An Integrated Vulnerability Assessment of Electronic Commerce Websites

Full Text (PDF, 831KB), pp. 24-32


Author(s)

Issah Baako 1,*, Sayibu Umar 1

1. Bagabaga College of Education, Tamale, Ghana

* Corresponding author.

DOI: https://doi.org/10.5815/ijieeb.2020.05.03

Received: 14 May 2020 / Revised: 25 May 2020 / Accepted: 4 Jun. 2020 / Published: 8 Oct. 2020

Index Terms

E-commerce websites, w3af, security, vulnerabilities, data protection, XSS, injection

Abstract

This paper examines security issues on electronic commerce websites in Ghana using technical and non-technical procedures. The study assessed e-commerce websites for the security tools employed to protect user data and for other related privacy issues on the websites. It also analyzed the e-commerce websites for the encryption tools that protect customer data and tested them, using w3af, for the presence of security vulnerabilities that could threaten the security of the sites and their users. The study used a combination of three methods: web content analysis, an information security audit, and testing of the websites with w3af, a vulnerability assessment tool. The Web Application Attack and Audit Framework (w3af) was used to test for and identify possible vulnerabilities on the e-commerce websites that could be used by malicious users to steal customer data for fraudulent purposes. The research focused on revealing the security vulnerabilities present on e-commerce websites that could affect clients' trust, clients' satisfaction, and customers' patronage of e-commerce services. The study found credit card number disclosures, full path disclosure vulnerabilities, cross-site request forgery vulnerabilities and social security number exposures of clients on the e-commerce websites. These security weaknesses in the e-commerce websites are highlighted as findings of the study that would inform policy direction on electronic data collection, protection and use in the e-commerce industry in Ghana. The findings will also inform industry players in the e-commerce sector of the need to strengthen security on their websites, and caution customers to be security conscious on all e-commerce websites. The major significance of the study is the fact that the majority of the electronic commerce websites have many vulnerabilities, making them insecure for customers to entrust their private data to.
This study therefore informs the customer community and the electronic commerce industry of these security weaknesses and the urgent need to get them fixed. Some solutions have been suggested in the paper to assist in fixing these security vulnerabilities. These solutions have provided the best results. A diligent application of these methods in addressing the vulnerabilities would provide more secure and less vulnerable e-commerce websites for users. The precautions suggested could help protect customers and reduce cyber threats during online shopping.

Cite This Paper

Issah Baako, Sayibu Umar, "An Integrated Vulnerability Assessment of Electronic Commerce Websites", International Journal of Information Engineering and Electronic Business (IJIEEB), Vol. 12, No. 5, pp. 24-32, 2020. DOI: 10.5815/ijieeb.2020.05.03
