Regularly carrying out penetration tests on e-commerce websites helps maintain a good level of security. This is necessary both for the proper functioning of the site and for the company’s brand image with its customers. But the security challenges are so numerous that it is often necessary to set priorities.
Security issues for e-commerce websites: defining the priorities of a pentest
Here is a summary of the main security issues for e-commerce websites. The priorities on which the pentest will focus must be defined according to the specific functional and technical context of each e-commerce platform. This is the first step towards defining the scope of the pentest.
Security of the payment component
This is a crucial point and must rely on a recognised, PCI DSS validated payment solution. The integration of that solution with the e-commerce platform must be tested to avoid errors that could lead to security breaches, in particular around the collection of card data, which must follow what the payment provider has specified and documented for the use of its solution (hosted forms, encryption, etc.).
Security of the customer journey
The entire customer journey, from order validation through to confirmation of delivery details, should be tested regularly to protect against various fraud attempts. This involves looking for technical flaws (the OWASP Top 10 categories) but also logical flaws: possibilities to bypass the functional logic intended for users of the website, such as tampering with prices or quantities in the basket, or applying a discount code more than once.
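The kind of logical flaw meant here is best shown with a checkout calculation. The following is an added example, not code from the original article or from any particular e-commerce platform: a constructed catalogue and coupon table stand in for the shop’s database, and the request structure (`items`, `sku`, `unit_price`, `quantity`, `coupons`) is an assumption. The vulnerable version trusts the unit price and quantity sent by the browser and applies every coupon it is given; the hardened version looks the price up server side, validates quantities and accepts a coupon once.

```python
from decimal import Decimal

# Constructed data standing in for the catalogue and coupon tables (not real products).
CATALOGUE = {
    "SKU-1001": Decimal("49.90"),
    "SKU-2002": Decimal("199.00"),
}
COUPONS = {"WELCOME10": Decimal("0.10")}  # 10 % off, meant to be applied once per order

# Constructed requests: a tampered one (client-set price, negative quantity,
# duplicated coupon) and an honest one.
TAMPERED = {
    "items": [
        {"sku": "SKU-2002", "unit_price": "0.01", "quantity": 1},
        {"sku": "SKU-1001", "unit_price": "49.90", "quantity": -3},
    ],
    "coupons": ["WELCOME10", "WELCOME10"],
}
HONEST = {"items": [{"sku": "SKU-2002", "quantity": 1}], "coupons": ["WELCOME10"]}


class OrderError(ValueError):
    """Raised when an order request fails server-side validation."""


def checkout_vulnerable(request):
    """Vulnerable: line prices, quantities and the coupon list are taken from the client as-is."""
    total = Decimal("0")
    for line in request["items"]:
        total += Decimal(str(line["unit_price"])) * line["quantity"]
    for code in request.get("coupons", []):
        total -= total * COUPONS.get(code, Decimal("0"))
    return total


def checkout_secure(request):
    """Hardened: price comes from the catalogue, quantity is bounded, one coupon per order."""
    total = Decimal("0")
    for line in request["items"]:
        qty = line["quantity"]
        # Reject non-integer, zero, negative or absurd quantities.
        if not isinstance(qty, int) or qty < 1 or qty > 99:
            raise OrderError(f"invalid quantity {qty!r}")
        # Any unit_price field sent by the client is ignored.
        if line["sku"] not in CATALOGUE:
            raise OrderError(f"unknown sku {line['sku']!r}")
        total += CATALOGUE[line["sku"]] * qty
    coupons = request.get("coupons", [])
    if len(coupons) > 1:
        raise OrderError("only one coupon per order")
    for code in coupons:
        if code not in COUPONS:
            raise OrderError(f"unknown coupon {code!r}")
        total -= total * COUPONS[code]
    return total.quantize(Decimal("0.01"))


def is_rejected(request):
    """True if the hardened checkout refuses the request."""
    try:
        checkout_secure(request)
    except OrderError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable total for tampered request:", checkout_vulnerable(TAMPERED))
    print("hardened rejects tampered request:", is_rejected(TAMPERED))
    print("hardened total for honest request:", checkout_secure(HONEST))
```

With the tampered request the vulnerable path produces a negative total (the shop would owe the customer money), while the hardened path refuses it and charges the honest request the catalogue price minus a single discount. During a pentest, the same three manipulations (client-side price, negative or fractional quantity, repeated coupon) are sent against each step of the real checkout.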
Security of personal data
With the GDPR, this aspect has become crucial to test. Even without bank data, a leak of personal data (surname, first name, e-mail address) can expose users and drive them away from an e-commerce website once the information becomes public.
In the particular context of e-commerce, the confidentiality of order data (who buys what?) can also be very sensitive for the protection of privacy. Injection flaws are the most common example of a way into the database, but other types of vulnerabilities should be taken into account, such as broken access control (order identifiers that any logged-in customer can enumerate), misconfiguration of the infrastructure, or the use of vulnerable components.
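Both ways of reading someone else’s order data can be demonstrated on a single “order details” lookup. This is an added example, not code from the original article or from any e-commerce product: it uses an in-memory SQLite table with constructed rows, and the function names and the `orders` schema are assumptions. The vulnerable lookup builds its SQL by string formatting and never checks who owns the order; the hardened one uses a bound parameter and scopes the query to the authenticated customer.

```python
import sqlite3


def build_db():
    """Constructed orders table: three orders belonging to two customers."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer_id INTEGER, sku TEXT)")
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(1, 100, "SKU-1001"), (2, 200, "SKU-2002"), (3, 200, "SKU-3003")],
    )
    return conn


def get_order_vulnerable(conn, order_id):
    """Vulnerable: order_id comes straight from the URL (e.g. /orders/<order_id>),
    is concatenated into the SQL, and the owner of the order is never checked."""
    sql = f"SELECT id, customer_id, sku FROM orders WHERE id = {order_id}"
    return conn.execute(sql).fetchall()


def get_order_secure(conn, order_id, current_customer_id):
    """Hardened: the identifier is parsed as an integer, passed as a bound parameter,
    and the query is scoped to the customer who is actually logged in."""
    try:
        oid = int(order_id)
    except (TypeError, ValueError):
        return []
    sql = "SELECT id, customer_id, sku FROM orders WHERE id = ? AND customer_id = ?"
    return conn.execute(sql, (oid, current_customer_id)).fetchall()


if __name__ == "__main__":
    db = build_db()
    # Injection: the WHERE clause becomes "id = 1 OR 1=1" and every order is returned.
    print("injection, vulnerable:", get_order_vulnerable(db, "1 OR 1=1"))
    # Broken access control: customer 100 simply asks for order 2, which belongs to customer 200.
    print("enumeration, vulnerable:", get_order_vulnerable(db, "2"))
    print("injection, hardened:", get_order_secure(db, "1 OR 1=1", 100))
    print("enumeration, hardened:", get_order_secure(db, "2", 100))
    print("legitimate, hardened:", get_order_secure(db, "2", 200))
```

The parameterised query alone would stop the injection but not the enumeration; the ownership condition alone would stop the enumeration but not the injection. A pentest of the “my orders” area checks both, typically with a second test account.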
Ensuring the integrity of the catalogue
This is another sensitive point that can lead to significant losses in the event of an attack aiming to corrupt or delete data. The vulnerabilities potentially used by attackers are of various kinds: injections, misconfiguration of servers, weak authentication on a back-office, etc.
Ensuring service continuity
The more turnover the website generates, the greater the loss of business in the event of an interruption, all the more so if the interruption occurs during a key period (Christmas, Black Friday, etc.). DoS attempts should be tested for possible weaknesses on the server side as well as on the application side (e.g. expensive requests such as unbounded searches or exports).
Countering traffic diversion
Attacks aimed at diverting users to a malicious clone of the site are as damaging to an e-commerce website as to its customers. It is important to test for vulnerabilities in the website itself that can be used to redirect or lure visitors (e.g. XSS or open redirect vulnerabilities), as well as to make visitors aware of the risks of social engineering (e.g. the importance of checking domain names, including the correct spelling).
Related security issues
The interfaces between the e-commerce website and logistics (order export, stock synchronisation, carrier integration) must also be tested. More generally, a poorly secured e-commerce platform can be a gateway to other parts of a company’s internal IT.
Other entry points
Beyond the main e-commerce website (www), other applications can represent entry points for an attacker: a management back-office, partner access, an API, a publicly reachable staging platform, etc. The more secure the main website is, the more likely attackers are to look for other applications whose security may have been neglected.
Other security aspects to consider before conducting an e-commerce website pentest
Framework or CMS based e-commerce websites
In the case of a website built with a solution such as Magento or Prestashop, it is especially important to check the configuration of the solution, the choice of plugins and their update status, the patch level of the core, and any custom developments.
Portfolios with large amounts of e-commerce websites
To reduce risk across a large number of e-commerce websites without breaking the budget, several approaches can be combined:
- Scan the entire scope with first-level (automated) tests
- Carry out exhaustive penetration tests on a sample
In the case of a portfolio with many e-commerce sites, we strongly recommend testing a technically representative sample (one or more sites) in order to cover the risks at least on a reduced scope. This can be combined with first level tests on the whole scope.
What is the price for an e-commerce website pentest?
The cost of an e-commerce website pentest depends on the functional complexity of the platform in question. For a “classic” site made with Magento or Prestashop, a budget of around €4K allows for an in-depth analysis.
It is possible to carry out a quicker analysis to keep to a smaller budget. However, if the main e-commerce site is linked to other elements, such as a partner space, a back-office, etc., then the price will be higher to secure the whole ecosystem.
It is also possible to plan an annual budget of between €10K and €15K to carry out regular penetration tests on a critical e-commerce site and/or on different parts of its ecosystem.