How to Apply the OWASP Top 10 to your eCommerce Solution

Let’s take it from the beginning. The Open Web Application Security Project, or OWASP for short, is an international nonprofit foundation that strives to enhance software and application security. The organization achieves its goals via community-led open-source software projects, hundreds of local chapters globally, thousands of members, and top training and educational conferences. In short, the OWASP Foundation is THE authority on security online for developers and technologists. Therefore, it’s safe to say that the “top ten web application security risks” list that the organization revises and publishes every few years is a fantastic starting point for any online business that wants to assess its security standing.


The list represents a broad consensus among top security experts on the most prevalent security threats facing web applications. The experts in this case are drawn from security vendors, security consultants, and the security teams of organizations of every kind. The goal of the OWASP Top 10 is to build a culture of secure web development and web application security through shared awareness.


We’ve outlined the current list of vulnerabilities below to understand their impact and how to dodge them altogether.



Injection

Injection vulnerabilities take place when bad actors send untrusted data to an interpreter as part of a query or command, typically through SQL, NoSQL, OS command, or LDAP injection. The untrusted data tricks the interpreter into making the application perform actions that go against its programming, such as executing unintended commands or accessing data without the necessary authentication. Any web application that accepts parameters as input can be an easy target for injection attacks. The degree of risk corresponds directly to the attention to detail paid to the application’s input validation measures.


Injection vulnerabilities are commonplace in the world of eCommerce; WordPress sites were put on high alert late last year with word of a PHP object-injection bug in Welcart, a shopping cart application. We also briefly touch on SQL injection in our list of Top Security Risks for your eCommerce Solution.


Examples of injections include SQL injections, CRLF injections, LDAP injections, and more.


An application may find itself in a pickle with an injection attack for a number of reasons, including the use of insecure frameworks, non-parameterized queries, and inappropriate permissions and privileges. Accepting unvalidated and unsanitized user input is another way to open up your web shop to the threat of injection.


There are many ways to combat injection attacks, and often, they can be used in conjunction with one another:

  • Keep commands separate from data, so that input supplied as data can never be executed as a command.

  • Use a safe API that avoids the interpreter entirely, or provides a parameterized interface.

  • Write SQL queries with bound parameters (parameterized queries) instead of composing the command text from user input.

  • Implement positive (allow-list) server-side input validation, along with an intrusion detection system that alerts on suspicious user behavior, such as our Data Breach Monitoring.
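The parameterized-query and positive-validation bullets above, as an added example that is not code from the article or from Lokte. It uses Python's standard sqlite3 module; the product table and the search probe are constructed for the demonstration, and the vulnerable search is included only to show why string-built SQL cannot be saved by quoting alone:

```python
import sqlite3


def build_catalogue():
    """Constructed sample catalogue (not from the article), kept in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products ("
        "id INTEGER PRIMARY KEY, name TEXT, price_cents INTEGER, published INTEGER)"
    )
    conn.executemany(
        "INSERT INTO products (name, price_cents, published) VALUES (?, ?, ?)",
        [("Blue Mug", 1200, 1), ("Red Mug", 1250, 1), ("Unreleased Mug", 9999, 0)],
    )
    conn.commit()
    return conn


def search_unsafe(conn, term):
    """Vulnerable pattern (do not use): the search term is spliced into the SQL
    text, so the interpreter cannot tell the shop's query apart from user input."""
    sql = f"SELECT name FROM products WHERE published = 1 AND name = '{term}'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, term):
    """Parameterized query: the term travels as a bound value, never as SQL,
    so quotes and keywords inside it are just characters of a product name."""
    sql = "SELECT name FROM products WHERE published = 1 AND name = ?"
    return [row[0] for row in conn.execute(sql, (term,))]


# Identifiers (column names, sort direction) cannot be bound as parameters,
# so positive validation against an allow-list is the control for them.
SORTABLE_COLUMNS = {"name", "price_cents"}


def list_published(conn, sort_by="name", descending=False):
    if sort_by not in SORTABLE_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    direction = "DESC" if descending else "ASC"
    sql = f"SELECT name FROM products WHERE published = 1 ORDER BY {sort_by} {direction}"
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    conn = build_catalogue()
    probe = "' OR '1'='1"
    print("unsafe:", search_unsafe(conn, probe))  # every row, including the unpublished one
    print("safe:  ", search_safe(conn, probe))    # [], no product has that literal name
    print(list_published(conn, "price_cents", descending=True))
```

With the probe string, the unsafe search returns all three rows because the filter collapses to a condition that is always true, while the parameterized search returns nothing, and the sort helper raises on any column name that is not on its allow-list.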


Broken Authentication

Improperly configured authentication and session management are easily taken advantage of by bad actors, who utilize them to commit identity fraud, obtain passwords and keys, hijack sessions, or even assume control over the entire web shop by assuming the identities of authentic users. This vulnerability presents a severe threat to the safety of your eCommerce solution and the assets it accesses, and it can also seriously jeopardize other resources linked to the same network.


Broken authentication is most often caused by lackluster password policies, poor session management policies and practices, and issues with authentication mechanisms.


But fear not, fair merchant - remediation is at hand. There are a number of actions you can take today to protect your business, such as implementing multi-factor authentication, practicing good password hygiene, monitoring failed login attempts, and using a secure session manager that creates time-limited, randomized session IDs. Be sure to avoid including session IDs in URLs. And finally, refrain from deploying with default credentials, particularly for users that hold admin rights.
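A server-side session store with randomized, time-limited IDs, plus a failed-login counter, as an added example that is not code from the article or from Lokte. The time limits and lockout threshold are assumed policy values, and the clock is injectable only so the behaviour can be exercised without waiting:

```python
import secrets
import time

SESSION_TTL_SECONDS = 15 * 60       # assumed policy: sessions expire after 15 minutes
MAX_FAILED_LOGINS = 5               # assumed policy: lock after 5 failures in the window
FAILURE_WINDOW_SECONDS = 10 * 60


class SessionStore:
    """Session table keyed by a random ID; the browser holds only the ID, in a cookie."""

    def __init__(self, now=time.time):
        self._now = now
        self._sessions = {}  # session_id -> (username, expires_at)

    def create(self, username):
        session_id = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[session_id] = (username, self._now() + SESSION_TTL_SECONDS)
        return session_id

    def resolve(self, session_id):
        """Return the username for a live session, or None if unknown or expired."""
        entry = self._sessions.get(session_id)
        if entry is None:
            return None
        username, expires_at = entry
        if self._now() >= expires_at:
            del self._sessions[session_id]
            return None
        return username

    def rotate(self, session_id):
        """Issue a fresh ID after login so a pre-login ID cannot be reused (fixation)."""
        username = self.resolve(session_id)
        if username is None:
            return None
        del self._sessions[session_id]
        return self.create(username)

    def destroy(self, session_id):
        self._sessions.pop(session_id, None)


def session_cookie(session_id):
    """Cookie attributes that keep the ID off clear-text links and away from scripts."""
    return (f"session={session_id}; Secure; HttpOnly; SameSite=Lax; "
            f"Path=/; Max-Age={SESSION_TTL_SECONDS}")


class LoginGuard:
    """Counts failed logins per account in a sliding window and locks the account."""

    def __init__(self, now=time.time):
        self._now = now
        self._failures = {}  # username -> failure timestamps inside the window

    def _recent(self, username):
        cutoff = self._now() - FAILURE_WINDOW_SECONDS
        recent = [t for t in self._failures.get(username, []) if t > cutoff]
        self._failures[username] = recent
        return recent

    def is_locked(self, username):
        return len(self._recent(username)) >= MAX_FAILED_LOGINS

    def record_failure(self, username):
        """Record one failure; returns True when the account is now locked."""
        self._recent(username).append(self._now())
        return self.is_locked(username)

    def record_success(self, username):
        self._failures.pop(username, None)
```

A login handler would check `LoginGuard.is_locked` before verifying the password, call `record_success` and then `SessionStore.rotate` on success, and emit the `session_cookie` header rather than putting the ID in a URL.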


Sensitive Data Exposure

Sensitive data exposure is certainly the most widespread vulnerability from the OWASP Top 10 list. Inadequate and inappropriate security processes, policies, and practices in applications empower bad actors to gain entry and steal sensitive data that can be leveraged to commit credit card fraud, identity theft, and more.


As with many other vulnerabilities, poor data security policies and procedures are often the culprit for sensitive data exposure. Other causes include the caching of private data and failing to encrypt databases and data both in transit and at rest. Unencrypted data is a pot of gold for bad actors in particular, because it allows them to carry out a vast number of crimes, ranging from fraud to industrial espionage. Finally, collecting and storing unneeded data is another pitfall.


Data protection is critically important for any business or institution that stores personally identifiable information (PII) - and that includes eCommerce businesses.


To guard your business against sensitive data exposure, adopt a risk-based approach that applies stringent controls to private data that falls under compliance requirements. For data in transit, install SSL certificates to establish encrypted connections between the host server/firewall and the web browser. For data at rest, encrypt all sensitive data that you do need to store. Avoid storing data that is unneeded, and disable caching for responses that may include private data.


XML External Entities (XXE)

The XXE vulnerability stems from a scenario where XML external entities are parsed by badly configured and/or legacy XML parsers or processors. The parser can be tricked into resolving an entity that points somewhere it should not, such as a file on the server’s hard drive, and handing that data to an unauthorized destination. Bad actors can utilize XXE vulnerabilities to obtain access to classified data, external or backend systems, and server filesystems. From there, bad actors can dabble in remote code execution, data corruption, CSRF, and DoS attacks.


XXE vulnerabilities often happen when DTD processing and external entities are left enabled. Out-of-date and improperly configured XML processors and libraries are other contributing factors, along with unvalidated and unsanitized file uploads, URLs, and user inputs. Finally, unchecked configurations and dependencies may also cause XXE vulnerabilities.


Again, prevention is key here. Disable DTD and external entity processing in every XML parser you use, and confirm that the XML/XSL file upload functionality validates incoming XML with XSD validation. Ensure that the XML libraries and processors are regularly upgraded and patched. Do not serialize sensitive data, and prefer simpler data formats like JSON where you can.
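A hardened parser for an uploaded order document, as an added example that is not code from the article or from Lokte. It uses Python's standard xml.etree module, rejects any DOCTYPE or ENTITY declaration before the parser sees the bytes, and validates the structure in place of a full XSD; the size limit, the UTF-8-only policy and the `<order>`/`<item>` layout are assumptions for the example:

```python
import re
import xml.etree.ElementTree as ET

MAX_DOCUMENT_BYTES = 256 * 1024          # assumed upload limit
# An order document never needs a DTD, so any declaration is refused outright.
DTD_MARKER = re.compile(r"<!(DOCTYPE|ENTITY)", re.IGNORECASE)
SKU_PATTERN = re.compile(r"[A-Z0-9-]{3,20}")


class RejectedXML(ValueError):
    """Raised when an upload violates the accepted shape."""


def parse_order(data: bytes):
    """Parse an <order> upload into [(sku, qty), ...] or raise RejectedXML."""
    if len(data) > MAX_DOCUMENT_BYTES:
        raise RejectedXML("document too large")
    try:
        text = data.decode("utf-8")        # assumed policy: UTF-8 only, so the
    except UnicodeDecodeError:             # marker check below sees real text
        raise RejectedXML("document must be UTF-8") from None
    if DTD_MARKER.search(text):
        raise RejectedXML("DTD and entity declarations are not accepted")
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        raise RejectedXML(f"malformed XML: {exc}") from None

    # Structural validation: only the expected root, children and attributes.
    if root.tag != "order":
        raise RejectedXML(f"unexpected root element {root.tag!r}")
    items = []
    for child in root:
        if child.tag != "item":
            raise RejectedXML(f"unexpected element {child.tag!r}")
        sku = child.get("sku", "")
        qty = child.get("qty", "")
        if not SKU_PATTERN.fullmatch(sku):
            raise RejectedXML("invalid sku")
        if not qty.isdigit() or not 1 <= int(qty) <= 999:
            raise RejectedXML("invalid qty")
        items.append((sku, int(qty)))
    if not items:
        raise RejectedXML("order has no items")
    return items
```

Refusing the DTD up front is what libraries such as defusedxml do with their forbid-DTD option; the structural checks afterwards are the XSD-style validation the section calls for, reduced to the fields this document type actually carries.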


Broken Access Controls

Security access controls for a web application act as digital barriers to users that only allow access to specific pages or sections of the website that have been deemed necessary for that user. For instance, the administrators of your eCommerce solution must be able to add new products or marketing promotional campaigns; these functions should not be available for other types of users.


Broken or misconfigured access controls allow bad actors to bypass authorization and perform actions that should be prohibited. Such actions may include changing or deleting data, altering access rights, and so on. Broken access control is often caused by missing or non-functioning controls and restrictions, and by misconfigured policies. The principle of least privilege is often not applied where broken access control is discovered, and often unneeded services, legacy functionality, open ports, and dormant accounts are also to blame.


Keep your eCommerce solution safe by monitoring the activities on your website and server so you have a clear picture of who is logging in and what they are doing during that time. Implement a least-privilege approach, meaning that each user level is allowed the lowest level of access required to perform its duties. Ensure that user accounts that are no longer needed or active are deleted promptly. Disable any access points that are not currently needed, and disable unnecessary services on your servers.
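A least-privilege role model with both function-level and object-level checks, as an added example that is not code from the article or from Lokte. The roles, permissions, users and orders are constructed for the demonstration; every decision is also written to an audit list so the monitoring the section asks for has something to read:

```python
import functools

# Constructed role model: each role gets only the permissions its job needs.
ROLE_PERMISSIONS = {
    "customer": {"view_product", "place_order", "view_own_orders"},
    "support": {"view_product", "view_own_orders", "view_any_order"},
    "catalogue_admin": {"view_product", "add_product", "create_promotion"},
}

AUDIT_LOG = []  # (user, action, decision) for later review


class Forbidden(PermissionError):
    pass


class User:
    def __init__(self, name, role, active=True):
        self.name, self.role, self.active = name, role, active


def has_permission(user, permission):
    """Deny by default: unknown roles and deactivated accounts get nothing."""
    if not user.active:
        return False
    return permission in ROLE_PERMISSIONS.get(user.role, set())


def require(permission):
    """Decorator enforcing a function-level permission on the server side."""
    def decorator(fn):
        @functools.wraps(fn)
        def wrapper(user, *args, **kwargs):
            allowed = has_permission(user, permission)
            AUDIT_LOG.append((user.name, fn.__name__, "allow" if allowed else "deny"))
            if not allowed:
                raise Forbidden(f"{user.name} may not {permission}")
            return fn(user, *args, **kwargs)
        return wrapper
    return decorator


@require("add_product")
def add_product(user, catalogue, name, price_cents):
    catalogue[name] = price_cents
    return name


@require("view_own_orders")
def view_order(user, orders, order_id):
    """The function-level check is not enough: the object must also belong to
    the caller, otherwise any customer could read any order by changing the ID."""
    order = orders[order_id]
    if order["owner"] != user.name and not has_permission(user, "view_any_order"):
        AUDIT_LOG.append((user.name, "view_order", "deny-object"))
        raise Forbidden(f"{user.name} may not view order {order_id}")
    return order
```

The `view_order` check is the part most shops get wrong: a customer who is allowed to view orders in general must still be stopped from viewing another customer's order, and that comparison has to happen on the server, not in the page.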


Security Misconfiguration

Security controls are meant to safeguard your web shop; unfortunately, when they are implemented incorrectly, they give rise to security misconfigurations. These can include verbose error messages, legacy software, misconfigured HTTP headers, leaving debug mode on after development, partial configurations, default settings, unused pages, and more.


Security misconfiguration is most often caused by human error, the usage of default settings and configurations, and poor temporary configurations. Weak gateways in the application are another common cause.


Security misconfigurations can be found almost anywhere, such as in databases, servers, containers, and devices linked to your network. Implement best practice when it comes to configuration, such as using templates to launch test, development and production environments that are preconfigured to the security standards of your business. Remove any features or services that are not needed or in use by your platform. Use a segmented application architecture, which significantly decreases the impact of a misconfigured element, and maintain a library of securely configured container images. Monitor your applications, cloud resources and servers routinely for security misconfigurations and immediately rectify any apparent issues with the help of automated workflows.
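A routine configuration audit of the kind the previous paragraph recommends, as an added example that is not code from the article or from Lokte. The check list follows the misconfigurations the section names (debug mode, verbose errors, default credentials, missing headers, unused features); the default-credential list, required headers and the two sample configurations are constructed for the demonstration:

```python
# Constructed check list; extend it from your own hardening standard.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root")}
REQUIRED_HEADERS = {
    "Strict-Transport-Security",
    "Content-Security-Policy",
    "X-Content-Type-Options",
    "X-Frame-Options",
}


def audit_config(cfg):
    """Return a list of human-readable findings for one deployment configuration."""
    findings = []
    if cfg.get("debug") and cfg.get("environment") != "development":
        findings.append("debug mode is enabled outside development")
    if cfg.get("verbose_errors"):
        findings.append("detailed error messages are returned to clients")
    if cfg.get("directory_listing"):
        findings.append("directory listing is enabled")
    for username, password in cfg.get("accounts", []):
        if (username, password) in DEFAULT_CREDENTIALS:
            findings.append(f"account {username!r} still uses a default password")
    for header in sorted(REQUIRED_HEADERS - set(cfg.get("response_headers", {}))):
        findings.append(f"missing response header {header}")
    unused = set(cfg.get("enabled_features", [])) - set(cfg.get("features_in_use", []))
    for feature in sorted(unused):
        findings.append(f"feature {feature!r} is enabled but not in use")
    return findings


# Weak setting beside its corrected form (both constructed).
WEAK_CONFIG = {
    "environment": "production",
    "debug": True,
    "verbose_errors": True,
    "directory_listing": True,
    "accounts": [("admin", "admin"), ("shopmgr", "example-unique-passphrase")],
    "response_headers": {"Content-Type": "text/html"},
    "enabled_features": ["checkout", "legacy_xmlrpc", "sample_pages"],
    "features_in_use": ["checkout"],
}

HARDENED_CONFIG = {
    "environment": "production",
    "debug": False,
    "verbose_errors": False,
    "directory_listing": False,
    "accounts": [("shopmgr", "example-unique-passphrase")],
    "response_headers": {
        "Content-Type": "text/html",
        "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
        "Content-Security-Policy": "default-src 'self'",
        "X-Content-Type-Options": "nosniff",
        "X-Frame-Options": "DENY",
    },
    "enabled_features": ["checkout"],
    "features_in_use": ["checkout"],
}

if __name__ == "__main__":
    for line in audit_config(WEAK_CONFIG):
        print("FINDING:", line)
    print("hardened findings:", audit_config(HARDENED_CONFIG))
```

Run against every environment from the same template on a schedule, and treat a non-empty finding list as a pipeline failure rather than a report to read later.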


Cross-Site Scripting (XSS)

Bad actors utilize XSS vulnerabilities to inject malicious client-side JavaScript or HTML scripts into your application. Once the malicious code is in place, the bad actor uses the application to transmit the payload to their victims. XSS vulnerabilities allow bad actors to redirect users to different websites, hijack web sessions, and even deface websites.


Insecure coding practices, and unvalidated and unsanitized user input and/or user-generated content, are the usual weaknesses that lead to cross-site scripting.


To protect your online store against cross-site scripting, use security headers to your advantage - specifically, Content Security Policy. Lokte’s Data Breach Monitoring is also a fantastic tool that alerts on suspicious behavior, including XSS attacks. Keep a strict eye on user input data by separating active browser content from unvalidated data. Either train your developers, or ensure you hire developers that understand coding best practice, such as appropriate HTML/JavaScript encoding methods. Enforce code vulnerability testing at both the design and development stages, and scan code in your production phase as well.
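Output encoding and a Content Security Policy for a product-review page, as an added example that is not code from the article or from Lokte. It uses Python's standard html and urllib modules; the review markup, the allowed URL schemes and the policy directives are assumptions for the example, and the unescaped renderer is shown only to contrast with the encoded one:

```python
import html
import secrets
from urllib.parse import urlsplit


def render_review_unsafe(author, body):
    """Vulnerable pattern (do not use): user-generated content goes straight into the page."""
    return f"<p><b>{author}</b>: {body}</p>"


def render_review(author, body):
    """Contextual output encoding for the HTML element context."""
    return f"<p><b>{html.escape(author)}</b>: {html.escape(body)}</p>"


ALLOWED_URL_SCHEMES = {"http", "https"}  # assumed policy for user-supplied links


def safe_link(url, label):
    """Escaping alone does not make a URL safe inside href: the scheme must be
    allow-listed too, otherwise a script: style URL survives encoding intact."""
    scheme = urlsplit(url).scheme.lower()
    if scheme not in ALLOWED_URL_SCHEMES:
        return html.escape(label)  # degrade to plain text instead of a link
    return f'<a href="{html.escape(url, quote=True)}">{html.escape(label)}</a>'


def content_security_policy(nonce):
    """Only scripts the server tagged with this request's nonce may run; script
    that an attacker managed to inject into the page carries no nonce."""
    return ("default-src 'self'; "
            f"script-src 'self' 'nonce-{nonce}'; "
            "object-src 'none'; base-uri 'self'; frame-ancestors 'none'")


def security_headers():
    """Per-request nonce and the response headers to send with the page."""
    nonce = secrets.token_urlsafe(16)
    return nonce, {
        "Content-Security-Policy": content_security_policy(nonce),
        "X-Content-Type-Options": "nosniff",
    }


def script_tag(nonce, src):
    """The same nonce goes on every script tag the server itself emits."""
    return f'<script nonce="{nonce}" src="{html.escape(src, quote=True)}"></script>'
```

The encoding step stops injected markup from being parsed as HTML, and the CSP is the second layer: even if an encoding mistake slips through somewhere, a browser that honours the policy will not execute an inline script that lacks the request's nonce.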


Insecure Deserialization

Insecure deserialization attacks target applications that routinely serialize and deserialize data. Insecure deserialization breeds privilege escalation attacks, DDoS attacks, injection attacks, remote code execution, and more. Deserializing data from untrusted sources is usually the culprit.


The best weapon against insecure deserialization is refusing to accept serialized objects from untrusted or unknown sources. If you cannot implement such a strict strategy, use digital signatures to verify the integrity of serialized objects before deserializing them. Ensure that your application code spots unexpected classes by enforcing type constraints during deserialization, and limit the damage of anything that slips through by running deserialization code in low-privilege environments.
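The signature-then-type-constraint approach from the paragraph above, as an added example that is not code from the article or from Lokte. A shopping cart is carried as signed JSON (a data-only format), and for legacy data that must stay in Python's pickle format an unpickler with a class allow-list is shown; the signing key, the cart layout and the two sample pickles are constructed for the demonstration, and `restricted_loads` reports refused classes through the same `InvalidPayload` error as the JSON path:

```python
import base64
import hashlib
import hmac
import io
import json
import pickle

SIGNING_KEY = b"constructed-demo-key-use-a-managed-secret-in-production"  # assumption


class InvalidPayload(ValueError):
    pass


def _is_int(value):
    return isinstance(value, int) and not isinstance(value, bool)


def sign_cart(cart):
    """Serialize to JSON (the format carries no code) and append an HMAC over the bytes."""
    payload = json.dumps(cart, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(tag).decode())


def load_cart(token):
    """Verify the signature first, then enforce the expected shape before any use."""
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except (ValueError, TypeError):          # binascii.Error is a ValueError
        raise InvalidPayload("malformed token") from None
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise InvalidPayload("bad signature")
    cart = json.loads(payload)
    # Type constraints: exactly the keys and value types the application expects.
    if not isinstance(cart, dict) or set(cart) != {"customer_id", "items"}:
        raise InvalidPayload("unexpected structure")
    if not _is_int(cart["customer_id"]) or not isinstance(cart["items"], list):
        raise InvalidPayload("unexpected types")
    for item in cart["items"]:
        if not (isinstance(item, dict) and set(item) == {"sku", "qty"}
                and isinstance(item["sku"], str) and _is_int(item["qty"]) and item["qty"] > 0):
            raise InvalidPayload("unexpected item")
    return cart


class RestrictedUnpickler(pickle.Unpickler):
    """For legacy pickle data only: refuse to resolve any class outside a short
    allow-list of plain containers, so a payload cannot name arbitrary code."""
    ALLOWED = {("builtins", n) for n in ("dict", "list", "set", "tuple", "str", "int", "float", "bool")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to load {module}.{name}")


def restricted_loads(data):
    try:
        return RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        raise InvalidPayload(str(exc)) from None


# Constructed samples: a plain container, and a pickle that merely references a
# builtin function by name, which the restricted loader must still refuse.
SAFE_PICKLE = pickle.dumps({"a": [1, 2]})
CODE_REFERENCE_PICKLE = pickle.dumps(len)
```

The order matters: the HMAC check rejects tampered or foreign tokens before `json.loads` ever runs, and the shape check afterwards means a token the server itself signed for a different purpose still cannot be replayed as a cart.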


Using Components with Known Vulnerabilities

Modern online shops, whether small or large, simple or complex, contain numerous components, such as libraries, frameworks, third-party widgets, open-source code, etc. If a component is known to have a vulnerability, you can be sure that bad actors are well aware of this (often) publicly available knowledge. Don’t fall victim as a result of using a component with a known vulnerability - either fix the issue, or switch to another component altogether!


The most effective remediation is to continuously scan your code components for known weaknesses and to apply a patch immediately when a vulnerability is spotted.


Insufficient Logging & Monitoring

Routine and efficient logging and monitoring procedures are vital for more effective and agile security within your eCommerce store. Deficient processes, along with a lack of incident response, understandably heighten security risks. These poor practices practically hand bad actors a key to your kingdom by allowing them to easily deploy further attacks, move laterally across your system, obtain access to data, and more.


To avoid issues caused by insufficient logging and monitoring, put logging and audit software to use that will quickly recognize suspicious behavior and multiple failed access attempts. Even when an attack fails, the logs will help you examine the source of the attempt and understand how to avoid similar threats in the future.
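The "multiple failed access attempts" detection from the paragraph above, run over sample log lines, as an added example that is not code from the article or from Lokte. The log format, the threshold and window, and the sample lines (using TEST-NET addresses) are constructed for the demonstration:

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> <source ip> <EVENT> user=<name>"
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<ip>\S+) (?P<event>\w+) user=(?P<user>\S+)$"
)

# Constructed sample of an application's authentication log.
SAMPLE_LOG = """\
2024-03-01T10:00:01 203.0.113.5 LOGIN_FAIL user=alice
2024-03-01T10:00:03 203.0.113.5 LOGIN_FAIL user=bob
2024-03-01T10:00:04 198.51.100.7 LOGIN_OK user=carol
2024-03-01T10:00:06 203.0.113.5 LOGIN_FAIL user=carol
this line is not in the expected format
2024-03-01T10:00:09 203.0.113.5 LOGIN_FAIL user=dave
2024-03-01T10:00:11 203.0.113.5 LOGIN_FAIL user=erin
2024-03-01T10:00:15 203.0.113.5 LOGIN_OK user=erin
2024-03-01T10:20:00 198.51.100.7 LOGIN_FAIL user=carol
2024-03-01T10:30:00 198.51.100.7 LOGIN_OK user=carol
"""


def parse_log(text):
    """Yield (timestamp, ip, event, user) tuples; unparseable lines are counted,
    not silently dropped, because missing evidence is itself a finding."""
    skipped = 0
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            skipped += 1
            continue
        yield datetime.fromisoformat(m["ts"]), m["ip"], m["event"], m["user"]
    if skipped:
        yield None, None, "UNPARSED", str(skipped)


def detect_login_bursts(text, threshold=5, window=timedelta(minutes=5)):
    """Alert when one source IP fails at least `threshold` logins inside `window`.
    Distinct usernames from one address point at credential stuffing, and a
    success right after the burst is the case that needs the fastest response."""
    failures = defaultdict(deque)     # ip -> failure timestamps inside the window
    users_tried = defaultdict(set)
    alerts = {}
    unparsed = 0
    for ts, ip, event, user in parse_log(text):
        if event == "UNPARSED":
            unparsed = int(user)
        elif event == "LOGIN_FAIL":
            q = failures[ip]
            q.append(ts)
            users_tried[ip].add(user)
            while q and ts - q[0] > window:
                q.popleft()
            if ip in alerts:
                alerts[ip]["count"] += 1
            elif len(q) >= threshold:
                alerts[ip] = {"ip": ip, "first_failure": q[0], "count": len(q),
                              "distinct_users": len(users_tried[ip]), "success_after": None}
        elif event == "LOGIN_OK" and ip in alerts and alerts[ip]["success_after"] is None:
            alerts[ip]["success_after"] = (ts, user)
    return list(alerts.values()), unparsed
```

The sliding window keeps memory bounded to the failures that still matter, and the `success_after` field is what turns a noisy brute-force alert into an incident: an account was probably just taken over and its session should be invalidated while the investigation starts.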


In Conclusion

The list above contains the most common and severe vulnerabilities found in web applications today, yet it’s astounding that many online businesses still fall victim as a result of one of these weaknesses. In addition to reviewing this list, consider a Penetration Test to help you understand exactly where the weak points are in your eCommerce solution. Lokte carries out both an automated and manual assessment on your web application and the infrastructure, and we detect and analyze any vulnerabilities present in your system to ensure they cannot be used against you. Keep your sensitive data safe - contact us today!




