce sites flaunt their 128-bit SSL, Thawte or Verisign certificates as proof that their sites are well secured. However, customers are now less gullible and realize that no matter how strong they’ve even made their passwords, for example, it doesn’t take long for cyber-crime experts to crack them. It’s not the website’s fault, it’s just a competitive world in which cybercrime is on the rise (just Google internet security articles for a wakeup call).

Main Vulnerabilities Out There

Some attacks against the security of online payment systems originate with a set of known vulnerabilities, while others are only discovered by the authors during penetration testing. Regardless, there are a slew of different types of vulnerabilities. The results can have a massive impact from price manipulation to compromising confidentiality, crippling a website, or even causing an e-commerce business to go out of business. Here are the most common vulnerabilities.

SQL Injection

This malicious attack occurs when SQL meta-characters are inserted into user input, meaning the hacker’s queries are executed by the back-end database depending on what type is being used. The results on a vulnerable site may range from a detailed error message, which discloses the back-end technology in use, or it may allow the attacker to access restricted areas of the site, permit the execution of operating system commands, or give access to super sensitive data such as credit card numbers and transaction details.

Cross-site Scripting

Cross-site Scripting (XSS) attacks primarily target end-users and leverage: the web application’s lack of input and output validation; and the trust the end-user places in a URL that carries the vulnerable web site’s name — no matter how secure their password is.

The XSS attack requires a web form that admits user input, processes it, and prints out the results on a web page containing the user’s original input. If the user input is printed out without being scrutinized, an attacker can embed JavaScript by providing it as part of the input. By crafting a JavaScript-embedded URL, a victim can be “social engineered” — for example by receiving a spoof email seemingly originating from the official site asking them to click a link to verify their details. This directs them to an attacker’s fake site that looks like the official one. The user then enters sensitive information (credit card or social security number, etc.) in what is called a “phishing scam.” This is why it’s essential for users be know the HTTP rules (e.g. a website must begin with “https” not “http) and others, explaining how to know if a website is safe or not.

Price Manipulation

This vulnerability is virtually entirely exclusive to payment gateways and online shopping carts. Most commonly, the total price of the purchased goods to be paid is stored in a hidden HTML field of a dynamically generated web page. Attackers can use a web application proxy to modify the final amount payable to any value they choose. If the site has a huge amount of transactions, the manipulation will probably slip by unnoticed, or be discovered too late. Repeated attacks could cripple the provider’s viability.

How to Counter These Vulnerabilities

The be-all-and-end-all is to build security into the web application at the design stage and include a detailed risk assessment where the team plus security experts analyze the impact, vulnerabilities, and threat probabilities for the system. Once these risks are listed, system countermeasures must be designed. These should also include strict input validation procedures, the use of open-source cryptographic standards, a 3-tier modular architecture, and other secure coding practices.


The vulnerabilities mentioned don’t only apply to online payment systems or shopping carts, but to any type of web application. It’s just that with e-commerce systems they are more severe given the financial nature of transactions. Companies can lose money, their reputations, and face law suits for violating customer privacy. Security is prime in designing such websites to give customers a full safety assurance guarantee. Consumers, on the other hand, hold the responsibility to become au fait with tips for browsing safely!

Leave a Reply

Your email address will not be published. Required fields are marked *