Web Commerce Security Design and Development by Ronald L. Krutz, Hadi Nahari

Common Web Commerce Attacks

In the rest of this chapter, we describe common attacks on your Web commerce applications that you must prepare to defend against. Each section contains a description of an attack as well as recommendations to control and counter it where applicable.

Broken Authentication and Session Management Attack

Although attacks of this kind are common, mounting a successful one is difficult. Flaws in authentication and session management most frequently involve the failure to protect security-sensitive credentials (passwords or other key material) and session tokens throughout their life cycle. This allows attackers to compromise credentials, or to exploit other implementation flaws, in order to assume other users' identities. All Web application frameworks are vulnerable to authentication and session management attacks. The vulnerabilities are usually exploited in the main authentication mechanism, in password management, and in session-timeout logic.
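The token life-cycle controls described above, as an added example that is not code from the book: a minimal server-side session store in Python that issues tokens from the OS CSPRNG, stores only a hash of each token (so a leaked session table does not yield usable tokens), enforces both an idle timeout and an absolute lifetime, and rotates the token after login so a pre-login token cannot be fixed on the user. The timeout values, the `SessionStore` API and the injectable clock are assumptions made for illustration.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Assumed policy values for the example; a real deployment sets these per risk appetite.
IDLE_TIMEOUT = 15 * 60        # seconds of inactivity after which a session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # hard lifetime regardless of activity


@dataclass
class Session:
    user: str
    created: float     # epoch seconds when the token was issued
    last_seen: float   # epoch seconds of the last successful validation


class SessionStore:
    """In-memory session table keyed by SHA-256(token), never by the raw token."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock          # injectable so expiry can be tested deterministically
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, user: str) -> str:
        """Issue a fresh 256-bit token for `user` and return it to be sent to the client."""
        token = secrets.token_urlsafe(32)   # CSPRNG; never derive tokens from user data
        now = self._clock()
        self._sessions[self._key(token)] = Session(user, now, now)
        return token

    def validate(self, token: str) -> Optional[str]:
        """Return the user bound to `token`, or None if unknown or expired (expired
        sessions are deleted on sight rather than left lingering)."""
        key = self._key(token)
        sess = self._sessions.get(key)
        if sess is None:
            return None
        now = self._clock()
        if now - sess.last_seen > IDLE_TIMEOUT or now - sess.created > ABSOLUTE_TIMEOUT:
            del self._sessions[key]
            return None
        sess.last_seen = now
        return sess.user

    def rotate(self, token: str) -> Optional[str]:
        """Replace `token` with a new one for the same user and revoke the old one.
        Call this on login and on any privilege change (defeats session fixation)."""
        user = self.validate(token)
        if user is None:
            return None
        del self._sessions[self._key(token)]
        return self.create(user)

    def revoke(self, token: str) -> None:
        """Explicit logout: forget the session immediately."""
        self._sessions.pop(self._key(token), None)


if __name__ == "__main__":
    store = SessionStore()
    t = store.create("alice")
    print("valid for:", store.validate(t))
    t2 = store.rotate(t)
    print("old token still valid?", store.validate(t) is not None)
    print("new token valid for:", store.validate(t2))
```

The clock is injected so expiry behaviour can be exercised without sleeping; in production the default `time.time` applies. Storing the hash rather than the token means a database dump gives an attacker nothing to replay, at the cost of one SHA-256 per request.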

Passwords are the most common form of credential used to authenticate users on the Web. Flaws in password management are therefore of particular importance in this attack category. One typical attack against password-protected systems is an automated system that guesses users' passwords by brute force. There are three types of password-guessing brute-force attacks[8]:

  • Vertical: An attacker starts with a single known username and tries a large set of passwords (typically by leveraging automated scripts) and tests ...
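The vertical case above (one known username, many password guesses) is visible in authentication logs as a burst of failures for a single account. The following added example, which is not code from the book, runs a sliding-window counter over a constructed sample log and emits an alert once a configurable number of failures for one username lands inside the window. The grouping key is a parameter, so the same function can be keyed on the source address instead; the log line format, the `login OK|FAIL` wording, the threshold and the window are all assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Optional, Tuple

# Constructed sample authentication log (not from the book). The format is an assumption:
# "<ISO-8601 UTC> login <OK|FAIL> user=<name> src=<address>".
SAMPLE_LOG = """\
2023-05-01T10:00:01Z login FAIL user=alice src=203.0.113.7
2023-05-01T10:00:02Z login FAIL user=alice src=203.0.113.7
2023-05-01T10:00:03Z login FAIL user=alice src=203.0.113.7
2023-05-01T10:00:04Z login FAIL user=alice src=203.0.113.7
this line is deliberately malformed and must be skipped
2023-05-01T10:00:05Z login FAIL user=alice src=203.0.113.7
2023-05-01T10:00:06Z login FAIL user=alice src=203.0.113.7
2023-05-01T10:00:30Z login OK   user=bob   src=198.51.100.2
2023-05-01T10:30:00Z login FAIL user=carol src=198.51.100.9
2023-05-01T10:45:00Z login FAIL user=carol src=198.51.100.9
2023-05-01T11:00:00Z login FAIL user=carol src=198.51.100.9
"""

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>OK|FAIL)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    """Return (timestamp, result, user, src), or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m["ts"], TS_FMT), m["result"], m["user"], m["src"]


def detect_brute_force(
    lines: Iterable[str],
    key: str = "user",
    threshold: int = 5,
    window: timedelta = timedelta(minutes=5),
) -> List[Tuple[str, str]]:
    """Sliding-window counter of failed logins grouped by `key` ("user" or "src").

    Emits (group, iso_timestamp) when `threshold` failures for one group fall
    inside `window`. The window is cleared after an alert so one burst produces
    one alert rather than one per additional failed attempt.
    """
    if key not in ("user", "src"):
        raise ValueError("key must be 'user' or 'src'")
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: List[Tuple[str, str]] = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                      # unparseable line: skip, do not crash the detector
        ts, result, user, src = parsed
        if result != "FAIL":
            continue                      # only failures feed the counter
        group = user if key == "user" else src
        q = failures[group]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((group, ts.strftime(TS_FMT)))
            q.clear()
    return alerts


if __name__ == "__main__":
    for group, when in detect_brute_force(SAMPLE_LOG.splitlines()):
        print(f"ALERT: repeated login failures for user={group} at {when}")
```

With the sample data, `alice` trips the detector on her fifth failure while `carol`'s three failures, spread over thirty minutes, stay below the threshold; keying on `src` instead of `user` flags the single address behind the burst. A real deployment would pair an alert like this with a rate limit or temporary lockout on the targeted account and would also watch for the burst being followed by a success.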
