30 Days of Security Testing – Day Twenty-Eight

The challenge for Day Twenty-Eight is – Share security testing ideas for specific domains

For this challenge I thought I’d look at E-Commerce as a domain, as there are plenty of opportunities to test for security vulnerabilities.

Some items to check if you were looking at testing the security of an e-commerce application:

  • Authentication – is there a lockout after too many failed login attempts? Is there two-factor authentication? Is there a password complexity policy? Are login attempts sent encrypted?
  • Interception – are requests sent securely? Is it possible to capture a user's cookie and hijack their session?
  • Access – once authorised, is it possible to change your own user rights? Can you change your user ID and access another user's records?
  • Injection – is it possible to run SQL injection attacks on input fields? If there are sections where you can add comments, can you run XSS attacks?
  • Payment – how are payments handled? How and where is payment information stored, and how secure is that storage?
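As an added example (not part of the original post, and not code from any particular shop), here is the "Access" item above turned into a repeatable check. It models an order lookup in memory with constructed sample data so it runs offline; the function names `get_order_vulnerable`, `get_order_secure` and `leaks_other_users_records` are hypothetical. The vulnerable handler sits beside the fixed one so you can see both what the tester looks for and what the developer changes.

```python
"""Worked check for the "Access" item: can one user read another user's records?

Added example, not from the original post. It models an order lookup
endpoint in memory (constructed data) so the check runs offline.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class Order:
    order_id: int
    owner: str          # username that placed the order
    total_pence: int


# Constructed sample data standing in for the orders table.
ORDERS: Dict[int, Order] = {
    1001: Order(1001, "alice", 4999),
    1002: Order(1002, "bob", 12000),
}


def get_order_vulnerable(session_user: str, order_id: int) -> Optional[Order]:
    """Looks the order up by ID only. The session user is ignored, so any
    authenticated user can read any order simply by changing the ID
    (an insecure direct object reference)."""
    return ORDERS.get(order_id)


def get_order_secure(session_user: str, order_id: int) -> Optional[Order]:
    """Same lookup, but the result is only returned when the order belongs
    to the session user. Unknown and foreign orders both return None so
    the response does not reveal whether the ID exists."""
    order = ORDERS.get(order_id)
    if order is None or order.owner != session_user:
        return None
    return order


Handler = Callable[[str, int], Optional[Order]]


def leaks_other_users_records(handler: Handler) -> bool:
    """The checklist question, automated: act as alice and request an
    order that belongs to bob. Returns True when the handler hands back
    bob's data."""
    foreign = handler("alice", 1002)
    return foreign is not None and foreign.owner != "alice"


def audit() -> Dict[str, bool]:
    """Run the check against both handlers and report which one leaks."""
    return {
        "vulnerable_handler_leaks": leaks_other_users_records(get_order_vulnerable),
        "secure_handler_leaks": leaks_other_users_records(get_order_secure),
    }


if __name__ == "__main__":
    for name, leaked in audit().items():
        print(f"{name}: {'FAIL' if leaked else 'ok'}")
```

The same shape of check (authenticate as one user, request a resource belonging to another, assert the response is empty or denied) applies to baskets, addresses and saved cards as well as orders, and belongs in the application's own test suite so the fix cannot quietly regress.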

Thanks for reading my post and following my progress through the 30 Days of Security Testing.

For more on security testing please visit here, or for any of my other ramblings visit here.

Feel like joining in? Sign into the WeTest Slack group and get involved!
