Prof Mannan Assignment v1 0

The document critiques security vulnerabilities in e-commerce platforms, highlighting issues such as store takeovers and unauthorized access that could lead to financial crises. A framework was developed to evaluate these vulnerabilities across various platforms, revealing significant weaknesses and prompting the request for Common Vulnerabilities and Exposures (CVEs). Recommendations for improvements include utilizing machine learning for fraud detection, enhancing API security, and implementing a multi-layer security architecture to better protect customer information.

Uploaded by

majumderesearch

Critique on: All Your Shops Are Belong to Us: Security Weaknesses in E-commerce Platforms

Written by: Fabiha Jalal

Introduction
Checkout flow and payment integration are two operational processes in an E-commerce platform that, if not free of logic bugs, can result in a financial crisis. For instance, "store takeover" means that an adversary has the capability to take full control of a store, and "shopping for free" describes the ability to acquire goods without spending any money. This paper presents a framework to evaluate the security vulnerabilities associated with different operations, including the web services, of 24 commercial SaaS platforms, 15 Android mobile applications, and 8 sites; these platforms own an estimated total of over 10 million stores according to Google Dorks. The framework uncovers several new vulnerabilities, including store takeover on 12 platforms and unauthorized addition of products to a store's product list, which together with the issues above increase the risk of account hijacking and exposure of customer information. The study's findings are significant, leading to the request for four Common Vulnerabilities and Exposures (CVEs) based on these critical discoveries. The framework helps develop improved security standards, given that high-risk weaknesses have been identified in many popular E-commerce platforms.

Strength
• The paper develops a robust experimental framework for security vulnerability evaluation in E-commerce platforms, addressing both customer-facing storefronts and merchant-facing store dashboards through a structured approach. The framework assesses traditional web vulnerabilities and also evaluates GraphQL API security, given that leading modern platforms are adopting it.
• Besides checkout, the paper examines whether any other operation allows shopping for free, identifies which common patterns these vulnerabilities follow, and checks whether they affect any other operations.
• The work on unauthorized access in GraphQL APIs began with a study of known vulnerabilities in popular e-commerce platforms, the OWASP API Top 10, and GraphQL-specific vulnerabilities. Based on this analysis, 13 vulnerability patterns and 6 security issues were identified and defined for further investigation.
• The experimental framework revealed 37 serious vulnerabilities across the tested E-commerce platforms. Notably, all stores on 12 of these platforms were found to be vulnerable to attacks exploiting these issues. On certain platforms, attackers need only the URL of a public store to initiate an attack.
• The analysis identified that 12 platforms exhibit critical security weaknesses in store administration
functions, primarily due to access control flaws, improper input validation, and Cross-Site Request
Forgery vulnerabilities. These issues allow attackers to bypass intended security measures, gaining
unauthorized access to sensitive areas of the platform.
• The evaluation revealed that 6 platforms lack adequate protection for essential E-commerce operations. This security gap allows attackers to exploit the system, potentially enabling unauthorized purchases or "free shopping" by bypassing payment requirements.
• In the analysis, it was found that an attacker could exploit improper access control in nopCommerce to modify any customer's address within a store. In response, the vendor released a new version of nopCommerce that resolved this issue. A CVE (Common Vulnerabilities and Exposures) was requested to document this vulnerability formally, recognizing it as a security concern.
• A vulnerability was identified in WooGraphql, where a specific GraphQL query allowed an attacker
to collect all available coupon codes from a store without authorization. By exploiting this flaw,
attackers could use the collected coupons to shop for free or at reduced prices. This security issue
was formally acknowledged, and a CVE ID was assigned to document the vulnerability.
• AbanteCart was found to be vulnerable to reflected cross-site scripting (XSS) and SQL injection (SQLi). An attacker could exploit the XSS vulnerability by crafting a malicious URL that, if clicked by a victim, would allow the attacker to take over the victim's session. Additionally, the SQLi vulnerability enabled the attacker to access and potentially dump the backend database, exposing the sensitive information stored within.
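To make the two access-control findings above concrete (the nopCommerce address modification and the WooGraphQL coupon enumeration), here is an added illustration, not code from the paper or from either platform: plain Python handlers standing in for API resolvers, each missing check shown beside its fixed form. The Context type, capability names and store data are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional, Set

@dataclass
class Context:
    """Caller identity as the platform would derive it from the session."""
    user_id: Optional[str]                     # None = anonymous storefront visitor
    capabilities: Set[str] = field(default_factory=set)

# Constructed in-memory store state (hypothetical values).
ADDRESSES = {"cust-1": "1 Old St", "cust-2": "2 Other Rd"}
COUPONS = {"SAVE50": 50, "FREESHIP": 100}

class Forbidden(Exception):
    pass

def update_address_vulnerable(ctx, customer_id, new_address):
    # Defect pattern: the handler trusts the caller-supplied customer_id (no
    # object-level authorization), so any logged-in user can edit any address.
    if ctx.user_id is None:
        raise Forbidden("login required")
    ADDRESSES[customer_id] = new_address
    return ADDRESSES[customer_id]

def update_address_fixed(ctx, customer_id, new_address):
    # Fix: bind the target object to the caller; staff need an explicit capability.
    if ctx.user_id is None:
        raise Forbidden("login required")
    if customer_id != ctx.user_id and "manage_customers" not in ctx.capabilities:
        raise Forbidden("cannot modify another customer's address")
    ADDRESSES[customer_id] = new_address
    return ADDRESSES[customer_id]

def list_coupons_vulnerable(ctx):
    # Defect pattern: a query exposes every coupon code with no capability check.
    return sorted(COUPONS)

def list_coupons_fixed(ctx):
    # Fix: coupon codes are merchant data; a shopper redeems a code they hold,
    # only a caller with the capability may enumerate the whole list.
    if "manage_coupons" not in ctx.capabilities:
        raise Forbidden("coupon listing requires manage_coupons")
    return sorted(COUPONS)

def denied(handler, *args):
    """True if the handler rejects the call with Forbidden."""
    try:
        handler(*args)
        return False
    except Forbidden:
        return True
```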

Weakness
• This paper focuses solely on ethical hacking, without covering any non-ethical hacking policies.
• Testing has been conducted on whitelisted sites on the SaaS platform. Sites created through layered
whitelisting (e.g., illegal or blocklisted sites) are not discussed.
• Vulnerabilities related to card fraud during payment are not checked.
• A manual approach is used to detect injection attacks and mass assignment vulnerabilities for
ethical reasons.
• Predefined keywords are set up to detect specific API requests that generate errors after multiple
calls. New keywords cannot be added on the fly.
• Flaws in the payment system and checkout process are not examined. Other vulnerabilities outlined
in the OWASP testing guide are not analyzed.
• Free or trial versions are used for evaluation; paid-only or merchant-verified platforms, where further vulnerabilities might be discovered, are not used.

Probable Improvements
• Besides testing through APIs, e-commerce fraud can be detected in customer datasets using machine learning. Transactional and customer data are analyzed, and algorithms such as logistic regression, random forest, gradient boosting, and support vector classifiers are used to detect fraud and enhance transaction security.
• The framework should include vulnerability detection measures for any third-party in-app payment
systems within the payment methods.
• Static analysis should be used to enable automated detection of injection attacks, ensuring minimal
ethical concerns.
• By leveraging OpenAPI specifications and clustering, the framework identifies read-only fields that
may be susceptible to mass assignment attacks.
• Instead of relying on predefined keywords, the framework dynamically identifies anomalies in API
requests using unsupervised learning to detect unusual patterns in request behavior, which can
indicate new types of errors or failures. Text mining and contextual analysis are employed to detect
errors in API responses by dynamically extracting keywords and error patterns. This approach
uses semantic analysis to identify errors, even if they do not match existing keywords, allowing for
the dynamic update of the error keyword list.
• Analyzing the structure and content of API calls helps to identify new error-prone requests by
learning patterns from historical data, eliminating the need for a manually updated keyword list.
• Where API payloads and parameters are encrypted, the framework should still be able to conduct vulnerability testing.
• To detect unethical activities, a credit card fraud detection system should be implemented, focusing primarily on machine learning techniques. Unsupervised learning algorithms will be employed.
• A credit score fraud detection device should be installed to identify fraudulent activities. This
system primarily uses machine learning algorithms such as the online random forest and AdaBoost.
The results of these algorithms are evaluated based on accuracy, precision, recall, and F1 score.
The ROC curve is created based on the confusion matrix (CM), comparing the online random
forest and AdaBoost to determine the algorithm with the highest accuracy, precision, recall, and
F1 score for fraud detection.
• An automated approach can be used to test GraphQL APIs. A comprehensive analysis is performed
by first outlining the concept and structure of GraphQL, followed by organized mapping.
• Fraudulent transactions can be detected using a stacked autoencoder kernel ELM optimized by
the dandelion algorithm. Alternatively, a fuzzy authentication system for online transaction fraud
detection using geolocation can be used.
• A unique multi-layer security architecture can be developed to protect customer information in a cloud-based environment. This approach includes analyzing current security protocols, performing a vulnerability assessment, and creating a more robust multi-layered security structure. The concept incorporates advanced encryption methods, strict access rules, and continuous threat detection tools. Extensive simulations are run to test the framework's effectiveness, focusing on data integrity, access control, and confidentiality. The results show a significant improvement over traditional, single-layer security methods, providing enhanced protection against unauthorized access and data breaches while ensuring regulatory compliance.
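The weakness noted earlier (a fixed keyword list for spotting error responses, with no way to add keywords on the fly) and the improvement proposed above (extracting error keywords dynamically from responses) can be shown together. The following is an added example, not the paper's framework: a classifier that starts from a seed keyword list and promotes new terms that recur in responses whose HTTP status already marks them as failures but never appear in successful ones. The seed list, stopwords, threshold and sample responses are all assumptions constructed for the demonstration.

```python
import re
from collections import Counter

# Assumed seed list and stopwords; the page does not give the framework's own.
SEED_KEYWORDS = {"error", "errors", "exception", "unauthorized", "forbidden"}
STOPWORDS = {"the", "and", "for", "with", "this", "that", "null", "true", "false"}
TOKEN = re.compile(r"[a-z][a-z_]{2,}")     # lowercase words of 3+ characters

class ErrorKeywordLearner:
    """Classifies API response bodies as errors by keyword, and grows the
    keyword list from responses whose HTTP status already marks them failed."""

    def __init__(self, seed, min_count=2):
        self.seed = set(seed)
        self.min_count = min_count           # failures a term must recur in
        self.failure_counts = Counter()      # term -> failed responses containing it
        self.success_counts = Counter()      # term -> successful responses containing it

    @staticmethod
    def tokens(body):
        return set(TOKEN.findall(body.lower())) - STOPWORDS

    def observe(self, status, body):
        """Feed one (status, body) pair; the status is the learning signal."""
        counts = self.failure_counts if status >= 400 else self.success_counts
        counts.update(self.tokens(body))

    def learned(self):
        """Terms seen in >= min_count failures and in no success so far. The
        rule is re-evaluated on each call, so observation order does not matter."""
        return {t for t, n in self.failure_counts.items()
                if n >= self.min_count and self.success_counts[t] == 0}

    def is_error(self, body):
        """Keyword-only verdict for cases where the status is unreliable,
        e.g. a 200 whose body carries a GraphQL 'errors' array."""
        return bool(self.tokens(body) & (self.seed | self.learned()))

def demo():
    """Train on constructed sample responses and return the learner."""
    learner = ErrorKeywordLearner(SEED_KEYWORDS)
    samples = [   # constructed (status, body) pairs, not captured traffic
        (200, '{"data": {"cart": {"items": 2}}}'),
        (422, '{"message": "validation failed: quantity exceeds stock"}'),
        (200, '{"data": {"order": {"id": 17}}}'),
        (422, '{"message": "validation failed: coupon expired"}'),
        (200, '{"message": "order placed", "data": {"order": {"id": 18}}}'),
    ]
    for status, body in samples:
        learner.observe(status, body)
    return learner
```

After training, "validation" and "failed" are promoted while "message" is not, because it also occurs in a successful response; a later failure worded without any seed keyword is still flagged.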

Industrial Viewpoint of E-commerce Vulnerability Landscape from Nagad:
A large number of e-commerce payments are processed daily through the Nagad system. Previously, due to the lack of proper vulnerability checks, attackers could gain unauthorized access and cause data leaks, leading to significant data breaches. Without proper security measures, many fraudulent transactions occurred, resulting in financial losses. In most cases, attackers manipulated data by tampering with the callback URL during payment processing. This led to high levels of customer dissatisfaction.
Currently, Nagad's e-commerce payments are enabled only for whitelisted sites. The URL that originates from the API is secured with a one-time username and password, which is updated the next time the website is browsed. On the staging environment, Vulnerability Assessment and Penetration Testing (VAPT) is conducted using robotic process automation to identify and fix any potential weaknesses. The middleware between customers and the e-commerce gateway ensures transaction information is undetectable by secure systems, preventing unauthorized access.
For protection against man-in-the-middle attacks, HTTPS with SSL/TLS is used, request and response signatures are imposed, certificate pinning is implemented, end-to-end encryption is enabled, server SSL certificates are verified, and strong authentication is used.
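The request and response signatures mentioned above are what stop the callback tampering described at the start of this section. As an added illustration (not Nagad's protocol or code), the following shows an HMAC-SHA256 signature over a payment callback: a callback whose amount was altered after signing, a replayed callback, and an unsigned one all fail verification at the merchant. The secret, field names, timestamp window and sample callback are constructed for the demonstration.

```python
import hashlib
import hmac
import time

def canonical(params):
    """Deterministic bytes: sorted key=value pairs joined by '&'. Signer and
    verifier must agree on this ordering; a real scheme also URL-encodes values
    so that '&' or '=' inside a value cannot shift field boundaries."""
    return "&".join(f"{k}={params[k]}" for k in sorted(params)).encode()

def sign_callback(params, secret):
    """Gateway side: attach an HMAC-SHA256 tag over every callback field."""
    signed = dict(params)
    signed["sig"] = hmac.new(secret, canonical(params), hashlib.sha256).hexdigest()
    return signed

def verify_callback(received, secret, max_age=300, now=None):
    """Merchant side: recompute the tag and compare in constant time.
    Rejects a missing tag, any altered field, and a stale (replayed) callback.
    A real merchant would additionally refuse an order_id already processed."""
    received = dict(received)
    sig = received.pop("sig", None)
    if sig is None:
        return False
    expected = hmac.new(secret, canonical(received), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False
    now = time.time() if now is None else now
    try:
        return 0 <= now - int(received["ts"]) <= max_age
    except (KeyError, ValueError):
        return False

SECRET = b"constructed-demo-secret"   # per-merchant in practice, never hard-coded

def demo(now=1_700_000_000):
    """Constructed callback, then the same callback altered, replayed and unsigned."""
    cb = {"order_id": "ORD-42", "amount": "1500.00", "status": "Success", "ts": str(now)}
    signed = sign_callback(cb, SECRET)
    tampered = dict(signed, amount="1.00")      # amount altered after signing
    return {
        "genuine": verify_callback(signed, SECRET, now=now),
        "tampered": verify_callback(tampered, SECRET, now=now),
        "replayed": verify_callback(signed, SECRET, now=now + 3600),
        "unsigned": verify_callback(cb, SECRET, now=now),
    }
```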
