Common Web Commerce Attacks
In the rest of this chapter, we describe common attacks on your Web commerce applications that you must prepare to defend against. Each section contains a description of an attack as well as recommendations to control and counter it where applicable.
Broken Authentication and Session Management Attack
Although a common attack, mounting a successful attack of this kind is difficult. Flaws in authentication and session management most frequently involve the failure to protect security-sensitive credentials (passwords or other key material) and session tokens through their life cycle. This allows attackers to compromise credentials or exploit other implementation flaws to assume other users' identities. All Web application frameworks are vulnerable to authentication and session management attacks. Vulnerabilities are usually exploited within the main authentication mechanism, password management, and session timeout logics.
Passwords are the most common form of credential used for authenticating users on the Web. Therefore, flaws in password management are of particular importance for this attack category. One typical attack against password-protected systems involves devising an automated system to guess users' passwords by way of brute forcing. There are three types of password-guessing brute force attacks8:
- Vertical: An attacker starts with a single known username and tries a large set of passwords (typically by leveraging automated scripts) and tests ...
Get Web Commerce Security Design and Development now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.