Get premium membership and access questions with answers, video lessons as well as revision papers.
1.? Buffer overflows
Attackers exploit buffer overflow issues by overwriting the memory of an application. This changes the execution path of the program, triggering a response that damages files or exposes private information. For example, an attacker may introduce extra code, sending new instructions to the application to gain access to IT systems.
If attackers know the memory layout of a program, they can intentionally feed input that the buffer cannot store, and overwrite areas that hold executable code, replacing it with their own code.
Buffer overflow vulnerabilities are not very common in shopping cart or other web applications using Perl, PHP, ASP, etc. However, sending in a large number of bytes to web applications that are not geared to deal with them can have unexpected consequences. In one of the author's penetration testing assignments, it was possible to disclose the path of the PHP functions being used by sending in a very large value in the input fields. As the sanitized snapshot below shows, when 6000 or more bytes were fed into a particular field, the back-end PHP script was unable to process them and the error that was displayed revealed the location of these PHP functions.
2.Price Manipulation
This is a vulnerability that is almost completely unique to online shopping carts and payment gateways. In the most common occurrence of this vulnerability, the total payable price of the purchased goods is stored in a hidden HTML field of a dynamically generated web page. An attacker can use a web application proxy such as Achilles [ref 5] to simply modify the amount that is payable, when this information flows from the user's browser to the web server. Shown below is a snapshot of just such a vulnerability that was discovered in one of the author's penetration testing assignments.
3.SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).[1] SQL injection must exploit a security vulnerability in an application's software,
A successful SQL injection attack can result in unauthorized access to sensitive data, such as passwords, credit card details, or personal user information. Many high-profile data breaches in recent years have been the result of SQL injection attacks, leading to reputational damage and regulatory fines. In some cases, an attacker can obtain a persistent backdoor into an organization's systems, leading to a long-term compromise that can go unnoticed for an extended period.
4.Cross-site scripting
The Cross-site Scripting (XSS) [ref 6] attack is primarily targeted against the end user and leverages two factors:
1.The lack of input and output validation being done by the web application
2.The trust placed by the end-user in a URL that carries the vulnerable web site's name.
5.Weak Authentication and Authorization
Authentication mechanisms that do not prohibit multiple failed logins can be attacked using tools such as Brutus [ref 8]. Similarly, if the web site uses HTTP Basic Authentication or does not pass session IDs over SSL (Secure Sockets Layer), an attacker can sniff the traffic to discover user's authentication and/or authorization credentials.
Since HTTP is a stateless protocol, web applications commonly maintain state using session IDs or transaction IDs stored in a cookie on the user's system. Thus this session ID becomes the only way that the web application can determine the online identity of the user. If the session ID is stolen (say through XSS), or it can be predicted, then an attacker can take over a genuine user's online identity vis-à-vis the vulnerable web site. Where the algorithm used to generate the session ID is weak, it is trivial to write a Perl script to enumerate through the possible session ID space and break the application's authentication and authorization schemes.
Titany answered the question on September 23, 2021 at 14:55
- Components of e-commerce software(Solved)
Components of e-commerce software
Date posted: September 23, 2021. Answers (1)
- Discuss five requirements of Ecommerce(Solved)
Discuss five requirements of Ecommerce
Date posted: September 23, 2021. Answers (1)
- Types of web hosting(Solved)
Types of web hosting
Date posted: September 23, 2021. Answers (1)
- Website & utility programs include(Solved)
Website & utility programs include
Date posted: September 23, 2021. Answers (1)
- Describe a Web Server (Solved)
Describe a Web Server
Date posted: September 23, 2021. Answers (1)
- Types of Web Portals(Solved)
Types of Web Portals
Date posted: September 23, 2021. Answers (1)
- Discuss the functions and features of portals(Solved)
Discuss the functions and features of portals
Date posted: September 23, 2021. Answers (1)
- Highlight the benefits of Online/Virtual Community(Solved)
Highlight the benefits of Online/Virtual Community
Date posted: September 23, 2021. Answers (1)
- Describe a web auction(Solved)
Describe a web auction
Date posted: September 23, 2021. Answers (1)
- Discuss five types of internet revenue model(Solved)
Discuss five types of internet revenue model
Date posted: September 23, 2021. Answers (1)
- Describe the G2B business model(Solved)
Describe the G2B business model
Date posted: September 23, 2021. Answers (1)
- Describe the G2C business model(Solved)
Describe the G2C business model
Date posted: September 23, 2021. Answers (1)
- Describe the C2C business model(Solved)
Describe the C2C business model
Date posted: September 23, 2021. Answers (1)
- Describe the B2G business model(Solved)
Describe the B2G business model
Date posted: September 23, 2021. Answers (1)
- Describe the C2B business model(Solved)
Describe the C2B business model
Date posted: September 23, 2021. Answers (1)
- Describe the B2C business model(Solved)
Describe the B2C business model
Date posted: September 23, 2021. Answers (1)
- Describe the B2B business model(Solved)
Describe the B2B business model
Date posted: September 23, 2021. Answers (1)
- State five types of E-commerce models(Solved)
State five types of E-commerce models
Date posted: September 23, 2021. Answers (1)
- Benefits of E-Commerce to Society(Solved)
Benefits of E-Commerce to Society
Date posted: September 23, 2021. Answers (1)
- Benefits of E-Commerce to Consumers(Solved)
Benefits of E-Commerce to Consumers
Date posted: September 23, 2021. Answers (1)