Ecommerce and Financial Web Application Vulnerabilities

2015-06-20 13:05

NCC Group has published some guidance for finance/e-commerce application penetration testers.

Partial view of a table from 'Common Security Issues in Financially-Oriented Web Applications'

Common Security Issues in Financially-Oriented Web Applications is arranged in the following sections:

  • Time-of-Check-Time-of-Use (TOCTOU) and race condition issues
  • Parameter manipulation
  • Replay attacks (capture-replay)
  • Rounding issues
  • Numerical processing
  • Card number-related issues
  • Dynamic prices, prices with tolerance, or referral schemes
  • Discount codes, vouchers, offers, reward points, and gift cards
  • Cryptography
  • Downloadables and virtual goods
  • Hidden and insecure backend APIs
  • Using test data in production environment
  • Currency arbitrage in deposit/buy and withdrawal/refund.

Soroush Dalili has provided a very useful and extensive guide here, which should be used by developers as well as testers.
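As an added illustration of two of the topics listed above (rounding issues, and currency arbitrage in deposit/buy and withdrawal/refund), here is a small Python check that is not part of the NCC Group paper or of this post. The exchange rate and the amounts are constructed sample values; the function names are my own. It shows why a convert-and-convert-back round trip must be tested cent by cent, and how the rounding direction decides whether the drift lands on the customer's side or the institution's side.

```python
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_EVEN

# Constructed sample rate: 1 USD buys 0.92 EUR (not a real quote).
RATE_EUR_PER_USD = Decimal("0.92")
CENT = Decimal("0.01")


def naive_round_trip_gain(amount_usd: float, rate: float) -> float:
    """Float arithmetic plus round(): the pattern that produces drift.

    Binary floats cannot represent most cent values exactly, and round()
    uses round-half-even, so a deposit converted to EUR and refunded back
    to USD can come back larger than it went in."""
    eur = round(amount_usd * rate, 2)
    usd = round(eur / rate, 2)
    return usd - amount_usd


def round_trip_gain(amount_usd: Decimal, rounding: str = ROUND_DOWN) -> Decimal:
    """Exact decimal arithmetic; the rounding mode is the security control.

    With ROUND_DOWN every conversion truncates towards zero, so the value
    leaving the institution can never exceed the value that came in.
    With ROUND_HALF_EVEN (the 'fair' accounting default) some amounts
    round up on both legs and the customer nets a free cent."""
    eur = (amount_usd * RATE_EUR_PER_USD).quantize(CENT, rounding=rounding)
    usd = (eur / RATE_EUR_PER_USD).quantize(CENT, rounding=rounding)
    return usd - amount_usd


def arbitrage_amounts(rounding: str, max_cents: int = 100) -> list:
    """Defensive check: enumerate every cent amount up to max_cents and
    return those where a deposit/refund round trip yields a positive gain.
    An empty list means the configured rounding mode closes the loop."""
    found = []
    for cents in range(1, max_cents + 1):
        amount = Decimal(cents) / 100
        if round_trip_gain(amount, rounding) > 0:
            found.append(amount)
    return found


if __name__ == "__main__":
    # Six cents becomes seven cents under half-even rounding on both legs.
    print("float gain on 0.06 USD:", naive_round_trip_gain(0.06, 0.92))
    print("half-even amounts that gain:", arbitrage_amounts(ROUND_HALF_EVEN))
    print("round-down amounts that gain:", arbitrage_amounts(ROUND_DOWN))
```

The useful property of the round-down variant is provable rather than empirical: truncating a non-negative value on each leg gives eur <= amount * rate and usd <= eur / rate, so usd <= amount for every input, which is why the enumeration returns nothing for ROUND_DOWN. Run the same enumeration against any rate the application actually uses, and against each fee or tolerance step in the flow, before relying on it.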

On this topic, I would also recommend watching the presentation by Wojtek Dworakowski at AppSec EU 2015 in May about E-Banking Transaction Authorization - Common Vulnerabilities, Security Verification And Best Practices For Implementation (also available as a download).

All the other presentation recordings from AppSec EU 2015 can be found on YouTube and are also available for download.

Source: www.clerkendweller.uk/2015/6/19/Ecommerce-and-Financial-Web-Application-Vulnerabilities
