Vulnerability Analysis of Indonesian Ecommerce Website
China University of Geosciences
Master's Thesis
Vulnerability Analysis of Indonesian Ecommerce Website
邹华清
Training unit: School of Computer Science
March 2019
A Dissertation Submitted to China University of Geosciences
For the Master Degree of Computer Science
VULNERABILITY ANALYSIS OF
INDONESIAN ECOMMERCE WEBSITE
I solemnly declare that the master's thesis I am submitting, "VULNERABILITY
guidance, is the result of research I carried out independently while studying for a master's degree at China University of Geosciences (Wuhan). Except where noted, the thesis contains no research results previously published or written by others; the persons who helped in completing the thesis are acknowledged in the text.
The master's thesis I am submitting does not violate academic ethics or academic norms and contains no infringement, and I am willing to bear the legal responsibility and consequences arising from it.
Signature of thesis author:
Date: 2 May 2019
Supervisor's Commitment for Graduate Thesis, China University of Geosciences (Wuhan)
I solemnly undertake that the master's thesis "VULNERABILITY
under my guidance is the result of research carried out independently by the graduate student while studying for a master's degree at China University of Geosciences (Wuhan), and that the thesis was completed independently by the student.
The master's thesis submitted by the student does not violate academic ethics or academic norms and contains no infringement, and I am willing to bear the supervisor-related responsibility and consequences arising from it.
Supervisor (signature):
Date: 2019 (month and day left blank)
Authorization for Use of Thesis, China University of Geosciences (Wuhan)
I authorize China University of Geosciences (Wuhan) to preserve this thesis by photocopying, microfilming, digitization or other means of reproduction; the university may submit the full electronic text of this thesis to relevant national departments or institutions and include it in relevant databases for retrieval, download and document delivery; and I agree to full-text browsing and download within the campus network.
For classified theses, this authorization applies after declassification.
Signature of thesis author:
Date: 22 May 2019
ABSTRACT
Over the past few decades, the number of internet users has increased significantly. In 2018, more than 4 billion people around the world were connected to the internet. Along with this, ecommerce websites have developed rapidly in the current era of digital technology, including in Indonesia. The valuable data that ecommerce websites hold makes website vulnerabilities a serious threat to them. Large volumes of financial transaction data and personal user data are the reason ecommerce websites are among the sites most often targeted by attackers.
Several studies relate to the vulnerability analysis of websites. Most of them focus on the implementation and methods for finding security holes in a website. Research on discovering vulnerabilities in ecommerce websites in Indonesia is still very hard to find, which motivated the author to carry out this study.
In this thesis, tests were conducted to find potential vulnerabilities in the ten biggest ecommerce websites in Indonesia, using the Open Web Application Security Project (OWASP) standard. OWASP is a worldwide, free and open community focused on improving the security of software, and a non-profit charitable organization whose mission is to make software security visible so that individuals and organizations can make informed decisions about their software security risks. Action research and penetration testing methods were chosen to find the potential vulnerabilities of each website. The research also determines the level of risk and recommends solutions to the security problems found.
Various potential security problems were found on each website. Fifteen types of potential vulnerability were found, but none of them has a high risk level. Cross-Domain JavaScript Source File Inclusion is the most common security problem across the ten websites, whereas Session ID in URL Rewrite, Secure Page Includes Mixed Content and X-Frame-Options Setting Malformed are the least common. The thesis closes with recommended fixes for each security problem found, and so contributes to the understanding of web security risk in Indonesian ecommerce websites.
ABSTRACT (Chinese version, translated)
Over the past few decades, the number of internet users has increased significantly. In 2018, more than 4 billion people worldwide were connected to the internet. At the same time, ecommerce websites have developed rapidly in the current era of digital technology, including in Indonesia. The important data held by ecommerce websites makes website vulnerability a serious threat to these sites. Large volumes of financial transaction data and personal user data are the reason ecommerce websites become targets of hacker attacks.
Several studies relate to the vulnerability analysis of websites. Most of them focus on the implementation and methods for finding security holes on a website. Discovering vulnerabilities in Indonesian ecommerce websites is still a research topic on which work is very hard to find. This motivates the author to conduct research on it.
Security Project (OWASP) is a worldwide free and open community dedicated to improving the security of software (applications), and also a non-profit charitable organization whose mission is to make software security visible so that individuals and organizations can make informed choices about their software security risks. Action research and penetration testing methods were chosen to discover the potential vulnerabilities of each website. This study also aims to determine the risk level and propose solutions to improve the security problems.
In this study, various potential security problems were found on each website. Fifteen types of
solutions to the security problems. Thus, this thesis contributes to the understanding of the web security risks of Indonesian ecommerce websites.
Keywords: ecommerce, website vulnerability, OWASP
CONTENTS
2.3 RELATED WORK 47
CHAPTER 3 PENETRATION TESTING 50
3.1 Penetration Testing 50
3.1.1 Definition 50
3.1.2 Objective 50
3.1.3 Testing Needs and Benefits 50
3.1.4 Testing Frequency 51
3.1.5 Process of Penetration Testing 52
3.2 OWASP ZAP 53
3.2.1 Introduction 53
3.2.2 ZAP Features 54
3.2.3 Finding Issues 57
CHAPTER 4 RESULT 66
4.1 Testing Result 66
4.2 Vulnerability Analysis 76
4.2.1 Vulnerability Mapping and Comparison 76
4.2.2 Vulnerability Description and Recommended Solution 80
CHAPTER 5 CONCLUSION AND FURTHER WORK 86
5.1 Conclusion 86
5.2 Further Work 87
REFERENCES 88
LIST OF FIGURES
Figure 3.9 Setting of passive scan in OWASP ZAP 62
Figure 3.10 Attacking the website using the spider feature 63
Figure 3.11 Active scan in OWASP ZAP 63
Figure 3.12 Fuzz feature in OWASP ZAP 64
Figure 4.1 Chart of vulnerability rank based on testing results 78
Figure 4.2 Chart of total number of vulnerabilities found on each website 80
LIST OF TABLES
Table 4.1 Number of vulnerability alerts and risk level found in lazada.co.id 66
Table 4.2 Number of each vulnerability type for lazada.co.id 66
Table 4.3 Number of vulnerability alerts and risk level found in mataharimall.com 67
Table 4.4 Number of each vulnerability type for mataharimall.com 67
Table 4.5 Number of vulnerability alerts and risk level found in blibli.com 68
Table 4.6 Number of each vulnerability type for blibli.com 68
Table 4.7 Number of vulnerability alerts and risk level found in zalora.com 69
Table 4.8 Number of each vulnerability type for zalora.com 70
Table 4.9 Number of vulnerability alerts and risk level found in jd.id 70
Table 4.10 Number of each vulnerability type for jd.id 71
Table 4.11 Number of vulnerability alerts and risk level found in tokopedia.com 71
Table 4.12 Number of each vulnerability type for tokopedia.com 72
Table 4.13 Number of vulnerability alerts and risk level found in elevania.com 72
Table 4.14 Number of each vulnerability type for elevania.com 73
Table 4.15 Number of vulnerability alerts and risk level found in shopee.com 73
Table 4.16 Number of each vulnerability type for shopee.com 74
Table 4.17 Number of vulnerability alerts and risk level found in bukalapak.com 74
Table 4.18 Number of each vulnerability type for bukalapak.com 75
Table 4.19 Number of vulnerability alerts and risk level found in qoo10.com 75
Table 4.20 Number of each vulnerability type for qoo10.com 76
Table 4.21 Rank of vulnerabilities found across all websites 76
Table 4.22 Number of vulnerability types found on each website 79
Table 4.23 Number of each vulnerability type found on each website 79
CHINA UNIVERSITY OF GEOSCIENCE 1
CHAPTER 1
INTRODUCTION
1.1 Background
Over the past few decades, information technology has made a big leap. Looking at the past 10 years, information technology has gradually made a significant positive impact on human life. The Internet and web applications are among the most rapidly developing sectors of information technology.
The 2018 Global Digital suite of reports reveals that there are now more than 4 billion people around the world using the internet [1]. Over half of the world's population is now online, and the latest data show that nearly a quarter of a billion new users came online for the first time in 2017. Much of this growth in internet users has been driven by more affordable smartphones and mobile data plans. Because bandwidth costs keep falling and new technologies continue to develop, Internet services are widely accessible around the globe, and so is their use [1-3]. The chart in figure 1.1 shows that global Internet users were only around 7 percent of the human population in 2000, rising to around 48 percent in 2018.
As seen in figure 1.2, internet users in Indonesia grew by 51 percent within a year. This is the largest figure in the world, far exceeding the global average growth of only 10 percent; the Philippines and Mexico follow in second and third position, both with growth rates of 27 percent [1].
worldwide amounted to 2.3 trillion US dollars, and e-retail revenues are projected to grow to 4.88 trillion US dollars in 2021 [4].
According to Positive Technologies [5], ecommerce sites, characterized by an abundance of web applications, saw the second-highest average number of attacks on the sample day analyzed. This sector handles large volumes of sensitive consumer data, such as personal and financial information. The most popular attack vector in this sector, too, is path traversal, which can give attackers access to file system directories. Denial of service (DoS) attacks also make up a significant portion of attacks (14%), a method that can render web applications inaccessible in a sector where uptime is critical.
As seen in figure 1.3, ecommerce websites are also the second biggest target of hacker attacks.
The choice of Indonesian ecommerce websites as the object of this research is also based on the country's large number of internet users and the large number of attacks on sites hosted there. As figure 1.4 shows, when the data are broken down by country, the sites most targeted in February 2018 were those hosted in the United States, with 18,729 hacked sites in total; Indonesia and South Africa follow with 4,679 and 4,441 websites.
[Figure: action research cycle with the stages Diagnosing, Taking action, Evaluating and Specifying learning]
d. Take control of the application, for example by doing things the tester is not normally allowed to do.
e. Collect evidence, for example of the actions taken while controlling the application.
f. Report, which involves writing a report covering everything from the beginning to the end of the test.
g. Suggest remedies for the vulnerabilities found during testing.
[Figure: penetration testing process flow: Collect information -> Start exploitation of vulnerabilities -> Evidence collecting -> Reporting -> Suggesting remedies for the vulnerabilities]
which means that it can run on most operating systems that support Java. ZAP is included by default in the Kali Linux penetration testing distribution, or it can be downloaded from the OWASP project site and run on any OS with Java installed. The OWASP ZAP proxy borrows heavily in GUI appearance from the Paros Proxy lightweight web application security testing tool, from which it was originally forked.
A penetration test with OWASP ZAP generally follows these stages:
a. Explore
In this stage, the tester learns about the system being tested: its endpoints, which patches are installed, and often also hidden content on the site and possible known vulnerabilities.
b. Attack
In this stage, the tester attempts to actually exploit the known vulnerabilities to prove that they really exist in the system.
c. Report
In this stage, the tester reports the results of the test, including the vulnerabilities found and how they were exploited, how difficult exploitation was, and the severity of that exploitation.
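The Report stage in practice comes down to counting what the scanner produced. The following Python script, added here as an example and not code from the thesis or from the ZAP project, reads a ZAP JSON report and tallies alert instances by risk level and by alert type, the two figures the result tables in Chapter 4 present per website. The report layout (site, alerts, instances, riskcode) is assumed to match ZAP's JSON export; the report embedded below is constructed for the example and its hostname is hypothetical.

```python
"""
Tally alerts from an OWASP ZAP JSON report by risk level and by alert type.

Added example, not code from the thesis or the ZAP project. The layout
(site -> alerts -> instances, riskcode as a string) is assumed to follow
ZAP's JSON report; the sample report below is constructed, not a real scan.
"""
import json
from collections import Counter

# ZAP riskcode values: 0 = Informational, 1 = Low, 2 = Medium, 3 = High
RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}

# Constructed sample report for a hypothetical host.
SAMPLE_REPORT = json.dumps({
    "@version": "2.7.0",
    "site": [{
        "@name": "https://shop.example",
        "alerts": [
            {"name": "Cross-Domain JavaScript Source File Inclusion", "riskcode": "1",
             "confidence": "2", "cweid": "829",
             "instances": [{"uri": "https://shop.example/", "method": "GET"},
                           {"uri": "https://shop.example/cart", "method": "GET"}]},
            {"name": "X-Frame-Options Header Not Set", "riskcode": "2",
             "confidence": "2", "cweid": "16",
             "instances": [{"uri": "https://shop.example/login", "method": "GET"}]},
            {"name": "Session ID in URL Rewrite", "riskcode": "2",
             "confidence": "3", "cweid": "200",
             "instances": [{"uri": "https://shop.example/a;jsessionid=abc", "method": "GET"}]},
            {"name": "Information Disclosure - Suspicious Comments", "riskcode": "0",
             "confidence": "1", "cweid": "200",
             "instances": [{"uri": "https://shop.example/js/app.js", "method": "GET"}]},
        ],
    }],
})


def load_alerts(report_json):
    """Flatten the report into (site, alert_name, risk_code, instance_count) rows."""
    report = json.loads(report_json)
    rows = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            rows.append((site["@name"], alert["name"], int(alert["riskcode"]),
                         len(alert.get("instances", []))))
    return rows


def count_by_risk(rows):
    """Instances per risk level (the 'alert and risk level' figure per website)."""
    counts = Counter()
    for _site, _name, risk, n in rows:
        counts[RISK_NAMES[risk]] += n
    return dict(counts)


def count_by_type(rows):
    """Instances per alert type (the 'each vulnerability type' figure per website)."""
    counts = Counter()
    for _site, name, _risk, n in rows:
        counts[name] += n
    return counts


def highest_risk(rows):
    """Name of the highest risk level present, or None for an empty report."""
    if not rows:
        return None
    return RISK_NAMES[max(risk for _site, _name, risk, _n in rows)]


if __name__ == "__main__":
    rows = load_alerts(SAMPLE_REPORT)
    for level, n in sorted(count_by_risk(rows).items()):
        print(f"{level:<14} {n}")
    for name, n in count_by_type(rows).most_common():
        print(f"{n:>3}  {name}")
    print("highest risk:", highest_risk(rows))
```

Counting instances rather than alert entries matters when comparing sites: a single "Cross-Domain JavaScript Source File Inclusion" alert can cover dozens of URLs, which is why that alert dominates the totals in Chapter 4.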
1.4 Organization of Thesis
In this thesis, the potential vulnerabilities of the top ten Indonesian ecommerce websites are reviewed against the OWASP Top Ten.
This thesis is organized in the following chapters:
Chapter 1 Introduction
Consists of the background, problem statement, research scope, research method and approach, and thesis organization.
Chapter 2 Literature Review
Explains web vulnerabilities, how vulnerability assessment tools work, web vulnerability attack threats, web application vulnerability scanners, the growth of Indonesian ecommerce websites and the top ten Indonesian ecommerce websites. This chapter also reviews previous research related to this work.
Chapter 3 Penetration Testing
Consists of the definition and objective of penetration testing, testing needs and benefits, testing frequency, the process of penetration testing, and an explanation of ZAP, its features, the ZAP testing procedure and how issues are found.
Chapter 4 Result
Presents the results of the research, the analysis and discussion of the completed experiment's test results, and the comparison of web vulnerabilities across the Indonesian ecommerce websites.
Chapter 5 Conclusion and Further Work
Presents the conclusions drawn from the previous chapters and recommendations for future work on this topic.
CHAPTER 2
LITERATURE REVIEW
Web application and database vulnerability scanners look for vulnerabilities that are traditionally ignored by network- or host-level vulnerability scanners [14].
Even custom-developed web applications and database applications often use common middleware (e.g., a specific vendor's web server, such as Microsoft Internet Information Server [IIS] or Apache), back ends (e.g., Oracle or PostgreSQL), and technologies (e.g., JavaScript, SQL) that are known or considered likely to harbor certain types of vulnerabilities that cannot be identified by the signature-based methods used by network- and host-based vulnerability analysis tools. Instead, web application scanners and database scanners directly analyze the target web application or database and attempt common attacks against it, such as SQL injection, XSS and least-privilege violations [14].
2.1.3 Web Vulnerability Attack Threats
The Open Web Application Security Project (OWASP) security community periodically publishes a report capturing the top vulnerabilities and risks in web application development, where risk is treated as a combination of the probability of an event and its consequence [6]. The list below is the 2010 edition of the OWASP Top Ten (the 2017 edition, which merges some of these categories and adds others, was current at the time of writing):
a. Injection
b. Cross-Site Scripting (XSS)
c. Broken Authentication and Session Management
d. Insecure Direct Object References
e. Cross-Site Request Forgery (CSRF)
f. Security Misconfiguration
g. Insecure Cryptographic Storage
h. Failure to Restrict URL Access
i. Insufficient Transport Layer Protection
j. Unvalidated Redirects and Forwards
Each of the OWASP Top Ten vulnerabilities is described in the corresponding section below, which illustrates how the flaw is exploited.
a. Injection
Many types of vulnerabilities, including SQL injection (SQLi), belong to the general class of injection flaws. An injection attack is caused by introducing malicious data into a computer program [16]; the process of an SQL injection is shown in picture 2.1. Malicious data enters the program at specific places, typically an input that is concatenated into a query or command, and is later interpreted as part of that query or command rather than as data.
that can be executed on any web application based on almost any web technology, such as Java, ASP.NET and PHP, with any type of SQL database at the back end [20-22]. For example, in August 2011, the Anonymous group attacked the Bay Area Rapid Transit (BART) service by hacking into one of its websites and leaking the personal information of over 2,400 passengers [23].
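How the concatenation creates the flaw, and how a parameterized query removes it, as an added Python example that is not code from the thesis: the accounts and the two login functions are constructed for the example, and an in-memory SQLite database stands in for the site's database.

```python
"""
SQL injection: a query built by string concatenation versus a parameterized query.

Added example, not code from the thesis. Accounts and login logic are constructed;
an in-memory SQLite database stands in for a real back end.
"""
import hashlib
import sqlite3


def make_db():
    """In-memory SQLite database with a constructed users table (two sample accounts)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    for user, pw in (("alice", "correct horse"), ("bob", "battery staple")):
        # Plain SHA-256 keeps the example short; real password storage needs a
        # salted, slow hash (see the Insecure Cryptographic Storage section).
        con.execute("INSERT INTO users VALUES (?, ?)",
                    (user, hashlib.sha256(pw.encode()).hexdigest()))
    return con


def login_vulnerable(con, username, password):
    """Query built by string concatenation: the username text becomes SQL syntax."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND pw_hash = '" + pw_hash + "'")
    row = con.execute(query).fetchone()
    return row[0] if row else None


def login_safe(con, username, password):
    """Parameterized query: values travel separately from the SQL text, so the
    payload is compared as a literal username and matches nothing."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    row = con.execute(
        "SELECT username FROM users WHERE username = ? AND pw_hash = ?",
        (username, pw_hash)).fetchone()
    return row[0] if row else None


# Tautology payload: closes the quoted string, ORs in an always-true condition,
# and comments out the password check that follows (-- starts an SQL comment).
PAYLOAD = "' OR 1=1 --"

if __name__ == "__main__":
    con = make_db()
    print("vulnerable, payload as username:", login_vulnerable(con, PAYLOAD, "anything"))
    print("safe, same payload:", login_safe(con, PAYLOAD, "anything"))
    print("safe, real credentials:", login_safe(con, "alice", "correct horse"))
```

With the payload as the username, the concatenated query becomes `SELECT username FROM users WHERE username = '' OR 1=1 --' AND pw_hash = '...'`, which returns the first account without any password; the parameterized version returns nothing because the driver never lets the value alter the query's structure.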
b. Cross-Site Scripting (XSS)
A cross-site scripting (XSS) vulnerability exists when malicious code can be injected into a web application's output (the process is shown in picture 2.2). An XSS flaw is the result of input parameters that are not validated or sanitized before being placed in a page. There are three types of XSS: non-persistent, also called reflected XSS; persistent or stored XSS; and Document Object Model (DOM) based XSS [14].
Non-Persistent XSS Vulnerability
This vulnerability occurs when a web application accepts an attacker's malicious request and echoes it into the application's response in an unsafe way. As shown in figure 2.2, the attacker sends an email that contains a link. The user clicks the link and a request carrying a payload is sent to a page vulnerable to XSS. The page accepts the malicious data (a script), adds it to the response, and returns it to the user's browser. The browser interprets the page and the injected script executes in the context of the vulnerable site.
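To make the reflected case concrete, here is an added Python example that is not code from the thesis; the search page, its URL and the probe string are constructed for the example. It renders the same page two ways, once echoing the parameter unchanged and once HTML-escaped, and applies the check an active scanner such as ZAP performs: send a marker payload and test whether it comes back in the response unencoded.

```python
"""
Reflected XSS: unescaped echo of a query parameter versus HTML-escaped output,
plus the reflection check an active scanner performs.

Added example, not code from the thesis. The search page, URL and probe are
constructed for the example.
"""
import html
from urllib.parse import parse_qs, urlsplit

PAGE = "<html><body><h1>Results for: {q}</h1></body></html>"


def query_param(url, name):
    """Extract one query parameter from a URL (empty string if absent)."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_vulnerable(url):
    """Echoes the parameter into HTML unchanged: a script in q runs in the victim's browser."""
    return PAGE.format(q=query_param(url, "q"))


def render_safe(url):
    """Escapes <, >, &, and quotes so the parameter is displayed as text, not parsed as markup."""
    return PAGE.format(q=html.escape(query_param(url, "q"), quote=True))


# Marker payload; a scanner uses a unique string per request for the same purpose.
PROBE = "<script>alert(1)</script>"


def reflected_unescaped(render, base_url):
    """Scanner-style check: request the page with the probe and see whether the
    probe is reflected verbatim (True means the page is vulnerable)."""
    response = render(base_url + "?q=" + PROBE)
    return PROBE in response


if __name__ == "__main__":
    for name, fn in (("vulnerable", render_vulnerable), ("escaped", render_safe)):
        print(f"{name:<11} reflects probe unescaped: {reflected_unescaped(fn, 'https://shop.example/search')}")
```

Escaping is context-specific: `html.escape` is correct for text between tags and inside quoted attribute values, but a parameter placed inside a `<script>` block or a URL attribute needs JavaScript or URL encoding respectively, which is why scanners try several probe variants.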
encryption; hashing should be used for securing passwords. There are a number of techniques for cracking hashed data.
Finding a flaw in the encryption or hashing function itself is very difficult, so an attacker usually tries other ways to exploit an insecure cryptographic storage vulnerability. A password hash cannot be reversed directly, but the attacker does not need to reverse it: in a dictionary attack, candidate passwords are hashed one by one and compared with the stored value until a match is found. Another widely used approach is a precomputed table, including rainbow tables [34]: the attacker stores a table of candidate passwords and the hash value of each, and recovers a password by looking up its hash. Such tables only work when the same password always produces the same hash, which is why each stored password should be hashed with its own random salt and with a deliberately slow function.
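The attack and the defense described above, as an added Python example that is not code from the thesis (the wordlist, accounts and passwords are constructed): a lookup table built once over candidate passwords recovers any unsalted SHA-256 hash in the list, while a per-user random salt with PBKDF2 makes the table useless and also hides which users share a password. The iteration count is an assumption to be tuned on the real authentication server.

```python
"""
Insecure cryptographic storage: an unsalted fast hash falls to a precomputed
table; a per-user salt with a slow KDF does not.

Added example, not code from the thesis. Wordlist and passwords are constructed;
the PBKDF2 iteration count is an assumption to be tuned per server.
"""
import hashlib
import hmac
import os

WORDLIST = ["123456", "password", "qwerty", "letmein", "indonesia"]  # constructed, tiny
ITERATIONS = 100_000  # assumed work factor; tune so one hash costs ~100 ms on the auth server


def unsalted_sha256(password):
    """What an insecure store keeps: one fast, unsalted hash per password."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(words):
    """Attacker's precomputation: hash every candidate once, reuse against every user.
    A rainbow table trades some of this storage for recomputation; the idea is the same."""
    return {unsalted_sha256(w): w for w in words}


def crack_unsalted(stored_hash, table):
    """Recover the password by lookup, or None if it is not in the table."""
    return table.get(stored_hash)


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns a self-describing record
    'pbkdf2_sha256$iterations$salt_hex$hash_hex' so parameters can change later."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password, record):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash record")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def same_password_same_hash(password):
    """(unsalted hashes equal, salted records equal) for two users with one password:
    unsalted storage reveals shared passwords, salted storage does not."""
    return (unsalted_sha256(password) == unsalted_sha256(password),
            hash_password(password) == hash_password(password))


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted 'letmein' cracked as:", crack_unsalted(unsalted_sha256("letmein"), table))
    record = hash_password("letmein")
    print("salted record in table:", crack_unsalted(record, table))
    print("verify 'letmein':", verify_password("letmein", record))
```

The salt does not need to be secret; it only needs to be unique per password so the attacker must redo the slow computation for every account instead of once for the whole table.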
h. Failure to Restrict URL Access
Many web applications check URL access rights before rendering protected links and buttons. However, applications need to perform the same access control checks each time these pages are accessed, or attackers will be able to forge URLs to reach these hidden pages anyway [6].
A failure to restrict URL access usually occurs when unauthorized users are able to access the content of web pages that are only intended for users with special privileges, for example administrators. In 2007, the Macworld Conference & Expo website failed to restrict access to a special URL for a Steve Jobs keynote speech and let users obtain "Platinum" passes worth nearly $1,700 for free [35].
i. Insufficient Transport Layer Protection
Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications. When they do encrypt, they sometimes support weak algorithms, use expired or invalid certificates, or do not use them correctly [6].
j. Unvalidated Redirects and Forwards
Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages [6].
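A redirect parameter such as next= is the usual source of this flaw. The following Python function, added here as an example and not code from the thesis (the site URL and host allowlist are hypothetical), accepts a destination only if it resolves to an HTTPS URL on the site's own hosts, and falls back to a safe default for the variants attackers actually try: absolute URLs to other hosts, scheme-relative //host, backslash tricks, user@host confusion, http downgrades and non-HTTP schemes.

```python
"""
Unvalidated redirect: accept only destinations on our own site.

Added example, not code from the thesis. SITE and ALLOWED_HOSTS are hypothetical.
"""
from urllib.parse import urljoin, urlsplit

SITE = "https://shop.example"                         # hypothetical site
ALLOWED_HOSTS = {"shop.example", "www.shop.example"}  # hypothetical allowlist


def safe_redirect_target(next_param, fallback="/"):
    """Return the URL to redirect to: the requested destination if it stays on
    our own hosts over HTTPS, otherwise the fallback."""
    if not next_param:
        return fallback
    # Browsers treat "/\evil.example" like "//evil.example"; normalize before parsing.
    candidate = next_param.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme not in ("", "https"):
        return fallback                  # http:// downgrade, javascript:, data:, ...
    if parts.netloc:
        try:
            port = parts.port            # raises ValueError for a malformed port
        except ValueError:
            return fallback
        # .hostname strips userinfo, so "https://shop.example@evil.example" is caught.
        if parts.hostname not in ALLOWED_HOSTS or port not in (None, 443):
            return fallback
    elif not candidate.startswith("/"):
        return fallback                  # bare relative path: refuse rather than guess
    # Path-only input resolves against our site; allowed absolute URLs pass through.
    return urljoin(SITE + "/", candidate)


if __name__ == "__main__":
    for n in ["/account", "//evil.example/", "https://evil.example/", "/\\evil.example",
              "https://shop.example@evil.example/", "http://shop.example/orders",
              "javascript:alert(1)", "https://www.shop.example/orders", "orders"]:
        print(f"{n!r:45} -> {safe_redirect_target(n)}")
```

Checking the parsed hostname against an allowlist is the important part; string tests such as `startswith("https://shop.example")` are bypassed by `https://shop.example.evil.example`, and tests for a leading `/` alone are bypassed by `//evil.example`.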
The final step in their approach was to analyze the responses using a set of well-defined rules that identify vulnerabilities and exclude potential false positives. Their results showed a detection coverage rate of 81% in the scenario where the number of vulnerabilities was known, and a false-positive rate of 18% under their optimistic interpretation. These results are better than those of the commercial tools the authors analyzed, and suggest that it is possible to improve the effectiveness of vulnerability scanners [36].
a. Free/Open-Source Web Application Scanners
Many open-source and free web application scanners are available for black-box testing and analysis. Some provide extensive functionality and can be customized and extended to meet users' needs. Others offer little usability and limited functionality, and can therefore only test for a few web application vulnerabilities. Four of the more thorough and robust free/open-source scanners are reviewed here: Grendel-Scan [42], Wapiti [43], W3AF [44] and OWASP ZAP.
Grendel-Scan [42] is an open-source web application security testing tool with an automated testing module for detecting common web application vulnerabilities. It can find simple web application vulnerabilities, but its designers state that no automated tool can identify complicated vulnerabilities such as logic and design flaws. Grendel-Scan tests for SQL injection, XSS and session management vulnerabilities, among others.
Wapiti [43] is a free web application vulnerability scanner and security auditor. It performs black-box analysis by crawling the pages of a web application in search of scripts and forms where data can be injected. Once the list of scripts and forms is gathered, Wapiti injects payloads to test whether they are vulnerable. Wapiti scans for remote file inclusion, SQL and database injection, XSS and other vulnerabilities.
W3AF [44] is exactly what its name stands for, a Web Application Attack and Audit Framework. The goal of the project is to create a framework that can find and exploit web application vulnerabilities easily. The project's long-term objectives are to become the best open-source web application scanner and the best open-source web application exploitation framework. The designers also want the project to build the biggest community of web application hackers, to combine static code analysis and black-box testing in one framework, and to become the NMAP [45] of the web. W3AF incorporates a great many plug-ins and can test for SQL injection, XSS, buffer overflows, malicious file execution and session management vulnerabilities.
OWASP ZAP (Zed Attack Proxy) is an OWASP flagship project. It is explained in detail in the next chapter.
b. Commercial Web Application Scanners
Commercial web application scanners are generally licensed to companies or organizations that wish to test their web applications for vulnerabilities so they can fix security holes before they are maliciously exploited. Since a data breach can result in the loss of the personal information of thousands of customers and of millions of dollars, companies are willing to pay large sums for these tools. These commercial products compete for market share and therefore do not disclose their scanners' limitations or restrictions. However, an approach to analyzing these limitations and restrictions is proposed in this thesis. Some features of popular commercial web application scanners are discussed below, as reported in [41]; several of the vendors named have since been acquired or renamed, so the product names and trial offers reflect that survey rather than the current market.
Cenzic [46] sells a web application scanner called Hailstorm, which uses stateful testing. Stateful testing tools are designed to behave like human testers by taking what seem to be an application's insignificant or disparate weaknesses and combining them into serious exploits. The key benefits Hailstorm claims are the ability to identify major security flaws in target applications, to help with internal compliance policies, to avoid vulnerabilities that lead to downtime, and to assess applications for commonly known vulnerabilities. Cenzic provides a 7-day free trial of Hailstorm Core, which can detect vulnerabilities including SQL injection, XSS and session management flaws.
application intruder, session key analyzer, and data comparer. The professional version includes Burp Scanner, which can operate in either passive or active mode, and in either manual or live scan mode. The vulnerabilities it searches for include SQL injection, XSS and session management vulnerabilities.
Rational AppScan [50] is licensed by IBM for advanced web application security scanning. The AppScan tool automates vulnerability assessments and tests for SQL injection, XSS, buffer overflows and other common web application vulnerabilities. AppScan provides advanced remediation guidance to ease vulnerability remediation, simplifies results with the Results Expert wizard, and tests emerging web technologies. Rational AppScan provides an unlimited evaluation period for its standard edition; however, with the evaluation license the software can only test a demonstration website provided by AppScan.
BuyServers Ltd. [51] sells a web vulnerability scanner called Falcove, a 2-in-1 scanning and penetration tool: it not only tries to detect vulnerabilities but is capable of exploiting them as well. Falcove uses a crawler that checks for web vulnerabilities, audits dynamic content (password fields, shopping carts), and generates penetration reports that explain the security level of the tested website. However, BuyServers Ltd. no longer supports the trial version of the product, which detects SQL injection, XSS and file execution attacks.
HP's WebInspect [52] provides web application security testing and assessment for complex web applications. WebInspect claims fast scanning, broad security assessment coverage and accurate web application security scanning results. HP also states that WebInspect identifies security vulnerabilities undetectable by traditional scanners through assessment technologies such as simultaneous crawl and audit and scanning of the current application state. HP WebInspect scans for data detection and manipulation attacks, session and authentication vulnerabilities, and server and general HTTP vulnerabilities, but did not at the time provide a working evaluation version of the product.
customer orders. To access the locker, the customer is given a special code. The homepage of Mataharimall can be seen in picture 2.5.
of buying and selling sites where people can directly sell and buy. Visitors cannot sell on Blibli.com without a specific cooperation agreement.
Currently Blibli.com works with trusted banking partners, and all transactions are protected by VeriSign certification, Verified by VISA, MasterCard SecureCode and a credit card fraud detection system. The homepage of Blibli can be seen in picture 2.6.
d. Zalora.co.id
ZALORA Indonesia is a shopping website for fashion clothing, carrying products from various local and international brands. Zalora Indonesia, established in 2012 by Catherine Sutjahyo [65], is part of the Zalora Group in Asia, which consists of Zalora Singapore, Zalora Malaysia, Zalora Vietnam, Zalora Taiwan, Zalora Thailand and Zalora Philippines [66].
Zalora is a subsidiary of the online shopping site Zalando, which is a project of Rocket Internet [67]. In Indonesia, Zalora is operated and managed by PT Fashion Eservices Indonesia [68]. The site in each country ensures that fashion products are tailored to that country's taste and adapted to its preferences. With a choice of more than 500 local and international brands, Zalora brings fashion into a dimension better than before, offering women's clothing, men's clothing, shoes, accessories, sports equipment, Muslim fashion and more. This is what makes Zalora the main fashion destination in Indonesia. In just a few years, the website has changed the fashion scene in Asia, from shopping habits to how customers shape their personal style, with more than 30,000 products online and hundreds of new products every week. Zalora combines fashion with the latest technology to give the customer an unparalleled online shopping experience.
ZALORA is part of the Global Fashion Group, the world's leading fashion group, established in 2011 and dedicated to building online fashion companies in developing countries. The Global Fashion Group now operates in 27 countries, including India, the Middle East, South America and Russia. Through ZALORA, the Global Fashion Group is able to access markets in Southeast Asia, where ZALORA seeks to become the leading fashion destination.
This online shopping site is one of the branches of the largest online store in Europe, Zalando. In Asia it operates under the name Zalora, with sister companies in eight countries: Indonesia, Malaysia, Singapore, Vietnam, Taiwan, Hong Kong, Thailand and the Philippines. Zalora is confident that e-commerce businesses in the country will succeed: because access to small areas is still lacking, Zalora gives everyone access. Its development is supported by the Zalora team's marketing of the web store, starting with online promotion through Google, Facebook, Twitter and other channels. The homepage of Zalora can be seen in picture 2.7.
Alibaba's biggest rival and the Chinese market leader [70]. In Indonesia, JD.ID works with Provident Capital [71].
JD.com (also known as Jingdong Mall), the parent company of JD.ID, was founded by Liu Qiangdong (known as Richard Liu) in July 1998 as a physical store selling magneto-optical products in Beijing, China, under the name Jingdong Century Trading Co., Ltd. The company's online B2C site went online in January 2004 under the domain name jdlaser.com, then 360buy.com in 2007; the domain name was finally changed to JD.com in March 2013 [72]. The homepage of JD.ID can be seen in picture 2.8.
such as Apple's iPad Pro and the A2010 from Lenovo, which was launched at the end of 2015. Since then they have expanded their product offerings to include categories such as shoes and apparel as well as beauty and health products.
The JD.ID website address uses the Indonesian country-code top-level domain (.id), chosen to symbolize their commitment to providing faster and safer services [75]. According to reports, the domain name cost about Rp 500,000,000 (~US$38,000) to obtain [76].
f. Tokopedia.com
Tokopedia is an Indonesian technology company, sometimes referred to as a
unicorn. It was founded in 2009 by William Tanuwijaya. As of November 2018, the
e-commerce operator is valued at about $7 billion. Tokopedia describes its mission as
democratizing commerce through technology [77-80].
PT Tokopedia was founded by William Tanuwijaya and Leontinus Alpha
Edison on February 6, 2009. The company manages Tokopedia.com, which was
publicly launched on August 17. Since its official launch, Tokopedia has become
one of Indonesia's fastest-growing internet companies.
PT Tokopedia received initial seed funding of IDR 2.5 billion from PT Indonusa
Dwitama in 2009. In the following years, Tokopedia attracted capital injections from
global venture capital firms including East Ventures (2010), CyberAgent Ventures
(2011), NetPrice (2012), and SoftBank Ventures Korea (2013). In October 2014,
Tokopedia made history as the first technology company in Southeast Asia to
receive a US$100 million investment (around IDR 1.2 trillion) from Sequoia Capital
and SoftBank Internet and Media Inc (SIMI). In April 2016, Tokopedia raised another
$147 million [81]. In 2017, Tokopedia received a $1.1 billion investment from the
Chinese e-commerce giant Alibaba [6]. Again in 2018, the company secured a $1.1
billion funding round led by Chinese e-commerce giant Alibaba Group Holding and
Japan's SoftBank Group [82], putting its valuation at about $7B [83].
As a technology company, Tokopedia presents four main businesses to its
users. Tokopedia's first and best-known product is the marketplace. Tokopedia
provides a free C2C business platform for merchants and buyers, a trading tool that
empowers merchants to offer more. There are also Official Stores for several leading
brands. Through its marketplace products, Tokopedia offers millions of products that
are divided into 25 big categories.
In the marketplace, Tokopedia also provides digital products such as credit,
BPJS payments, electricity and water bills, telephone bills, credit cards, and so on.
There are also flight tickets, event tickets, game vouchers, and other digital products.
In 2016 Tokopedia spread its wings by introducing financial technology
(fintech) products. Tokopedia's fintech products consist of digital wallets, affordable
investments, business capital loans, virtual credit cards, protection products,
data-based credit scoring for loans, and other financial services.
In 2018 Tokopedia launched the Mitra Tokopedia application. This application
is intended to enable everyone, especially small business owners, to sell Tokopedia
digital products such as data packages, electricity tokens, BPJS, game vouchers, and
so on.
On December 12, 2018, Fortune reported that PT Tokopedia had raised another
$1.1 billion [84]. As of April 2015, Tokopedia.com claimed to have more than 4.9
million active product listings, facilitating sales of more than 5 million products every
month [85]. Today, Tokopedia has over 80 million monthly active users and over 4
million merchants on the platform; 70% of the merchants are first-time entrepreneurs.
For its role in developing online business in Indonesia, Tokopedia won the 2014
Marketeers of the Year award for the e-Commerce sector at the 2015 Markplus
Conference held by Markplus Inc. on December 11, 2014. On May 12, 2016,
Tokopedia was selected as the Best Company in the Consumer Industry at the
Indonesia Digital Economy Award 2016. In 2018, Tokopedia won several awards.
Last May the Tokopedia app topped the Apple Store, beating Facebook, WhatsApp,
and Instagram, while on Android it reached #3 on the Google Play Top Chart, beating
Facebook and Instagram. In December 2018 Tokopedia was chosen as the
community's best choice on Google Play. The homepage of Tokopedia can be seen in
picture 2.9.
also reported a gross merchandise value (GMV) of US$1.6 billion, up 206 per cent
from a year earlier. However, losses in the parent group, Sea, are also widening. The
group recorded an adjusted net loss of US$252 million in Q4 2017, up 306 percent
from Q4 2016's US$62 million net loss [111].
These GMV claims have also led to a backlash from the Alibaba-backed
competitor Lazada. Its former CEO, Max Bittner, asserted that GMV numbers can be
easily inflated "by subsidy schemes and history shows that GMV falls away as
unhealthy subsidies are removed" [106]. Nonetheless, in Malaysia, Shopee became the
3rd most visited e-commerce portal in Q4 2017, replacing Lelong, and "overtook
Lazada to rank as the best app on both Google Play and iOS App stores" [112].
Similarly, among consumers in Indonesia, a survey conducted in December 2017 by
TheAsianParent revealed that "for Indonesian mothers, Shopee is a first choice
shopping platform (73%), followed by Tokopedia (54%), Lazada (51%) and
Instagram (50%)" [113].
In 2016, Shopee launched an initiative called ‘Shopee University’, a series of
workshops and tutorials to aid local entrepreneurs and businesses in setting up their
online businesses in the Philippines.[114] In 2017, Shopee launched Shopee Mall
with 200 brands in Singapore. The dedicated portal features thousands of products
sold by leading brands and retailers in the region. Shopee Mall was created to offer a
more diverse online shopping experience, and to better cater to larger brands looking
to pursue an omni-channel approach [115]. In 2018, Shopee launched the China
Marketplace portal that offers shoppers easy access to products from Chinese
merchants, without any shipping and agent fees in Singapore. This portal directly
competes with Lazada's Taobao Collection option [116].
Shopee's parent company, Sea Group, filed for an Initial Public Offering on
the New York Stock Exchange (NYSE) in October 2017 for US$1 billion [117].
Tencent is the main beneficiary of the Sea listing with a 39.7% share while Blue
Dolphins Venture — an organization set up by founder Forrest Li — holds 15%. Li
himself has 20%, and Chief Technology Officer, Gang Ye holds 10%.[118] In 2015,
Shopee was awarded the Singapore Startup Of The Year in the second edition of
Vulcan Awards, presented by Singaporean digital publisher, Vulcan Post [119].
i. Bukalapak.com
Bukalapak is one of the leading online marketplaces in Indonesia and a unicorn
company, owned and run by PT Bukalapak.com [120]. Bukalapak literally means
"open a stall" in Indonesian. Anyone can open an online store and serve prospective
buyers from all over Indonesia, either per unit or in large quantities. Individual or
corporate users can buy and sell all types of products, both new and used. Bukalapak
was founded by Achmad Zaky and Nugroho Herucahyono in early 2010 as a division
of a digital agency named Suitmedia, based in Jakarta [121-123].
Only later did Bukalapak become a limited liability company. In September 2011,
after standing for more or less a year, Bukalapak received additional capital from
Batavia Incubator (a joint venture of Rebright Partners, a Japanese incubator led by
Takeshi Ebihara, and Corfina Group). In 2012, Bukalapak received additional
investment from GREE Ventures, led by Kuan Hsu [124-126].
In March 2014, Bukalapak announced an investment by Aucfan, IREP, 500
Startups, and GREE Ventures [127]. Shortly after that news, on March 18, 2014,
Bukalapak also launched a mobile app for Android. The application, known as mobile
Bukalapak, was created specifically for sellers, to make it easier for them to access
their wares and transact via smartphone. From its launch until July 3, 2014, the
application was downloaded by more than 87 thousand Bukalapak users.
Although it had been established for only 3 years, Bukalapak had a good
reputation in terms of customer service and its easy-to-access website. Over time,
Bukalapak has also kept growing, with new innovations that make transactions
easier for its users.
On June 25, 2014, Bukalapak added the Quick Buy feature, which allows a
buyer to buy goods without having to register a new account. When the page pops up,
the buyer fills in the purchase data and selects the Buy Without Account tab. At this
stage, the buyer simply enters his/her active e-mail address and shipping address
details. The active e-mail will be used to send the payment bill and to contact the
buyer in case the
certain time limit, the buyer's funds will be refunded 100%. The homepage of
Bukalapak can be seen in picture 2.12.
September, Gmarket launched its global marketplace. Next, in May 2012, Gmarket
was rebranded as Qoo10 [140]. In January 2013, Qoo10 was established in China.
Three years later, in January 2015, Qoo10 was established in Hong Kong. In July,
Giosis raised US$82.1 million in Series A funding from Singapore Press Holdings,
eBay, Oak Investment Partners, Saban Capital Group, Brookside Capital, and UVM 2
Venture Investments [101-103]. The company stated its intention to use the funds to
accelerate Qoo10's technology growth and service development, while investing in
additional infrastructure and talent acquisition [141-143]. Finally, in April 2018, eBay
completed the acquisition of Giosis Private Limited and its Japan properties,
including Qoo10.jp, which will operate independently from other Qoo10 sites
[144-146]. eBay relinquished its stakes in Giosis' non-Japanese businesses, which
were moved under the newly established parent company, Qoo10 Pvt. Ltd.
attack attempts would stay as attempts. It is researched which open source security
scanner would be wise to implement, considering there is already an existing test
automation framework in place with which the security scanner should be integrated.
He used a comparative analysis of suitable security testing scanners [149].
Fangqi Sun presents novel, practical program analyses to detect web
application vulnerabilities, especially application-specific ones. The work begins by
providing the first pure client-side solution to detect XSS worms which exploit XSS
vulnerabilities. The dissertation formulates their respective core characteristics and
introduces corresponding server-side techniques to detect them. Specifically, for
access control vulnerabilities, it describes the first static analysis that infers and
enforces implicit access control assumptions, and for logic vulnerabilities in
ecommerce applications, it presents the first static detection of logic attacks that cause
incorrect payment status [150].
Yuliana Martirosy describes a web application that is intended to be used to
evaluate the efficiency of QualysGuard WAS and Acunetix WVS WAVS. The
application implements real-life scenarios that imitate the Open Web Application
Security Project (OWASP) Top Ten Security Risks that are presented in the wild
[151].
Ismaila Idris, Mohammad Umar Majigi, Shafii Abdulhamid, Morufu Olalere and
Saidu Isah Rambo analyzed the security of the websites of 10 Ministries, Departments
and Agencies (MDAs). They found vulnerabilities in all websites with different
degrees of security risk. To achieve the results they cross-tabulated the vulnerabilities
found in these websites with their security risk level. As a result the research found
that vulnerability A4 Insecure Direct Object Reference, with 49%, is the main
contributor to web security risk in MDA websites. Apart from this it is clearly evident
that the majority of the vulnerabilities found in MDA websites belong to the
informational risk group, with a percentage of 45.82%, but still a few high-impact
vulnerabilities exist and need to be handled without delay [152].
From the description above, it can be seen that the previous research focused
on the implementation and methods for finding security holes on a website. It is still
CHAPTER 3
PENETRATION TESTING
[Figure: penetration testing workflow: collect information, start exploitation of
vulnerabilities, evidence collecting, reporting, suggesting remedies for the
vulnerabilities]
It supports many languages. Involvement is actively encouraged. It can reuse well
regarded components [159]. The OWASP ZAP layout can be seen in figure 3.2.
The Spider is used to search for new pages (URLs) on a particular website, and
for links to other websites. First, when the application is browsed manually, ZAP
lists the URLs found on the manually visited pages. When the Spider starts, it first
looks at those listed URLs to find new links or URLs. If any are found, it adds them to
the list and visits the newly found URLs in turn. This process continues until no new
URLs or links are found. Both the Traditional and the Ajax Spider serve the same
purpose: the first is used for finding resources other than Ajax-rich ones, while the
second is used to find Ajax-rich web pages, for which it is more effective than the
Traditional Spider.
c. WebSockets Support
WebSocket is a protocol that provides a two-way (full duplex) communication
channel through a single TCP socket over the web [160]. ZAP provides WebSocket
support: ZAP can see, intercept, change, and even fuzz all WebSocket
communications, or it can send new WebSocket messages. Detailed information can
be found in the zaproxy article on GitHub [161].
d. Forced Browsing (using OWASP DirBuster code)
Forced Browsing is a kind of attack where the attacker tries to enumerate or
access restricted resources which have no reference or link in the application but
exist and are accessible [162]. Brute force techniques are used for a Forced Browsing
attack, in which the attackers either guess or use automated tools to find unlinked
URLs within the application [163]. The OWASP Forced Browsing attack is based on
their DirBuster project [164]. It is a multi-threaded Java application which is designed
to brute force the unlinked directories in the application. For further reading, please
refer to OWASP [165].
e. Fuzzing (using fuzzdb and OWASP JBroFuzz)
Fuzzing or Fuzz Testing is a software testing technique to find implementation
bugs and coding errors. In Fuzz Testing, an attempt is made to make the application
(software) crash by delivering random, invalid or unexpected input values to the
application and then monitoring to see if it crashes. If the application crashes or fails
with the random input value, then there may be a security issue. ZAP performs
Fuzzing through the JBroFuzz project code, which includes files from the fuzzdb
project [166].
f. Online Add-ons Marketplace (Extensibility)
ZAP is an open source project of OWASP. One of the ZAP principles is to
involve people as much as possible. This helps ZAP grow in terms of its usage and
also extend the services it provides. To make active participation and contribution to
further development easier, there is an online marketplace for add-ons in ZAP, where
one can write and upload (through a Google Code project), download, and install
add-ons dynamically. Add-ons extend ZAP's functionality.
g. Developer Features
As OWASP mentions [167], there are many developer features in ZAP. It has
an easy-to-use quick start tab: one just needs to enter the URL and click the attack
button to attack the application. There is a REST API which allows one to interact
with ZAP programmatically; it is useful for security regression tests [168]. It can be
accessed directly or via one of the client implementations, and Java and Python API
clients are supported. When using the ZAP UI, if one wants to use the API, it should
be enabled in the API screen of the options in the UI. ZAP can also be run in
Headless Mode, in which case the API is automatically enabled.
ZAP has an Anti CSRF Token Handling mechanism. "Anti CSRF tokens are
(pseudo) random parameters used to protect against Cross Site Request Forgery
(CSRF) attacks" [169]. ZAP has provision for the different kinds of authentication
used in the web application: authentication methods are defined in the context
according to which authentication is handled. It has an Auto Updating feature for its
add-ons. Add-ons can be updated even while ZAP is running; one does not even need
to restart ZAP. It is always a good idea to check for updates to the different add-ons
before testing the application.
The latest version of ZAP (ZAP 2.4.3) has 4 different modes of operation,
namely safe mode, protected mode, standard mode and attack mode. Safe mode can
be used with any web application, as no harmful actions are allowed in safe mode;
but it is not useful for security testers, only for passive scanning. In protected mode,
only the URLs in scope can be attacked, so it is safe to use with URLs outside of
scope. Anything can be done in standard mode, so one should be careful while using
ZAP in standard mode. In attack mode, if new nodes are found in scope, ZAP starts
active scanning of the nodes immediately.
3.2.3 Finding Issues Of The Website
ZAP creates a proxy server and makes your website traffic pass through that
server (see figure 3.3). It comprises automatic scanners that help you find the
vulnerabilities in your website.
https://www.blibli.com
https://www.zalora.co.id
https://www.jd.co.id
https://www.tokopedia.com
https://www.elevenia.com
https://www.shopee.com
https://www.bukalapak.com
https://www.qoo10.com
c. Starting OWASP ZAP
After installing the application in the default directory, you can start it by
clicking the OWASP ZAP icon on your Windows desktop. The default install
location is:
C:\Program Files\OWASP\Zed Attack Proxy\ZAP.exe
As it is a Java application, you can alternatively run the following command to
start it. This gives you extra configuration options, like scheduling your penetration
test or starting with a particular URL. This is how we do it:
java -Xmx512m -jar zap-2.7.0.jar
prevent this from happening, ZAP generates an SSL certificate for each host, signed
by its own Certificate Authority (CA) certificate. This CA certificate (see figure 3.5)
is generated the first time ZAP is run, and is stored locally. To use the ZAP Proxy
with these websites, you will need to install ZAP's CA certificate as a trusted root in
your browser. Go to Tools > Options > Dynamic SSL Certificate. Click Generate and
then click Save. Save the certificate in the desired location. Open your browser and
install the certificate in your browser (Firefox, Chrome, IE) accordingly.
Medium – to be up to 12 requests
High – to be up to 24 requests
Insane – to be over 24 requests, potentially hundreds
The default is Medium – you should not go higher than this if you are having
performance problems. In a future release we are planning on allowing the Attack
Strength to be configured on a per rule basis.
Also be aware that while the "Handle anti CSRF tokens" option is very
useful if your application uses anti CSRF tokens, it can significantly impact
performance as it forces the scanner to run single threaded.
During our penetration tests, we use the regular spidering tool first to identify
the URLs of the application being tested. Running the AJAX spider after the regular
spidering has helped us get a better map of all application resources in scope. ZAP
gives the option to automatically open the application in a browser using Selenium
and explore the application through an event-driven dynamic crawling engine. This
eliminates the need for a manual walkthrough of the application to capture AJAX
requests. The spider parameters that can be set in ZAP can be seen in picture 3.6.
>AJAX Spider (on ZAP's menu bar). The tool has configuration parameters such as
maximum depth to crawl, maximum crawl states, maximum duration and other
options to prevent the possibility of infinite crawling. The AJAX spider parameters
that can be set in ZAP can be seen in picture 3.7.
the responses in any way and is therefore safe to use. Scanning is performed in a
background thread to ensure that it does not slow down the exploration of an
application. The (main) behaviour of the passive scanner can be configured using the
Options Passive Scanner Screen (see figure 3.9).
h. Fuzzer
Fuzzing is sending unexpected or random data to the inputs of a website.
Normally we validate inputs on the client side, which is why some problems in the
back-end get overlooked. When we fuzz key inputs (like the main search input of the
website or the login page inputs) we can see coding errors and security loopholes.
This is an optional security step.
To run the Fuzzer, locate the request you want to fuzz in the left pane (see
figure 3.12). Right click and choose Attack, then click Fuzz. In the Fuzzer window,
we'll see the request post data. Click on the post data and highlight the text you want
to attack. On the right pane, click the Add button. We'll see the Payloads window.
Click the Add button again. In the Add Payload window, choose File Fuzzers from
the type combo box. Select the file you want to use. This file is a database that will be
used to brute force the input. When it finishes, the results will be listed in the bottom
tab called Fuzzer. The ones tagged with Fuzzed are suspicious and need to be taken
care
been categorized as high priority, medium priority, low priority, and informational
priority, which indicates the degree of associated risk. A high priority alert means
that an issue in this category is more serious than alerts of the other priorities.
Likewise, medium priority, low priority, and informational priority alerts are
successively less serious. Alert categories are indicated by different coloured flags.
The complete result of this test will be described in the next chapter.
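As an added example (not code from the thesis), the procedure above driven through ZAP's REST API from Python with only the standard library: run the traditional spider, wait for the passive scanner to process every response, pull the alerts and tally them per risk level and per alert type as in the tables of Chapter 4. The local ZAP address, the API key placeholder and the constructed sample alerts are assumptions.

```python
import json
import sys
import time
from urllib.parse import urlencode
from urllib.request import urlopen

# Assumptions (not from the thesis): ZAP is running locally with its API
# enabled, e.g.  java -Xmx512m -jar zap-2.7.0.jar -daemon -port 8080
# The API key below is a placeholder; the real one is shown in ZAP's options.
ZAP_BASE = "http://127.0.0.1:8080"
API_KEY = "REPLACE-WITH-YOUR-ZAP-API-KEY"
RISK_LEVELS = ("High", "Medium", "Low", "Informational")


def api_url(component, kind, name, **params):
    """Build a ZAP REST URL of the form /JSON/<component>/<view|action>/<name>/?..."""
    params["apikey"] = API_KEY
    return f"{ZAP_BASE}/JSON/{component}/{kind}/{name}/?{urlencode(params)}"


def api_call(component, kind, name, **params):
    """Issue one API request and decode the JSON reply (needs a live ZAP)."""
    with urlopen(api_url(component, kind, name, **params), timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def spider_and_fetch_alerts(target):
    """Traditional spider -> wait until the passive scanner has processed every
    response -> fetch all alerts raised for the target site."""
    scan_id = api_call("spider", "action", "scan", url=target)["scan"]
    while int(api_call("spider", "view", "status", scanId=scan_id)["status"]) < 100:
        time.sleep(2)
    # Passive scanning runs in a background thread on every spidered response.
    while int(api_call("pscan", "view", "recordsToScan")["recordsToScan"]) > 0:
        time.sleep(2)
    return api_call("core", "view", "alerts", baseurl=target)["alerts"]


def summarize_alerts(alerts):
    """Reduce ZAP's alert list to the two per-site tables used in Chapter 4:
    number of alerts per risk level, and each alert type with its count,
    ordered from High to Informational and then by frequency."""
    by_risk = {level: 0 for level in RISK_LEVELS}
    by_type = {}
    for alert in alerts:
        risk = alert["risk"]
        by_risk[risk] = by_risk.get(risk, 0) + 1
        key = (alert["alert"], risk)
        by_type[key] = by_type.get(key, 0) + 1
    ranked = sorted(by_type.items(),
                    key=lambda kv: (RISK_LEVELS.index(kv[0][1]), -kv[1]))
    return by_risk, [(name, risk, n) for (name, risk), n in ranked]


# Constructed sample in the shape ZAP's core/view/alerts returns (not a real scan).
SAMPLE_ALERTS = [
    {"alert": "X-Frame-Options Header Not Set", "risk": "Medium", "url": "https://shop.example/"},
    {"alert": "Cookie Without Secure Flag", "risk": "Low", "url": "https://shop.example/"},
    {"alert": "Cookie Without Secure Flag", "risk": "Low", "url": "https://shop.example/cart"},
    {"alert": "Cookie No HttpOnly Flag", "risk": "Low", "url": "https://shop.example/"},
]

if __name__ == "__main__":
    # With a target URL on the command line, drive a live ZAP; otherwise use the sample.
    alerts = spider_and_fetch_alerts(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_ALERTS
    by_risk, by_type = summarize_alerts(alerts)
    for level in RISK_LEVELS:
        print(f"{level:<14}{by_risk[level]}")
    for i, (name, risk, n) in enumerate(by_type, 1):
        print(f"{i}. {name} ({risk}): {n}")
```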
CHAPTER 4
RESULT
4.1 Testing Result
Based on the results of the tests conducted, potential vulnerabilities were found
on all ten ecommerce websites in Indonesia. The full description is given in the
following discussion.
1. Lazada.co.id
On lazada.com there are eight types of potential vulnerability. Table 4.1
shows the result of the test. One of them is in the medium risk category, while seven
others are in the low risk category.
Table 4.1 Number of vulnerability alert and risk level found in Lazada.co.id
Risk Level Number Of Alert
High 0
Medium 1
Low 7
No. Alert Risk Level Potential Vulnerability Found
4 Web Browser XSS Protection Not Enabled Low 4309
5 X-Content-Type-Options Header Missing Low 4221
6 Cookie Without Secure Flag Low 709
7 Content-Type Header Missing Low 2
8 Cookie No HttpOnly Flag Low 3
2. Mataharimall.com
On mataharimall.com there are seven types of potential vulnerability. Table
4.3 shows the result of the test. One of them is in the medium risk category, while six
others are in the low risk category.
Table 4.3 Number of vulnerability alert and risk level found in mataharimall.com
Risk Level Number Of Alert
High 0
Medium 1
Low 6
No. Alert Risk Level Potential Vulnerability Found
3 Cross-Domain JavaScript Source File Inclusion Low 108
4 Web Browser XSS Protection Not Enabled Low 69
5 X-Content-Type-Options Header Missing Low 218
6 Cookie Without Secure Flag Low 116
7 Cookie No HttpOnly Flag Low 68
3. Blibli.com
On blibli.com there are nine types of potential vulnerability. Table 4.5 shows
the result of the test. Two of them are in the medium risk category, while seven others
are in the low risk category.
Table 4.5 Number of vulnerability alert and risk level found in blibli.com
Risk Level Number Of Alert
High 0
Medium 2
Low 7
No. Alert Risk Level Potential Vulnerability Found
2 X-Frame-Options Header Not Set Medium 1378
3 Incomplete or No Cache-control and Pragma HTTP Header Set Low 1720
4 Cross-Domain JavaScript Source File Inclusion Low 1027
5 Web Browser XSS Protection Not Enabled Low 1377
6 X-Content-Type-Options Header Missing Low 2423
7 Cookie Without Secure Flag Low 1490
8 Content-Type Header Missing Low 1
9 Cookie No HttpOnly Flag Low 1465
4. Zalora.co.id
On zalora.co.id there are ten types of potential vulnerability. Table 4.7 shows
the result of the test. Two of them are in the medium risk category, while eight others
are in the low risk category.
Table 4.7 Number of vulnerability alert and risk level found in zalora.com
Risk Level Number Of Alert
High 0
Medium 2
Low 8
5. Jd.id
On jd.id there are eight types of potential vulnerability. Table 4.9 shows the
result of the test. One of them is in the medium risk category, while seven others are
in the low risk category.
Table 4.9 Number of vulnerability alert and risk level found in jd.id
Risk Level Number Of Alert
High 0
Medium 1
Low 7
Flag is the least found vulnerability. Details of eight potential vulnerabilities found
can be seen in the table 4.10.
Table 4.10 Number of each vulnerability types of jd.id
No. Alert Risk Level Potential Vulnerability Found
1 X-Frame-Options Header Not Set Medium 1444
2 Incomplete or No Cache-control and Pragma HTTP Header Set Low 1445
3 Cross-Domain JavaScript Source File Inclusion Low 12925
4 Web Browser XSS Protection Not Enabled Low 1454
5 X-Content-Type-Options Header Missing Low 1446
6 Cookie Without Secure Flag Low 44
7 Content-Type Header Missing Low 1446
8 Cookie No HttpOnly Flag Low 44
6. Tokopedia.com
On tokopedia.com there are eight types of potential vulnerability. Table 4.11
shows the result of the test. Two of them are in the medium risk category, while six
others are in the low risk category.
Table 4.11 Number of vulnerability alert and risk level found in tokopedia.com
Risk Level Number Of Alert
High 0
Medium 2
Low 6
Flag is the least found vulnerability. Details of eight potential vulnerabilities found
can be seen in table 4.12.
Table 4.12 Number of each vulnerability types of tokopedia.com
No. Alert Risk Level Potential Vulnerability Found
7. Elevenia.com
On elevenia.com there are eight types of potential vulnerability. Table 4.13
shows the result of the test. Two of them are in the medium risk category, while six
others are in the low risk category.
Table 4.13 Number of vulnerability alert and risk level found in elevenia.com
Risk Level Number Of Alert
High 0
Medium 2
Low 6
No. Alert Risk Level Potential Vulnerability Found
8. Shopee.com
On shopee.com there are ten types of potential vulnerability. Table 4.15 shows
the result of the test. Three of them are in the medium risk category, while seven
others are in the low risk category.
Table 4.15 Number of vulnerability alert and risk level found in shopee.com
Risk Level Number Of Alert
High 0
Medium 3
Low 7
Malform is the least found vulnerability. Details of ten potential vulnerabilities found
can be seen in the table 4.16.
Table 4.16 Number of each vulnerability types of shopee.com
No. Alert Risk Level Potential Vulnerability Found
1 Application Error Disclosure Medium 2
2 X-Frame-Options Setting Malform Medium 1
3 X-Frame-Options Header Not Set Medium 248
4 Incomplete or No Cache-control and Pragma HTTP Header Set Low 1340
5 Cross-Domain JavaScript Source File Inclusion Low 512
6 Web Browser XSS Protection Not Enabled Low 240
7 X-Content-Type-Options Header Missing Low 1402
8 Cookie Without Secure Flag Low 68
9 Content-Type Header Missing Low 2
10 Cookie No HttpOnly Flag Low 61
9. Bukalapak.com
On bukalapak.com there are eight types of potential vulnerability. Table 4.17
shows the result of the test. Two of them are in the medium risk category, while six
others are in the low risk category.
Table 4.17 Number of vulnerability alert and risk level found in bukalapak.com
Risk Level Number Of Alert
High 0
Medium 2
Low 6
On this website Cross-Domain JavaScript Source File Inclusion is the most
common vulnerability found, while X-Frame-Options Header Not Set is the least
found vulnerability. Details of ten potential vulnerabilities found can be seen in
table 4.18.
Table 4.18 Number of each vulnerability types of bukalapak.com
No. Alert Risk Level Potential Vulnerability Found
1 Application Error Disclosure Medium 6
2 X-Frame-Options Header Not Set Medium 5
3 Incomplete or No Cache-control and Pragma HTTP Header Set Low 2182
4 Cross-Domain JavaScript Source File Inclusion Low 19017
5 Web Browser XSS Protection Not Enabled Low 7
6 X-Content-Type-Options Header Missing Low 100
7 Cookie Without Secure Flag Low 4052
8 Cookie No HttpOnly Flag Low 160
10. Qoo10.com
On qoo10.com there are eight types of potential vulnerability. Table 4.19
shows the result of the test. One of them is in the medium risk category, while seven
others are in the low risk category.
Table 4.19 Number of vulnerability alert and risk level found in qoo10.com
Risk Level Number Of Alert
High 0
Medium 1
Low 7
Protection Not Enabled is the least found vulnerability. Details of eight potential
vulnerabilities found can be seen in the table 4.20.
Table 4.20 Number of each vulnerability types of qoo10.com
No. Alert Risk Level Potential Vulnerability Found
1 X-Frame-Options Header Not Set Medium 429
2 Incomplete or No Cache-control and Pragma HTTP Header Set Low 494
3 Cross-Domain JavaScript Source File Inclusion Low 6210
4 Web Browser XSS Protection Not Enabled Low 493
5 X-Content-Type-Options Header Missing Low 494
6 Cookie Without Secure Flag Low 1188
7 Cookie No HttpOnly Flag Low 1191
8 Private IP Disclosure Low 494
4.2 Vulnerability Analysis
4.2.1 Vulnerability Mapping and Comparison
Based on the test results, fifteen types of security holes were found. After all
the data is combined, it appears that Cross-Domain JavaScript Source File Inclusion
is the most common security gap found on the ten websites, whereas Session ID in
URL Rewrite, Secure Page Include Mixed Content and X-Frame-Options Setting
Malform are the least found security holes. Details of the ranking of the vulnerability
types found in this test can be seen in table 4.21.
Table 4.21 Rank of vulnerabilities found in all website
No Alert Total Percent Rank
1 X-Frame-Options Header Not Set 9557 8.0850 5
2 Incomplete or No Cache-control and Pragma HTTP Header Set 11936 10.0976 3
The percentage of the data above can be seen in the diagram below (figure 4.1).
[Figure 4.1: pie chart of the share of each alert type (X-Frame-Options Header Not
Set, Incomplete or No Cache-control and Pragma HTTP Header Set, Cross-Domain
JavaScript Source File Inclusion, Web Browser XSS Protection Not Enabled,
X-Content-Type-Options Header Missing, Cookie Without Secure Flag, Private IP
Disclosure, Multiple X-Frame-Option Header Entries); the percentages are those of
table 4.21]
[Bar chart: number of alerts per website (1 to 10), y-axis from 0 to 35000]
The cache-control and pragma HTTP header have not been set properly or are
missing allowing the browser and proxies to cache content.
Recommendation solution:
Whenever possible ensure the cache-control HTTP header is set with no-cache,
no-store, must-revalidate; and that the pragma HTTP header is set with no-
cache.
3. Cross-Domain JavaScript Source File Inclusion
Description:
The page includes one or more script files from a third-party domain.
Recommendation solution:
Ensure JavaScript source files are loaded from only trusted sources, and the
sources can't be controlled by end users of the application.
4. Web Browser XSS Protection Not Enabled
Description:
Web Browser XSS Protection is not enabled, or is disabled by the
configuration of the 'X-XSS-Protection' HTTP response header on the web
server.
Recommendation solution:
Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-
Protection HTTP response header to '1'.
5. X-Content-Type-Options Header Missing
Description:
The anti-MIME-sniffing header X-Content-Type-Options was not set to
'nosniff'. This allows older versions of Internet Explorer and Chrome to
perform MIME-sniffing on the response body, potentially causing the
response body to be interpreted and displayed as a content type other than the
declared content type. Current (early 2014) and legacy versions of Firefox will
use the declared content type (if one is set) rather than performing MIME-
sniffing.
Recommendation solution:
82 VULNERABILITY ANALYSIS OF INDONESIAN ECOMMERCE WEBSITE
URL rewriting is used to track the user's session ID. The session ID may be
disclosed via the cross-site Referer header. In addition, the session ID might be
stored in browser history or server logs.
Recommendation solution:
For secure content, put the session ID in a cookie. To be even more secure,
consider using a combination of cookie and URL rewrite.
10. Application Error Disclosure
Description:
This page contains an error/warning message that may disclose sensitive
information like the location of the file that produced the unhandled exception.
This information can be used to launch further attacks against the web
application. The alert could be a false positive if the error message is found
inside a documentation page.
Recommendation solution:
Review the source code of this page. Implement custom error pages. Consider
implementing a mechanism to provide a unique error reference/identifier to
the client (browser) while logging the details on the server side and not
exposing them to the user.
11. Private IP Disclosure
Description:
A private IP (such as 10.x.x.x, 172.16.x.x to 172.31.x.x, 192.168.x.x) or an
Amazon EC2 private hostname (for example, ip-10-0-56-78) has been found in the
HTTP response body. This information might be helpful for further attacks
targeting internal systems.
Recommendation solution:
Remove the private IP address from the HTTP response body. For comments,
use JSP/ASP/PHP comments instead of HTML/JavaScript comments, which can
be seen by client browsers.
12. Multiple X-Frame-Option Header Entries
Description:
84 VULNERABILITY ANALYSIS OF INDONESIAN ECOMMERCE WEBSITE
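The alert descriptions above are all passive checks on a single HTTP response. As an added example (not part of the thesis and not OWASP ZAP's own passive-scan rules), the following Python function applies the checks behind those alert types to one response and returns the alert names that apply; the regular expressions, the session-parameter names, the use of the RFC 1918 range 172.16/12 for the "172.x.x.x" case, and the two sample responses (one weak, one hardened) are the editor's own constructions.

```python
"""Passive audit of one HTTP response for the ZAP alert types listed in this chapter."""
import re
from urllib.parse import urlsplit

# Patterns are the editor's assumptions, written from the alert descriptions above,
# not OWASP ZAP's own passive-scan rules.
PRIVATE_HOST_RE = re.compile(
    r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}"   # RFC 1918 172.16/12 only
    r"|192\.168\.\d{1,3}\.\d{1,3}"
    r"|ip-10-\d{1,3}-\d{1,3}-\d{1,3})\b"              # EC2-style private hostname
)
SESSION_IN_URL_RE = re.compile(r"[?&;](?:jsessionid|phpsessid|sessionid|sid)=", re.I)
ERROR_RE = re.compile(
    r"(?:Warning|Fatal error|Notice):.*?on line \d+|Stack trace:|Exception in thread", re.I
)
SCRIPT_SRC_RE = re.compile(r"""<script[^>]+src\s*=\s*["']([^"']+)["']""", re.I)
PLAIN_HTTP_RESOURCE_RE = re.compile(r"""(?:src|href)\s*=\s*["']http://""", re.I)


def header_values(headers, name):
    """All values of one header, case-insensitively; Set-Cookie and X-Frame-Options may repeat."""
    return [v for n, v in headers if n.lower() == name.lower()]


def audit_response(url, headers, body):
    """Return the alert names that apply to one response.

    headers is a list of (name, value) pairs so that repeated headers are preserved.
    """
    alerts = []
    is_https = url.lower().startswith("https://")
    page_host = urlsplit(url).hostname

    xfo = header_values(headers, "X-Frame-Options")
    if not xfo:
        alerts.append("X-Frame-Options Header Not Set")
    elif len(xfo) > 1:
        alerts.append("Multiple X-Frame-Option Header Entries")
    elif xfo[0].strip().upper() not in ("DENY", "SAMEORIGIN"):
        alerts.append("X-Frame-Options Setting Malformed")

    cache = ",".join(header_values(headers, "Cache-Control")).lower()
    pragma = ",".join(header_values(headers, "Pragma")).lower()
    if (not all(d in cache for d in ("no-cache", "no-store", "must-revalidate"))
            or "no-cache" not in pragma):
        alerts.append("Incomplete or No Cache-control and Pragma HTTP Header Set")

    # Relative script URLs have no hostname and are same-origin by definition.
    if any(urlsplit(src).hostname not in (None, page_host) for src in SCRIPT_SRC_RE.findall(body)):
        alerts.append("Cross-Domain JavaScript Source File Inclusion")

    if is_https and PLAIN_HTTP_RESOURCE_RE.search(body):
        alerts.append("Secure Page Include Mixed Content")

    xss = header_values(headers, "X-XSS-Protection")
    if not xss or not xss[0].strip().startswith("1"):
        alerts.append("Web Browser XSS Protection Not Enabled")

    if [v.strip().lower() for v in header_values(headers, "X-Content-Type-Options")] != ["nosniff"]:
        alerts.append("X-Content-Type-Options Header Missing")

    if is_https and any(
        "secure" not in [a.strip().lower() for a in c.split(";")[1:]]
        for c in header_values(headers, "Set-Cookie")
    ):
        alerts.append("Cookie Without Secure Flag")

    if SESSION_IN_URL_RE.search(url):
        alerts.append("Session ID in URL Rewrite")

    if ERROR_RE.search(body):
        alerts.append("Application Error Disclosure")

    if PRIVATE_HOST_RE.search(body):
        alerts.append("Private IP Disclosure")

    return alerts


# Constructed sample responses (not captured from any real website).
WEAK_URL = "https://shop.example/cart;jsessionid=ABC123?item=4"
WEAK_HEADERS = [
    ("Content-Type", "text/html"),
    ("Cache-Control", "private"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("X-Frame-Options", "DENY"),
    ("Set-Cookie", "JSESSIONID=ABC123; Path=/; HttpOnly"),
]
WEAK_BODY = """<html><head>
<script src="http://cdn.example-ads.net/track.js"></script>
</head><body>
<!-- origin: ip-10-0-56-78 / 192.168.1.20 -->
Warning: include(): failed to open stream in /var/www/html/cart.php on line 42
</body></html>"""

HARDENED_URL = "https://shop.example/cart?item=4"
HARDENED_HEADERS = [
    ("Content-Type", "text/html"),
    ("Cache-Control", "no-cache, no-store, must-revalidate"),
    ("Pragma", "no-cache"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-XSS-Protection", "1; mode=block"),
    ("Set-Cookie", "JSESSIONID=ABC123; Path=/; Secure; HttpOnly"),
]
HARDENED_BODY = """<html><head><script src="https://shop.example/static/app.js"></script></head>
<body>Cart (ref. ERR-7f3a)</body></html>"""

if __name__ == "__main__":
    for name, (url, headers, body) in {"weak": (WEAK_URL, WEAK_HEADERS, WEAK_BODY),
                                       "hardened": (HARDENED_URL, HARDENED_HEADERS, HARDENED_BODY)}.items():
        print(name, audit_response(url, headers, body))
```

The hardened response also shows the shape of the fix for item 10: the body carries an opaque error reference (ERR-7f3a) for the user while the file path and line number stay in the server log. The weak response triggers ten of the alert types at once, which is the usual picture on a real site, because most of them come from a single misconfigured server or framework default rather than from individual pages.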
CHAPTER 5
CONCLUSION AND FURTHER WORK
5.1 Conclusion
From this research, the author found that penetration testing is the right
method for finding a website's security vulnerabilities. With this method the author
managed to find various potential vulnerabilities on the websites, which is in line
with previous research. Besides that, OWASP ZAP is an open source tool that can be
used to find security vulnerabilities, as shown by the complete set of features OWASP
ZAP provides for finding various security holes on a target website, although manual
checking must still be done to improve the accuracy of the results obtained.
Based on the results of this research, ecommerce websites in Indonesia still
have potential security vulnerabilities that can be exploited, as shown by the low-
and medium-risk potential vulnerabilities found on these websites. Even though no
high-risk vulnerability was found, fixing potential security problems at the medium
and low risk levels is still important, considering that an ecommerce website holds
a variety of very important data that must be protected so that it is not easily
compromised by irresponsible parties.
In this study, the researcher found 15 types of potential security vulnerability on
the top ten Indonesian ecommerce websites. After all the data is combined, Cross-Domain
JavaScript Source File Inclusion is the most common security gap found across the ten
websites, whereas Session ID in URL Rewrite, Secure Page Include Mixed Content and
X-Frame-Options Setting Malformed are the least frequently found security holes.
Viewed by the number of vulnerability types, Mataharimall.com is the website
with the fewest types of vulnerability: it has seven types of potential vulnerability,
whereas zalora.com and shopee.com are the websites with the most types of potential
vulnerability. Viewed by the number of potential vulnerabilities of each type,
lazada.com is the website with the greatest number of potential vulnerabilities,
whereas Mataharimall.com is the site with the fewest.
5.2 Further Work
Although the author managed to find potential security vulnerabilities on
ecommerce websites in Indonesia, some improvements still need to be made in future
work to obtain better testing results. Improvements for further research include:
1. Check for false positives in each security problem found.
2. Use additional tools to obtain a comparison of the results of searching for
website vulnerabilities.
3. Perform manual checking for each security problem found.
4. Perform testing against the server itself so as to obtain more complete
testing results.