
30 Days of E-Commerce Testing - Day Twenty-Five!

Day 25
What security concerns do you associate with ecommerce and how would you test them?

Well, this is really similar to day 22.


So I might use it as an opportunity to think about OWASP.

What would I test on the top ten?

At a first glance, I would look at
Injection
Are the fields I'm entering data into safe from injection?
I'd test every field that accepts input with special characters. A <script> tag is a nice easy probe for cross-site scripting (which the newer Top Ten lists fold into Injection), and a lone single quote is the classic probe for SQL injection. If the tag comes back in the page unescaped, or the quote produces a database error, there's a problem. On a shop, the search box, review forms and address fields are good places to start.
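To show what "comes back unescaped" and "produces a database error" look like in practice, here is an added example (mine, not part of the original post) that judges a field's response to the two probes above. The response bodies are constructed stand-ins for a shop's search page, not output from any real site, and the error fragments are the strings the named database engines print when a stray quote breaks a query.

```python
import html
import re

# Constructed sample responses standing in for a shop's search results page.
# None of these come from a real site.
XSS_PROBE = "<script>alert(1)</script>"
SQL_PROBE = "'"   # a lone single quote is the classic first SQL injection probe

VULNERABLE_SEARCH = "<p>Results for <script>alert(1)</script></p>"
SAFE_SEARCH = "<p>Results for &lt;script&gt;alert(1)&lt;/script&gt;</p>"
NO_RESULTS = "<p>No results found</p>"
SQL_ERROR_PAGE = (
    "Warning: mysql_query(): You have an error in your SQL syntax; "
    "check the manual that corresponds to your MySQL server version "
    "for the right syntax to use near ''' at line 1"
)

# Error fragments that common database engines print when a stray quote breaks a query.
SQL_ERROR_PATTERNS = [
    r"You have an error in your SQL syntax",   # MySQL / MariaDB
    r"unterminated quoted string",             # PostgreSQL
    r"ORA-\d{5}",                              # Oracle
    r"Unclosed quotation mark",                # Microsoft SQL Server
    r"unrecognized token",                     # SQLite
]


def classify_reflection(payload: str, body: str) -> str:
    """Say how a submitted payload came back in the response body.

    'reflected-raw'     the markup landed in the page unescaped: a cross-site scripting finding
    'reflected-escaped' it was echoed as text (&lt;script&gt;), so the output encoder did its job
    'absent'            the input was not echoed at all
    """
    if payload in body:
        return "reflected-raw"
    if html.escape(payload, quote=True) in body or html.escape(payload, quote=False) in body:
        return "reflected-escaped"
    return "absent"


def looks_like_sql_error(body: str) -> bool:
    """True when the response carries a database error signature."""
    return any(re.search(p, body, re.IGNORECASE) for p in SQL_ERROR_PATTERNS)


def assess_field(xss_body: str, sql_body: str) -> dict:
    """Combine both probes for one input field into a pass/fail summary."""
    return {
        "xss": classify_reflection(XSS_PROBE, xss_body) == "reflected-raw",
        "sqli": looks_like_sql_error(sql_body),
    }


if __name__ == "__main__":
    print(assess_field(VULNERABLE_SEARCH, SQL_ERROR_PAGE))   # {'xss': True, 'sqli': True}
    print(assess_field(SAFE_SEARCH, NO_RESULTS))             # {'xss': False, 'sqli': False}
```

Against a live site you would submit each probe with `requests` and pass the response text to `assess_field`; the point of the classifier is that an escaped echo (`&lt;script&gt;`) is the correct behaviour, not a finding, so the test must distinguish it from the raw tag.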

Broken authentication
What are our password requirements?
Are they sensible? Are there any silly requirements, e.g. a low maximum password length or forced composition rules, that push people toward weak passwords?
What is our password recovery process like? Do we rely on easily discoverable knowledge (mother's maiden name), and is the reset link single-use and short-lived?
I'd also try a wrong password many times in a row to see whether there's any rate limiting or lockout.

Encryption of sensitive data
What data are we storing that could be sensitive? Passwords and payment details spring to mind.
Is it all protected appropriately? Passwords shouldn't be encrypted at all; they should be stored as salted, slow hashes (bcrypt, scrypt or Argon2) so a leaked table can't be reversed. Full card numbers ideally aren't stored at all, but handed to a payment provider and tokenised. I'd also check that every page that takes or shows this data is served over HTTPS, and that none of it leaks into URLs, logs or error messages.
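To make "appropriately" concrete, here is an added Python example (mine, not from the original post) of the kind of password storage a tester should hope to find, plus a small review helper for the case where you can see the users table for an account you own. The scrypt cost parameters are an assumption to tune for your hardware, and the sample rows are constructed, not from any real system.

```python
import hashlib
import hmac
import os
import re

# scrypt cost parameters (assumption: 2**14 / 8 / 1 uses about 16 MiB per hash; tune for your hardware)
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str) -> str:
    """Store a fresh random salt next to a slow scrypt hash; never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters, then compare in constant time."""
    try:
        algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                               n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def review_stored_credential(stored: str, known_password: str) -> str:
    """What a tester does with a row from the users table for an account they own.

    'plaintext' and the unsalted fast hashes are failures: a leaked table hands the
    attacker the password outright or after a quick lookup in a precomputed table.
    """
    pw = known_password.encode("utf-8")
    if stored == known_password:
        return "plaintext"
    if re.fullmatch(r"[0-9a-fA-F]{32}", stored) and stored.lower() == hashlib.md5(pw).hexdigest():
        return "unsalted MD5"
    if re.fullmatch(r"[0-9a-fA-F]{40}", stored) and stored.lower() == hashlib.sha1(pw).hexdigest():
        return "unsalted SHA-1"
    if stored.startswith("scrypt$") and verify_password(known_password, stored):
        return "salted scrypt"
    return "unrecognised"


# Constructed sample rows: three ways a shop might have stored the same test password.
TEST_PASSWORD = "hunter2"
SAMPLE_ROWS = {
    "legacy_plain": TEST_PASSWORD,
    "legacy_md5": hashlib.md5(TEST_PASSWORD.encode("utf-8")).hexdigest(),
    "current": hash_password(TEST_PASSWORD),
}


def review_all() -> dict:
    return {name: review_stored_credential(row, TEST_PASSWORD) for name, row in SAMPLE_ROWS.items()}


if __name__ == "__main__":
    for name, finding in review_all().items():
        print(f"{name}: {finding}")
```

Two hashes of the same password come out different because each gets its own salt, which is exactly what you want to see; if two users with the same password have the same stored value, the hash is unsalted.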

Access control
Can I directly access pages that belong to another user, like their profile, order history or shopping cart? The quick test is to change the id in the URL or request parameter to someone else's and see whether I get their data back instead of a 403 or 404.
What about different user permissions? Can I access a page I shouldn't, like a buyer reaching something only accessible to sellers? I'd request the seller URLs while logged in as a buyer, rather than just checking that the menu link is hidden.
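Here is an added example (mine, not from the original post) of those two access-control checks written as repeatable tests. The shop is an in-memory stand-in with two `fetch` functions playing the server, one that only looks resources up by id and one that checks ownership and role; the carts, sessions and paths are constructed for illustration. Against a live site, `fetch` would wrap a `requests.Session` carrying each user's cookie.

```python
from dataclasses import dataclass
from typing import Callable


@dataclass
class Response:
    status: int
    body: str


# fetch(session_token, path) -> Response. Against a live shop this would wrap
# requests.Session with the session cookie set; here two in-memory stand-ins play the server.
Fetcher = Callable[[str, str], Response]

# Constructed data: who owns which cart and which session belongs to which user/role.
CARTS = {"1001": ("alice", "1 x kettle"), "1002": ("bob", "2 x mugs")}
SESSIONS = {"tok-alice": ("alice", "buyer"), "tok-bob": ("bob", "buyer"), "tok-carol": ("carol", "seller")}


def vulnerable_fetch(token: str, path: str) -> Response:
    """Looks resources up by id alone: any logged-in user can read any cart or seller page."""
    _ = SESSIONS[token]                  # only checks that the session exists
    if path.startswith("/cart/"):
        _owner, items = CARTS[path.rsplit("/", 1)[1]]
        return Response(200, items)
    if path == "/seller/orders":
        return Response(200, "every order in the shop")
    return Response(404, "")


def fixed_fetch(token: str, path: str) -> Response:
    """Same routes, but ownership and role are checked server-side on every request."""
    user, role = SESSIONS[token]
    if path.startswith("/cart/"):
        owner, items = CARTS[path.rsplit("/", 1)[1]]
        # Returning 404 instead of 403 would also stop the attacker learning which ids exist.
        return Response(200, items) if owner == user else Response(403, "forbidden")
    if path == "/seller/orders":
        return Response(200, "every order in the shop") if role == "seller" else Response(403, "forbidden")
    return Response(404, "")


def check_access(fetch: Fetcher, token: str, path: str, should_be_allowed: bool) -> dict:
    """One test case: does this session get this path, and is that what we expected?"""
    resp = fetch(token, path)
    allowed = resp.status == 200
    return {"path": path, "status": resp.status, "ok": allowed == should_be_allowed}


def run_access_control_tests(fetch: Fetcher) -> dict:
    """The cases from the post: own resource, another user's resource, another role's page."""
    return {
        "alice_reads_own_cart": check_access(fetch, "tok-alice", "/cart/1001", True),
        "bob_reads_alice_cart": check_access(fetch, "tok-bob", "/cart/1001", False),          # horizontal
        "buyer_reads_seller_orders": check_access(fetch, "tok-bob", "/seller/orders", False),  # vertical
    }


def all_passed(fetch: Fetcher) -> bool:
    return all(case["ok"] for case in run_access_control_tests(fetch).values())


if __name__ == "__main__":
    print("vulnerable shop passes:", all_passed(vulnerable_fetch))   # False
    print("fixed shop passes:", all_passed(fixed_fetch))             # True
```

The positive case (Alice reading her own cart) matters as much as the negative ones: a fix that returns 403 for everything would pass the two negative checks and break the shop.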

There’s probably more in the top ten to dig in to, but this is where I would start!
- JE