Lab 5: Gretchen Greene And Nathan Stewart PhD


As with any new technology, e-commerce carries risks that traditional “brick-and-mortar” stores do not face. A major concern for e-commerce applications is credit/debit card use. If card transactions are not secured, an organization can suffer major damage through financial fraud, loss of consumer confidence, identity theft of its customers, and legal or regulatory penalties. Online Goodies is an Internet-based company that provides custom promotional gifts to corporate customers; its products include mugs, computer accessories, t-shirts, and office décor.

The majority of its income comes from online credit card purchases. Repeat customers receive a discount based on their annual purchase amount. This report creates a test plan for Online Goodies based on OWASP standards. It includes an overview and rationale for each test performed: a brute force test, an authentication test, a privilege escalation test, a code injection test, and a web application fingerprinting test.


The rapid proliferation of e-commerce platforms has revolutionized retail, but it has also introduced a wide range of security vulnerabilities that threaten both consumers and organizations. Because e-commerce handles significant sensitive data, especially payment card information, security testing aligned with a recognized standard such as the OWASP (Open Web Application Security Project) Testing Guide is vital to safeguard digital transactions. This paper details a test plan for Online Goodies, an online retail business, covering brute force, authentication, privilege escalation, code injection, and web application fingerprinting tests, grounded in OWASP guidance.

Introduction

The essence of e-commerce security rests on protecting customer data, preventing financial fraud, preserving brand reputation, and ensuring compliance with legal and industry regulations such as PCI DSS. With a heavy dependence on credit card transactions, online platforms must implement rigorous testing protocols to identify and mitigate vulnerabilities proactively. The OWASP Testing Guide offers a robust framework for assessing web application security, which this plan adopts to evaluate the Online Goodies platform.

Overview of Selected Tests

The tests outlined—brute force, authentication, privilege escalation, code injection, and web application fingerprinting—target distinct layers and types of security threats:

  • Brute Force Testing: Assesses the resilience of login mechanisms against repeated credential guessing attacks.
  • Authentication Testing: Verifies the robustness of login procedures, session management, and password policies.
  • Privilege Escalation Testing: Checks whether standard user accounts can acquire elevated privileges, potentially leading to unauthorized access.
  • Code Injection Testing: Evaluates whether attacker-controlled input is interpreted as code or queries, including SQL injection and cross-site scripting.
  • Web Application Fingerprinting: Identifies the underlying software platform, framework versions, and server configuration so that known vulnerabilities in those components, and unnecessary version disclosure, can be found and remediated.
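The code injection test in the list above can be made concrete with a login lookup written two ways. The following is an added example, not code from the original report or from Online Goodies: it seeds an in-memory SQLite table with constructed customer rows, runs a handful of classic SQL injection payloads through a string-concatenated query and through the same query with bound parameters, and reports which payloads logged someone in without a valid credential. The table layout, the payload list, and the plaintext password column are assumptions made to keep the example short (a real store must hash passwords; the point here is the query construction).

```python
import sqlite3

# Constructed sample data for the example; not real Online Goodies records.
# (email, password, annual_spend). Plaintext passwords only to keep the example short.
SAMPLE_CUSTOMERS = [
    ("alice@example.com", "Winter2024!", 12000),
    ("bob@example.com", "hunter2", 300),
]


def build_db():
    """Create an in-memory customers table seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (email TEXT PRIMARY KEY, password TEXT, annual_spend INTEGER)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn


def login_vulnerable(conn, email, password):
    """Builds the query by string concatenation: user input becomes part of the SQL."""
    sql = ("SELECT email FROM customers WHERE email = '" + email
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, email, password):
    """Same lookup with bound parameters: the driver never parses input as SQL."""
    row = conn.execute(
        "SELECT email FROM customers WHERE email = ? AND password = ?",
        (email, password),
    ).fetchone()
    return row[0] if row else None


# Assumed payload list for the test; a real engagement would use a larger one.
INJECTION_PAYLOADS = [
    "' OR '1'='1",           # tautology appended to the WHERE clause
    "' OR 1=1 --",           # tautology plus a comment that removes the rest
    "alice@example.com' --", # closes the email literal and comments out the password check
]


def injection_findings(conn, login_fn, known_email="alice@example.com"):
    """Feed each payload through the email field and the password field of login_fn.

    Returns (field, payload) pairs that produced a login without a valid credential,
    or that raised a database error. An error is also a finding: it proves the
    input reached the SQL parser.
    """
    findings = []
    for payload in INJECTION_PAYLOADS:
        attempts = (
            ("email", (payload, "not-the-password")),
            ("password", (known_email, payload)),
        )
        for field, args in attempts:
            try:
                if login_fn(conn, *args) is not None:
                    findings.append((field, payload))
            except sqlite3.Error:
                findings.append((field, payload + " [db error]"))
    return findings


if __name__ == "__main__":
    for name, fn in (("vulnerable", login_vulnerable), ("parameterized", login_parameterized)):
        print(name, injection_findings(build_db(), fn))
```

Against the concatenated query, four of the six field/payload combinations log in as the first customer in the table; against the parameterized query none do, because the quote characters are stored and compared as data rather than parsed as SQL. The same harness shape (known-good credential, payloads in every input field, success and error both recorded) carries over to Burp Suite or ZAP request templates when the target is the real application rather than a local function.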

Rationale for Testing Strategy

Implementing a layered security testing approach aligns with OWASP recommendations, addressing both technical vulnerabilities and procedural gaps. Brute force and authentication tests are essential to ensure that login credentials are adequately protected against automated attacks and unauthorized access. Privilege escalation testing reveals whether a standard account can gain rights it should not have, whether by reading another customer's data or by performing administrative actions, a failure that could compromise the entire system. Code injection assessments reveal weaknesses that could allow attackers to execute malicious scripts or manipulate databases. Web fingerprinting shows what an attacker can learn about the server and application, allowing targeted remediation of known vulnerabilities in those components and removal of unnecessary version disclosure. This comprehensive strategy ensures that Online Goodies' systems are resilient against prevalent attack vectors, maintaining customer trust and regulatory compliance.
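The two forms of privilege escalation mentioned above, reading another customer's data and performing an action reserved for administrators, can both be exercised with a small harness. The following is an added example, not code from the original report or from Online Goodies: it models an order-history lookup and a discount-tier update, each in a vulnerable and a fixed version, and plays the role of an ordinary customer against them. The order records, the tier names, the `Session` shape and the function names are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """What the server knows about the caller after authentication (assumed shape)."""
    user_id: int
    role: str  # "customer" or "admin"


class NotAuthorized(Exception):
    """Raised for a missing order and for someone else's order alike, so the
    response does not reveal which order IDs exist."""


def sample_data():
    """Constructed sample data for the example; fresh copies so runs do not interfere."""
    orders = {
        1001: {"owner": 1, "item": "mugs x200", "total": 1800},
        1002: {"owner": 2, "item": "t-shirts x50", "total": 950},
    }
    tiers = {1: "gold", 2: "standard"}  # discount tier keyed by customer id
    return orders, tiers


def get_order_vulnerable(session, orders, order_id):
    """Requires a login but never checks that the order belongs to the caller:
    any authenticated customer can read any order by guessing its id (horizontal escalation)."""
    return orders[order_id]


def get_order_fixed(session, orders, order_id):
    """Enforces ownership unless the caller is an admin."""
    order = orders.get(order_id)
    if order is None or (order["owner"] != session.user_id and session.role != "admin"):
        raise NotAuthorized(f"order {order_id}")
    return order


def set_tier_vulnerable(session, tiers, user_id, tier):
    """Trusts a client-supplied user_id and tier: a customer can promote their own
    discount tier (vertical escalation)."""
    tiers[user_id] = tier


def set_tier_fixed(session, tiers, user_id, tier):
    """Only an admin may change a tier, and only to a value from the fixed set."""
    if session.role != "admin":
        raise NotAuthorized("tier change requires the admin role")
    if tier not in ("standard", "gold", "platinum"):
        raise ValueError(f"unknown tier {tier!r}")
    tiers[user_id] = tier


def escalation_findings(get_order, set_tier):
    """Act as customer 2 against both endpoints; return the checks that failed
    (an empty list means no escalation was possible)."""
    orders, tiers = sample_data()
    attacker = Session(user_id=2, role="customer")
    findings = []
    try:  # horizontal: read customer 1's order
        if get_order(attacker, orders, 1001)["owner"] != attacker.user_id:
            findings.append("horizontal: read another customer's order")
    except NotAuthorized:
        pass
    try:  # vertical: promote own discount tier
        set_tier(attacker, tiers, attacker.user_id, "platinum")
        if tiers[attacker.user_id] == "platinum":
            findings.append("vertical: customer changed own discount tier")
    except NotAuthorized:
        pass
    return findings


if __name__ == "__main__":
    print("vulnerable:", escalation_findings(get_order_vulnerable, set_tier_vulnerable))
    print("fixed:     ", escalation_findings(get_order_fixed, set_tier_fixed))
```

The vulnerable pair yields both findings; the fixed pair yields none while still serving a customer their own order and letting an admin read any order. The harness is deliberately driven by a low-privilege session with a valid login, which is the position of a real repeat customer; the same two probes (swap an identifier, call an admin-only action) are what a tester repeats across every endpoint that takes an object ID or changes account state.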

Implementation of Testing Procedures

The testing process will proceed in phases, beginning with reconnaissance through fingerprinting to understand the platform environment, followed by vulnerability scanning and specific attack simulations such as brute force and privilege escalation, carried out in a controlled test environment rather than against production. Automated tools such as OWASP ZAP and Burp Suite, combined with manual testing, will provide accurate assessments. All tests will be documented, recording each vulnerability, its exploitability, and the recommended remediation steps.
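The brute force simulation in the plan above needs a concrete pass/fail criterion: does the login stop answering guesses, and after how many? The following is an added example, not code from the original report or from Online Goodies: a minimal login service that can be configured with or without a per-account lockout, and a tester that runs a wordlist against it and reports whether the password was recovered, whether the service locked the account, or whether every guess went through unthrottled. The `LoginService` class, the lockout policy, and the wordlist are assumptions made for the example.

```python
import hashlib
import hmac
import os


class LoginService:
    """Minimal password login with optional per-account lockout (assumed model).

    max_failures=None is the weak configuration (unlimited guesses); an integer
    locks the account after that many consecutive failures.
    """

    def __init__(self, users, max_failures=None):
        self.max_failures = max_failures
        self._creds = {}
        self.failures = {}
        for username, password in users.items():
            salt = os.urandom(16)
            self._creds[username] = (salt, self._derive(password, salt))
            self.failures[username] = 0

    @staticmethod
    def _derive(password, salt):
        # PBKDF2 so that even a leaked table is slow to crack offline.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def login(self, username, password):
        """Return 'ok', 'bad' or 'locked'. Unknown users get 'bad', the same answer
        as a wrong password, so the response does not confirm which usernames exist."""
        if username not in self._creds:
            return "bad"
        if self.max_failures is not None and self.failures[username] >= self.max_failures:
            return "locked"  # checked before the password: a correct guess cannot unlock
        salt, expected = self._creds[username]
        if hmac.compare_digest(self._derive(password, salt), expected):
            self.failures[username] = 0
            return "ok"
        self.failures[username] += 1
        return "bad"


# Constructed wordlist for the example; a real test would use a much larger list.
WORDLIST = ["123456", "password", "qwerty", "letmein", "welcome",
            "hunter2", "Summer2024", "goodies1"]


def brute_force(service, username, wordlist):
    """Try each word in order and return (outcome, attempts).

    'cracked'   a guess succeeded after this many attempts (finding)
    'locked'    the service refused further guesses at this attempt
    'exhausted' every word was tried with no success and no lockout
                (finding: no throttling observed)
    """
    for attempts, guess in enumerate(wordlist, start=1):
        result = service.login(username, guess)
        if result == "ok":
            return "cracked", attempts
        if result == "locked":
            return "locked", attempts
    return "exhausted", len(wordlist)


if __name__ == "__main__":
    weak = LoginService({"bob": "hunter2"})
    hardened = LoginService({"bob": "hunter2"}, max_failures=5)
    print("no lockout:", brute_force(weak, "bob", WORDLIST))
    print("lockout=5: ", brute_force(hardened, "bob", WORDLIST))
```

With no lockout the sixth guess recovers the password; with a five-failure lockout the sixth attempt is refused even though it is correct, and a later correct login is still refused, which is the second thing the test should verify (a counter that resets on success would let the attacker keep going). Lockout is not the only acceptable control and has a cost of its own: an attacker who knows a username can lock the legitimate customer out, so the plan should also test IP- and device-based rate limiting, progressive delays, and the credential-stuffing variant that tries one common password across many accounts, which a per-account counter alone does not catch.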

Conclusion

In conclusion, adopting OWASP-aligned testing procedures for the Online Goodies platform is essential to mitigate security risks inherent in e-commerce. By systematically evaluating the platform’s defenses against brute force, credential theft, privilege abuse, code injection, and information disclosure, the organization can strengthen its security posture. Continuous testing and timely remediation of identified vulnerabilities will contribute to building a secure, trustworthy online shopping environment that complies with industry standards and safeguards customer data effectively.
