5 high-risk vulnerabilities in e-commerce applications



In today’s world, where virtual lives take precedence over real ones, the only way a business can thrive is to establish an online presence. With more and more retail stores embracing digitalization every day, the e-commerce industry has never been as successful and popular as it is today.

According to data published by Statista, e-commerce revenue is expected to reach $5.4 trillion by 2022.

Nowadays there are hundreds of thousands of e-commerce applications aimed at a diverse customer base. While these apps have contributed significantly to the success of many businesses and corporations, they have also given cybercriminals a lucrative target. Many e-commerce applications are riddled with vulnerabilities that can lead to critical security and privacy issues.

After performing web application security assessments on numerous e-commerce applications, the Kratikal VAPT team discovered a range of unique and interesting vulnerabilities that could disrupt a company's business operations. Here is a curated list of the top 5 high-risk vulnerabilities we found in various e-commerce applications.



# 1 Parameter Tampering

Parameter tampering is a critical vulnerability that can lead to price manipulation and is often found in the online payment gateways and shopping carts of e-commerce applications. An application is vulnerable to price manipulation through parameter tampering if the server places undue trust in client-side validation or fails to validate user input on the server side while processing an order.

Usually the total amount payable for the order is stored in a hidden HTML field of a dynamically generated web page. For example, an order is placed by clicking a link that carries parameters related to the order, such as:


Malicious actors can use direct request manipulation, a web application proxy such as Achilles, or a command-line HTTP client to change the total amount payable while the order is being processed. By exploiting this vulnerability, attackers can:

  • buy any item for 1 (or any other amount of their choosing)
  • obtain a refund of the full original price even though the item was bought for only 1
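The following is an added example, not code from the Kratikal post. It contrasts a checkout handler that charges the client-supplied total with one that recomputes the total from a server-side catalogue. The SKUs, prices and request dictionaries are constructed for the demonstration; the negative-quantity request shows the refund variant of the same bug.

```python
# Added example (not code from the Kratikal post): a checkout handler that trusts
# the client-supplied total, beside one that recomputes it from the server-side
# catalogue. SKUs, prices and the request dictionaries are constructed for this demo.
from decimal import Decimal

# Constructed catalogue: the only place a price may come from.
CATALOG = {
    "SKU-1001": Decimal("4999.00"),  # headphones
    "SKU-2002": Decimal("799.00"),   # phone case
}

# The same cart as three requests: as the browser built it, after the attacker
# edited the hidden 'total' field in a proxy, and with a negative quantity
# (the refund trick: a trusted total goes negative).
HONEST = {"items": [{"sku": "SKU-1001", "qty": 1}, {"sku": "SKU-2002", "qty": 2}],
          "total": "6597.00"}
TAMPERED_TOTAL = dict(HONEST, total="1.00")
NEGATIVE_QTY = {"items": [{"sku": "SKU-1001", "qty": -1}], "total": "-4999.00"}


def checkout_vulnerable(request: dict) -> Decimal:
    """Charges whatever the client says the total is. The hidden field or URL
    parameter is attacker-controlled, so this is the price-manipulation bug."""
    return Decimal(request["total"])


def checkout_secure(request: dict) -> Decimal:
    """Ignores any client-supplied total and recomputes it from CATALOG,
    rejecting unknown SKUs and out-of-range quantities."""
    total = Decimal("0")
    for item in request["items"]:
        sku = item["sku"]
        qty = int(item["qty"])
        if sku not in CATALOG:
            raise ValueError(f"unknown sku {sku!r}")
        if not 1 <= qty <= 100:
            raise ValueError(f"quantity out of range: {qty}")
        total += CATALOG[sku] * qty
    return total


def secure_rejects(request: dict) -> bool:
    """True if the hardened handler refuses the order."""
    try:
        checkout_secure(request)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print("vulnerable, tampered :", checkout_vulnerable(TAMPERED_TOTAL))  # 1.00
    print("secure, tampered     :", checkout_secure(TAMPERED_TOTAL))      # 6597.00
    print("secure, negative qty :", secure_rejects(NEGATIVE_QTY))         # True
```

The hardened handler never reads the client's total at all; the hidden field can stay in the page for display, but the amount sent to the payment gateway must be derived from server-side prices and validated quantities.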

# 2 Insecure Direct Object Reference (IDOR)

One of the most serious vulnerabilities in e-commerce applications, IDOR occurs when an application takes user input and uses it directly to look up a database record or file without checking that the user is authorized to access that object. A malicious actor can then modify the reference and gain access to data or actions that are not theirs.


For example, while browsing an e-commerce application, an attacker notices that clicking the link to place an order sends a request of the form:


Here the payment method (pmode=cod) is passed as a request parameter. The attacker can change it to prepaid (pmode=prepaid), like:


By doing this, anyone can place a cash-on-delivery order that the system records as already paid, effectively obtaining the goods for free. The payment mode should be set server-side from the payment gateway's confirmation, never taken from a client-supplied parameter.

Malicious actors can also abuse the same class of flaw to cancel other users' orders, simply by changing the order identifier in the request, and to perform various other malicious actions wherever the server acts on a supplied identifier without checking that it belongs to the logged-in user.
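The following is an added example, not code from the Kratikal post. It models the two abuses described above: cancelling an order by its sequential ID with and without an ownership check, and setting the payment mode from a URL parameter versus from the server's own record of the gateway callback. Users, orders and IDs are constructed for the demonstration.

```python
# Added example (not code from the Kratikal post): order cancellation and payment
# mode handling with and without an authorization check. Users, orders and the
# sequential IDs exposed in the URL are constructed for this demo.
from dataclasses import dataclass


@dataclass
class Order:
    order_id: int
    owner: str
    pmode: str  # "cod" or "prepaid"
    status: str = "placed"


class Forbidden(Exception):
    pass


def make_orders() -> dict:
    """Fresh constructed order table, keyed by the ID that appears in the URL."""
    return {
        1001: Order(1001, "alice", "cod"),
        1002: Order(1002, "bob", "prepaid"),
    }


def cancel_order_vulnerable(orders: dict, order_id: int) -> str:
    """Acts on whatever orderid the request carries. Any logged-in user can
    cancel anyone's order just by changing the number."""
    order = orders[order_id]
    order.status = "cancelled"
    return order.status


def cancel_order_secure(orders: dict, session_user: str, order_id: int) -> str:
    """Resolves the reference, then checks it belongs to the caller. The same
    error is raised for 'missing' and 'not yours' so IDs cannot be probed."""
    order = orders.get(order_id)
    if order is None or order.owner != session_user:
        raise Forbidden("order not found")
    order.status = "cancelled"
    return order.status


def set_pmode_vulnerable(orders: dict, order_id: int, pmode_param: str) -> str:
    """Trusts pmode from the URL: changing pmode=cod to pmode=prepaid marks an
    unpaid order as paid."""
    orders[order_id].pmode = pmode_param
    return orders[order_id].pmode


def set_pmode_secure(orders: dict, order_id: int, gateway_confirmed: bool) -> str:
    """Payment mode is derived from the server's own record of the gateway
    confirmation, never from a client-supplied parameter."""
    orders[order_id].pmode = "prepaid" if gateway_confirmed else "cod"
    return orders[order_id].pmode


def secure_cancel_denied(orders: dict, session_user: str, order_id: int) -> bool:
    """True if the hardened handler refuses the cancellation."""
    try:
        cancel_order_secure(orders, session_user, order_id)
        return False
    except Forbidden:
        return True
```

Unguessable identifiers (UUIDs) make enumeration harder, but they are not the fix; the authorization check against the session user is, and it has to run on every object reference the request carries.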

# 3 Unvalidated Redirects and Forwards

Unvalidated redirects and forwards arise when an e-commerce application accepts untrusted input that causes it to redirect a request to a URL contained in that input. By crafting the URL parameter so that it leads users to a malicious site, attackers can launch convincing phishing attacks and steal user credentials.

Because the hostname in the crafted link is that of the legitimate site, these phishing attempts look genuine and are more likely to succeed. Unvalidated forwards can also be exploited to craft a URL that bypasses the application's access control, allowing attackers to reach privileged functions.
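The following is an added example, not code from the Kratikal post. It validates a post-login `next` parameter so the application can only redirect within itself, and re-checks access on a server-side forward. The origin `https://shop.example`, the page list and the roles are constructed for the demonstration. It goes beyond the text in covering the bypasses a practitioner tests for: protocol-relative `//host`, triple-slash `///host` (which browsers collapse to `//host` although Python's `urlsplit` does not), backslashes and embedded tab characters that browsers strip.

```python
# Added example (not code from the Kratikal post): validating a post-login
# 'next' parameter so the shop can only redirect within itself, plus a forward
# that re-checks access. The origin, pages and roles are constructed for this demo.
import string
from urllib.parse import urlsplit

SITE_ORIGIN = "https://shop.example"  # constructed
SAFE_FALLBACK = "/account"
# RFC 3986 URL characters; anything else (whitespace, backslash, control
# characters that browsers strip or reinterpret) is rejected outright.
URL_CHARS = set(string.ascii_letters + string.digits + "-._~:/?#[]@!$&'()*+,;=%")


def redirect_vulnerable(next_url: str) -> str:
    """Sends the browser wherever the parameter says, so
    /login?next=https://evil.example is a phishing link on the real domain."""
    return next_url


def safe_redirect_target(next_url: str) -> str:
    """Accepts only a local absolute path such as /cart?step=2; everything else
    falls back to a fixed page."""
    if not next_url or not set(next_url) <= URL_CHARS:
        return SAFE_FALLBACK
    # Protocol-relative forms: //evil.example, and ///evil.example, which
    # browsers collapse to //evil.example even though urlsplit() does not.
    if not next_url.startswith("/") or next_url.startswith("//"):
        return SAFE_FALLBACK
    parts = urlsplit(next_url)
    if parts.scheme or parts.netloc:  # belt and braces after the checks above
        return SAFE_FALLBACK
    return next_url


# Constructed page ACL for the 'forward' case: the handler the request is
# forwarded to must still be authorized for the caller.
PAGE_ROLES = {
    "/account": {"customer", "admin"},
    "/admin/refunds": {"admin"},
}


def forward_vulnerable(page: str) -> str:
    """Forwards to the requested internal page with no access check."""
    return f"rendered {page}"


def forward_secure(role: str, page: str) -> str:
    """Re-runs the access check for the forwarded-to page."""
    if role not in PAGE_ROLES.get(page, set()):
        return "403 forbidden"
    return f"rendered {page}"
```

Where the application genuinely needs to send users off-site, the alternative is a server-side allow-list of destinations selected by an index or key, so the client never supplies a URL at all.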

# 4 Local File Inclusion (LFI)

Local File Inclusion (LFI) is the inclusion of files already present on the server by exploiting vulnerable include routines in an e-commerce application. It allows attackers to trick the application into exposing or executing files on the web server. LFI is caused by improper sanitization of the paths passed to "include" statements.

Attackers can exploit this vulnerability to read any file the web server process has permission to access, including password files, database files, and sensitive user data. An LFI attack can result in information disclosure, cross-site scripting (XSS), or remote code execution (for instance, when an attacker manages to include a file whose content they control, such as a log file or an upload).

For example, if an e-commerce application uses code that takes the name of the file to include from the URL, such as:


A malicious actor can change the URL to something like this:


In the absence of proper filtering, the web server will expose the contents of the /etc/passwd file.
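The following is an added example, not code from the Kratikal post. It reproduces the include pattern above in Python: a loader that joins the decoded `page` parameter onto the template directory, beside one that allow-lists the include name and then confirms the canonical path is still inside that directory. The sandbox directory, the two template files and a stand-in `passwd` file are created in a temporary folder for the demonstration, and the attacker inputs (plain and URL-encoded traversal, an absolute path, a null byte) are constructed.

```python
# Added example (not code from the Kratikal post): a page-include loader that
# builds a file path from a URL parameter, beside one that confines the include
# to an allow-list inside the template directory. The sandbox directory, the
# template files and the stand-in 'passwd' file are created here for the demo.
import os
import tempfile
from urllib.parse import unquote

SANDBOX = tempfile.mkdtemp(prefix="lfi_demo_")
TEMPLATE_DIR = os.path.join(SANDBOX, "templates")
os.mkdir(TEMPLATE_DIR)
for _name, _body in {"header.html": "<h1>Shop</h1>", "footer.html": "<p>bye</p>"}.items():
    with open(os.path.join(TEMPLATE_DIR, _name), "w") as _f:
        _f.write(_body)
# Stands in for /etc/passwd: readable by the process but outside TEMPLATE_DIR.
SECRET_PATH = os.path.join(SANDBOX, "passwd")
with open(SECRET_PATH, "w") as _f:
    _f.write("root:x:0:0:root:/root:/bin/bash\n")

ALLOWED_INCLUDES = {"header.html", "footer.html"}

# Constructed attacker inputs as they would appear in ?page=
TRAVERSAL = "../passwd"
TRAVERSAL_ENCODED = "..%2Fpasswd"
ABSOLUTE = SECRET_PATH           # os.path.join discards the base for absolute paths
NULL_BYTE = "header.html%00.txt"


def include_vulnerable(page: str) -> str:
    """Equivalent of include("templates/" . $_GET["page"]): the decoded
    parameter is joined onto the directory and opened as-is."""
    path = os.path.join(TEMPLATE_DIR, unquote(page))
    with open(path) as f:
        return f.read()


def include_secure(page: str) -> str:
    """Allow-list the include name, then confirm the canonical path is still
    inside TEMPLATE_DIR (defence in depth against symlinks and encoding tricks)."""
    name = unquote(page)
    if "\x00" in name or name not in ALLOWED_INCLUDES:
        raise PermissionError(f"include not permitted: {page!r}")
    base = os.path.realpath(TEMPLATE_DIR)
    real = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, real]) != base:
        raise PermissionError("path escapes template directory")
    with open(real) as f:
        return f.read()


def secure_rejects(page: str) -> bool:
    """True if the hardened loader refuses the include."""
    try:
        include_secure(page)
        return False
    except PermissionError:
        return True
```

Stripping `../` from the input is not a substitute for the allow-list: `....//` survives a single pass, and absolute paths contain no traversal sequence at all.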

# 5 Cross-Site Request Forgery (CSRF)

Using cross-site request forgery (CSRF), malicious actors craft requests that trick users into unknowingly performing an action simply by clicking a link or loading a page. Through CSRF, the attacker makes the target application perform a function through the victim's browser, which automatically attaches the victim's session cookies, without the user's knowledge. The impact of a successful CSRF attack depends on the privileges held by the victimized user.

Also known as Session Riding, XSRF, or Sea Surf, CSRF exploits the fact that an e-commerce application fully trusts a user once that user's identity has been confirmed. These attacks can have devastating consequences such as unauthorized fund transfers, data theft and changed passwords.

In e-commerce applications, attackers can also use CSRF to cancel another user's delivery. For example, a typical request to cancel an order may look like:


An attacker can disguise this URL in an email or on a web page, for example as the source of an invisible zero-size image, so that the victim's browser issues the request with the victim's session cookies attached:

Once the target user opens the email or clicks the disguised link, the order is cancelled without the user's knowledge.
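The following is an added example, not code from the Kratikal post. It models the order-cancellation endpoint twice: relying on the session cookie alone, as in the attack above, and protected by requiring POST, a per-session synchronizer token (an HMAC of the session ID under a server-side key) and an Origin or Referer header from the site itself. The origin `https://shop.example`, the session ID and the forged and legitimate request dictionaries are constructed for the demonstration.

```python
# Added example (not code from the Kratikal post): the order-cancellation
# endpoint with and without CSRF protection. The protected version requires
# POST, a per-session synchronizer token (HMAC of the session ID under a
# server key) and an Origin/Referer on this site. Session ID, origin and the
# request dictionaries are constructed for this demo.
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://shop.example"  # constructed
SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret, never sent to clients
VICTIM_SESSION = "sess-alice-7f3a"    # constructed cookie value


def csrf_token(session_id: str) -> str:
    """Token embedded in the shop's own cancel form; a page on another origin
    cannot read it, so it cannot include it in a forged request."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def same_origin(header_value: str) -> bool:
    p = urlsplit(header_value)
    return f"{p.scheme}://{p.netloc}" == SITE_ORIGIN


def cancel_vulnerable(request: dict) -> str:
    """Relies on the session cookie alone. A GET /cancel?orderid=... in an
    <img> on any site is enough, because the browser attaches the cookie."""
    if not request.get("cookie_session"):
        return "401 login required"
    return f"order {request['params']['orderid']} cancelled"


def cancel_secure(request: dict) -> str:
    sid = request.get("cookie_session")
    if not sid:
        return "401 login required"
    if request["method"] != "POST":  # GET must never change state
        return "405 method not allowed"
    origin = request["headers"].get("Origin") or request["headers"].get("Referer")
    if not origin or not same_origin(origin):
        return "403 cross-site request"
    token = request["params"].get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), csrf_token(sid).encode()):
        return "403 bad csrf token"
    return f"order {request['params']['orderid']} cancelled"


# Constructed requests as the server would see them.
# 1) Forged <img src="https://shop.example/cancel?orderid=1001"> on evil.example
FORGED_GET = {"method": "GET", "cookie_session": VICTIM_SESSION,
              "headers": {"Referer": "https://evil.example/sale.html"},
              "params": {"orderid": "1001"}}
# 2) Forged auto-submitting <form method="POST"> on evil.example
FORGED_POST = {"method": "POST", "cookie_session": VICTIM_SESSION,
               "headers": {"Origin": "https://evil.example"},
               "params": {"orderid": "1001"}}


def legit_request(with_token: bool = True) -> dict:
    """What the shop's own cancel form submits."""
    params = {"orderid": "1001"}
    if with_token:
        params["csrf_token"] = csrf_token(VICTIM_SESSION)
    return {"method": "POST", "cookie_session": VICTIM_SESSION,
            "headers": {"Origin": SITE_ORIGIN}, "params": params}
```

Two caveats: rejecting requests with neither Origin nor Referer will break some privacy-configured clients, so many deployments treat the token as the primary control and the header check as a secondary one; and setting the session cookie with `SameSite=Lax` or `Strict` stops the browser from attaching it to cross-site POSTs in the first place, complementing rather than replacing the token.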


Now that we have discussed the top 5 high-risk vulnerabilities found in e-commerce applications, you should understand how badly your business can be disrupted if an attacker decides to target your application.

To avoid such consequences, make sure you find the vulnerabilities in your e-commerce application before malicious actors have the chance to exploit them. You can do this by periodically performing web application security testing and fixing every vulnerability detected as soon as possible.

Being proactive is the only way to secure your application!


The post 5 High-risk vulnerabilities in e-commerce applications first appeared on Kratikal Blogs.

*** This is a syndicated Security Bloggers Network blog from Kratikal Blogs written by Dhwani Meharchandani. Read the original post at: https://www.kratikal.com/blog/vulnerabilities-in-e-commerce-applications/


