The challenge for Day Twenty-Eight is – Share security testing ideas for specific domains
For this challenge I thought I’d look at E-Commerce as a domain, as there are plenty of opportunities to test for security vulnerabilities.
Some items to check if you were looking at testing the security of an e-commerce application:
- Authentication – is there a lockout function after too many failed attempts? Is there two-factor authentication? Is there a password complexity policy? Are login attempts sent over an encrypted connection?
- Interception – Are requests sent securely? Is it possible to capture a user cookie and hijack a session?
- Access – Once authorised, is it possible to change your own user rights? Can you change your user ID and access another user's records?
- Injection – Is it possible to run SQL injection attacks on input fields? If there are sections where you can add comments, can you run XSS (cross-site scripting) attacks?
- Payment – how are payments handled? How and where is payment information stored – how secure is this?
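As an added illustration (not part of the original post) of the Access and Authentication items above, here is a small Python model of what a tester is probing: an order lookup that trusts the ID in the request beside one that checks ownership against the session identity, and a per-account failed-login counter. The order data and the lockout threshold are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed sample data: two customers, each with one order.
ORDERS = {
    1001: {"owner": "alice", "total": 42.00},
    1002: {"owner": "bob", "total": 17.50},
}


class Forbidden(Exception):
    """Raised when a caller tries to read a record they do not own."""


def get_order_insecure(order_id: int) -> dict:
    # Looks up by ID only: any logged-in user can read any order
    # simply by changing the ID in the request (the "Access" test above).
    return ORDERS[order_id]


def get_order_secure(requesting_user: str, order_id: int) -> dict:
    # Object-level authorization: the ID from the request is never trusted
    # on its own; ownership is checked against the authenticated user.
    order = ORDERS[order_id]
    if order["owner"] != requesting_user:
        raise Forbidden(f"{requesting_user} may not read order {order_id}")
    return order


def idor_exposed(requesting_user: str, order_id: int) -> bool:
    """True if the insecure lookup hands back a record the user does not own."""
    return get_order_insecure(order_id)["owner"] != requesting_user


def secure_lookup_blocked(requesting_user: str, order_id: int) -> bool:
    """True if the hardened lookup refuses the cross-user request."""
    try:
        get_order_secure(requesting_user, order_id)
    except Forbidden:
        return True
    return False


@dataclass
class LoginGuard:
    """Counts failed attempts per account and locks after a threshold."""
    max_failures: int = 5  # constructed threshold, not a recommendation
    failures: dict = field(default_factory=dict)

    def is_locked(self, username: str) -> bool:
        return self.failures.get(username, 0) >= self.max_failures

    def record_failure(self, username: str) -> bool:
        # Returns True once this failure has pushed the account into lockout.
        self.failures[username] = self.failures.get(username, 0) + 1
        return self.is_locked(username)

    def record_success(self, username: str) -> None:
        self.failures.pop(username, None)
```

A real application would also key the counter on something the attacker cannot freely vary (and reset it on a timer), but the check a tester performs is the same: does the account lock, and does the lookup refuse another user's ID?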
Thanks for reading my post and following my progress through the 30 Days of Security Testing.
Feel like joining in? Sign into the WeTest Slack group and get involved!