See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/304549785

A Design of Security Assessment System for E-Commerce Website

Conference Paper · December 2015
DOI: 10.1109/ISCID.2015.16

2015 8th International Symposium on Computational Intelligence and Design

A Design of Security Assessment System for E-commerce Website

Xia Wang, Ke Zhang, Qingtian Wu


Research Institute of Electronic Science and Technology,
University of Electronic Science and Technology of China,
Chengdu, China
E-mail: piaoshang816@163.com, kezhang@uestc.edu.cn, qingtian_wu@yahoo.com

Abstract—Considering the rapid growth of e-commerce websites and the security issues they face in today's society, this paper analyses the most important current security risks of e-commerce websites. A system is designed to test and evaluate their security vulnerabilities. The design carries out qualitative tests by vulnerability scanning and a quantitative assessment of the test data in a result evaluation module. To make the evaluation results more intuitive, the test data are controlled and weighted according to mathematical modeling and the analytic hierarchy process (AHP), and an evaluation judgment function is generated so that the test data can be evaluated directly and effectively. The evaluation results contain a vulnerability rating, a vulnerability classification and a website security level assessment. The design also makes some constructive suggestions for the security of e-commerce sites and provides some effective protective measures. The design combines qualitative testing with quantitative assessment and has a certain protective effect on the security of e-commerce websites.

Keywords—e-commerce; security vulnerabilities; test systems; quantitative evaluation

I. INTRODUCTION

E-commerce websites are the main carrier of enterprise and consumer interaction and of completing online transactions, and are an important basis for evaluating the performance of an enterprise e-commerce system [1]. According to the China Internet Network Information Center, the 2010 online shopping market exceeded 430 billion yuan, a substantial growth compared with 2009. With the popularity and rapid development of the Internet, e-commerce has become increasingly integrated into our lives and provides us with great convenience, and we are becoming increasingly dependent on these services [2-3]. But on such an open Internet architecture, coupled with the impact of other factors, attacks on and destruction of e-commerce sites emerge in an endless stream, bringing great trouble and security risks to our economic activities.

With the rapid development of e-commerce sites, the variety of security vulnerabilities present in these sites is gradually being exposed [4-6]. A vulnerability is a weakness or flaw in a system which, when exploited by an attack, can cause the software to enter an unsafe state. According to the "Symantec Internet security threat report" released by Symantec, more than 60% of software security vulnerabilities concern web applications, and these vulnerabilities expose web applications to various attacks, such as denial of service attacks, SQL injection and theft of user information. The OWASP (Open Web Application Security Project) report on the ten most important web application threats shows injection attacks and cross site scripting attacks to be the most serious [7], as shown in Table 1 and Table 2.

TABLE I. 2010 OWASP TEN NEW SECURITY THREATS
OWASP Top 10-2010
A1-Injection
A2-Cross Site Scripting
A3-Broken Authentication and Session Management
A4-Insecure Direct Object References
A5-Cross Site Request Forgery
A6-Security Misconfiguration
A7-Insecure Cryptographic Storage
A8-Failure to Restrict URL Access
A9-Insufficient Transport Layer Protection
A10-Unvalidated Redirects and Forwards

TABLE II. 2013 OWASP TEN NEW SECURITY THREATS
OWASP Top 10-2013
A1-Injection
A2-Broken Authentication and Session Management
A3-Cross Site Scripting
A4-Insecure Direct Object References
A5-Security Misconfiguration
A6-Sensitive Data Exposure
A7-Missing Function Level Access Control
A8-Cross Site Request Forgery
A9-Using Known Vulnerable Components
A10-Unvalidated Redirects and Forwards

978-1-4673-9587-8/15 $31.00 © 2015 IEEE
DOI 10.1109/ISCID.2015.16
One reason for these security vulnerabilities is the lack of experience of site development staff and the insufficient attention paid to security problems [8-14]; the most important reason is the lack of comprehensive security testing and evaluation. A scientific evaluation of the functions of e-commerce enterprises can effectively help an enterprise find gaps in its technical vulnerability management process, eliminate the security risks of its e-commerce platform in practical use, and at the same time give consumers reasonable guidance. Most existing domestic and international e-commerce website evaluations are limited to site stability evaluation, consumer satisfaction surveys and assessment of the opportunities of a specific website [15], and lack a specific security assessment.

This paper focuses on testing e-commerce sites for security vulnerabilities and designs a targeted security assessment system: the data obtained by testing pass through an evaluation module that visualises the quantitative and qualitative results of the site's security, which gives the customer a convenient reality check, and security measures are proposed against the attack behaviour found.

II. SECURITY ASSESSMENT SYSTEM COMPONENTS

One of the most important security threats to an e-commerce site is the security vulnerability, and among the most important vulnerabilities is the SQL injection attack. SQL injection is the most common security vulnerability in web development. SQL injection vulnerabilities can be used to obtain sensitive information from a database or to perform a series of malicious actions such as adding users and exporting files; by taking advantage of the characteristics of the database, an attacker may even obtain the highest privileges of the database system. The SQL injection process is shown in Fig. 1.

A security assessment system is designed for this type of major vulnerability. The system includes the security testing module and the result evaluation module, as shown in Fig. 2.

Figure 2. Architecture of E-Commerce Site Security Evaluation System (diagram): E-commerce Site Security Assessment System, composed of a Safety Test Module (Structure of the Site, Scanning Testing, Database Match, Exploit Test) and a Results Evaluation Module (Evaluation Standard, Assessment Results, Results Interface)

The test module is mainly based on penetration testing. A penetration test subjects the security of the target network to an overall stress test: the customer's hosts and network are assessed by imitating the specific attack behaviour of a hacker. In the testing process, vulnerability scanning technology is used to test the security of all aspects of the network; based on the vulnerabilities discovered by scanning, SQL injection vulnerability testing is carried out on them, and finally the vulnerability scanning test results are produced.

The evaluation module obtains the results of the test module; the test content is controlled by analysing the test parameters and vulnerability categories, an evaluation index is generated and the results are evaluated. Finally, a visual interface presents the evaluation results.

Figure 1. SQL Injection Process (diagram): attackers access the site's SQL injection vulnerabilities, looking for the injection point (terminal); the attacker constructs an injection statement; the SQL injection attack reaches the server; the new SQL injection statement is processed in the database (database server)

III. DETAILED DESIGN OF SYSTEM MODULE

The security assessment system includes the security testing module and the result evaluation module. The specific features of these two modules and the details of their workflow are described below.

A. Detailed design of the test module

The security vulnerability testing module uses a site vulnerability scanner to scan for vulnerabilities, identify them, and exploit the vulnerabilities found in penetration testing to determine the size of the danger they pose. The vulnerability scanner simulates a web client, performs a privileged URL scan and a fragile CGI scan, typically records the HTTP interaction, and then injects malicious payloads into the subsequent interaction to observe the response data. Through these operations, effective SQL injection, cross site scripting, directory traversal and cookie poisoning vulnerabilities are found. The system structure and basic flow of the vulnerability scanner are shown in Fig. 3.

Figure 3. Vulnerability Scanner Architecture Diagram (diagram): User Configuration Console; Vulnerability Scan Engine with its Scan Knowledge Database, applied to the Test Targets; Scan Results and Report Generation Tool

By simulating link clicks, page views and other forms of user behaviour, the scanner analyses the site's inputs and obtains as much as possible of the directory and file structure of the entire site in preparation for the subsequent vulnerability scan. The response message to each request sent is analysed to find potential vulnerabilities; once a response is received, the returned information is matched against the vulnerability database. According to the results of the vulnerability analysis, the results are further analysed and used, combined with penetration testing tools that simulate the process followed by hackers, so that customers can understand the vulnerability results intuitively. Test results for the different injection points are obtained.

B. Detailed design of the assessment module

When the test module generates test data, the evaluation module obtains these data and generates parameters according to the type of data, such as the vulnerability threat degree grade. The test data are evaluated comprehensively, finally showing the vulnerability classification of the scan, the final system security level determined from the different vulnerabilities, and safety recommendations; this quantitative analysis of the security of the e-commerce website gives a visual display of the site's safety issues. The general flow chart of the evaluation module is shown in Fig. 4.

Figure 4. Related Flowchart of Evaluation Module (diagram): Get Test Results; Generating An Evaluation Index; Weight Processing; Comprehensive Assessment Results; Interface Evaluation

The evaluation standard is similar to an assessment library, and the evaluation module is confirmed by the specific test content. It mainly controls the selection of test data, arranges the chosen data to produce a judgment matrix, obtains for each security problem its weight with respect to the whole security system, and ultimately uses the judging function to assess the whole.

IV. GENERATION OF SAFETY EVALUATION INDEX

The safety evaluation index is an important guiding standard for safety assessment. Generation of the evaluation indicators relies on mathematical modeling and the analytic hierarchy process (AHP): mathematical modeling means establishing the mathematical relationship between the data parameters according to the security threat level, which selects the quantitative analysis data in preparation for qualitative analysis. Usually a 1-9 ratio scale is used to assign the degree of security vulnerability to each web security index (the indexes are selected through AHP analysis); in general, the importance of the sub-indexes of an upper index is judged and assigned according to the standard shown in Table 3:

TABLE III. THE DEGREE OF IMPORTANCE ASSIGNED STANDARD
Scale  Meaning
1      The two indicators compared are of the same importance
3      Comparing two indicators, the former is slightly more important than the latter
5      Comparing two indicators, the former is significantly more important than the latter
7      Comparing two indicators, the former is strongly more important than the latter
9      Comparing two indicators, the former is extremely more important than the latter

The analytic hierarchy process compares each pair of indexes, ranks the relative advantages and disadvantages of each evaluation index on the 9-point scale, constructs from these comparisons the judgment matrix of the evaluation indexes, and then determines the weight values of the indexes. The concrete steps are shown in Fig. 5:

Figure 5. Generating Step of Evaluation Index (diagram): Vulnerability Probe; Analysis and Classification of Vulnerability; Quantitative Vulnerabilities; Evaluation Parameters Calculation; Security Value Weight Determination; Evaluation Function Generator; Evaluation Index Generation
The data obtained in the security vulnerability testing module are analysed qualitatively; in exploring the vulnerabilities, the analysis that the generation of the evaluation index requires is carried out, covering their causes, the kind of security threat they pose, their threat level to the whole e-commerce site and their classification. Through mathematical modeling the security vulnerabilities are quantified; combined with matrix theory, the analytic hierarchy process (AHP) yields the evaluation parameters and weights; finally, the evaluation function generated from the actual threats is used to judge and determine the security grade of the e-commerce website.
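The AHP step described in Section IV (Table III scale, judgment matrix, weight determination) and the evaluation function that turns weights and test findings into a security grade, worked through as an added example in Python; this is not the paper's own code. The category names, pairwise judgments, scan findings and grade thresholds are constructed, and the consistency ratio check is standard AHP practice that the paper does not spell out.

```python
"""Added example (not the paper's code): AHP weighting from Section IV. Table III
judgments -> reciprocal judgment matrix -> priority weights -> consistency check,
then weights plus scan findings -> site security grade. Names, judgments,
findings and grade thresholds are constructed."""
from math import prod

# Vulnerability classes from the paper's OWASP tables; the judgments are constructed.
CATEGORIES = ["Injection", "Cross Site Scripting",
              "Insecure Direct Object References", "Security Misconfiguration"]
# (former, latter): scale, i.e. "former is <scale> times as important as latter".
JUDGMENTS = {
    ("Injection", "Cross Site Scripting"): 3,
    ("Injection", "Insecure Direct Object References"): 9,
    ("Injection", "Security Misconfiguration"): 9,
    ("Cross Site Scripting", "Insecure Direct Object References"): 3,
    ("Cross Site Scripting", "Security Misconfiguration"): 3,
    ("Insecure Direct Object References", "Security Misconfiguration"): 1,
}
# Saaty's random index by matrix order (standard AHP constant, not from the paper).
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24, 7: 1.32}

def judgment_matrix(categories, judgments):
    """Reciprocal matrix: a[i][j] = scale, a[j][i] = 1/scale, diagonal 1."""
    n = len(categories)
    a = [[1.0] * n for _ in range(n)]
    for (former, latter), scale in judgments.items():
        i, j = categories.index(former), categories.index(latter)
        a[i][j], a[j][i] = float(scale), 1.0 / scale
    return a

def priority_weights(a):
    """Row geometric-mean estimate of the principal eigenvector, normalised to 1."""
    gm = [prod(row) ** (1.0 / len(a)) for row in a]
    return [g / sum(gm) for g in gm]

def consistency_ratio(a, w):
    """CR = CI / RI with CI = (lambda_max - n) / (n - 1). CR above 0.1 means the
    pairwise judgments contradict each other and must be revised before use."""
    n = len(a)
    aw = [sum(a[i][j] * w[j] for j in range(n)) for i in range(n)]
    lambda_max = sum(aw[i] / w[i] for i in range(n)) / n
    return 0.0 if n < 3 else ((lambda_max - n) / (n - 1)) / RANDOM_INDEX[n]

def security_score(weights, findings):
    """findings[i] in [0, 1]: worst severity found for category i (0 = none found).
    Score 1.0 means no weighted risk; the grade thresholds are constructed."""
    score = 1.0 - sum(w * f for w, f in zip(weights, findings))
    grade = "high" if score >= 0.9 else "medium" if score >= 0.7 else "low"
    return score, grade

if __name__ == "__main__":
    a = judgment_matrix(CATEGORIES, JUDGMENTS)
    w = priority_weights(a)
    print([round(x, 3) for x in w], round(consistency_ratio(a, w), 3),
          security_score(w, [1.0, 0.0, 0.5, 0.0]))  # constructed scan findings
```

With the constructed judgments the matrix is perfectly consistent (CR is 0) and Injection carries 9/14 of the weight, so a single confirmed injection finding alone drags the site to the lowest grade; contradictory judgments would show up as CR above 0.1 and should be corrected before the weights are trusted.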
V. ASSESSMENT ANALYSIS AND INTERFACE DISPLAY

In the testing and evaluation module, the vulnerability scanner performs site analysis of the e-commerce site and the corresponding vulnerability scanning. The vulnerability scanning tools can scan comprehensively for SQL injection, cross site scripting, unsafe object references, local path leakage, unsafe directory permissions, server vulnerabilities, sensitive directories and documents, backup files, source code leaks, command execution, file inclusion, web Trojan horses and so on, and users can choose part or all of the vulnerability scans according to their own needs. The scan test results obtained by a full scan of the e-commerce website are ranked according to vulnerability rank.

The vulnerability level shows the vulnerability scanning test results more intuitively, including how many vulnerabilities of a certain class exist in the e-commerce website, and according to the levels of vulnerability found in the SQL injection test it gives us a more specific understanding of the vulnerabilities of the e-commerce website.

On the basis of these test data fed to the assessment system, weighted by quantitative analysis, the discriminant function of the assessment gives the final security level of the e-commerce site.

CONCLUSIONS

In this paper, we design a security vulnerability assessment system for e-commerce websites, focused on vulnerability scan testing and matching followed by exploit-simulated attack, with the test results evaluated and presented by an evaluation module to facilitate the proposed improvements for better security. Starting from an analysis of the types of e-commerce security issues, a security vulnerability evaluation system for e-commerce sites and the quantitative analysis of the safety evaluation index were studied to obtain a final evaluation criterion, and the security of e-commerce sites was evaluated. This provides some reference for improving the security of e-commerce websites in the interest of the security of businesses and consumers.

ACKNOWLEDGMENT

This paper was partially supported by the Fundamental Research Funds for the Central Universities (ZYGX2014J099).

REFERENCES

[1] Deng Yu Liang, "Design and Implementation of e-commerce measurement system," Computer Applications and Software, pp. 165-169, Dec. 2009.
[2] Open Web Application Security Project, OWASP Top 10-2010: The ten most critical Web application security risks [R], 2010.
[3] OWASP, Category: OWASP WebScarab project [EB/OL], (2012-01-08), http://www.owasp.org/index.php/category:OWASO-Webscarab_project; R. Sugihara and R. K. Gupta, "Optimal speed control of mobile node for data collection in sensor networks," IEEE Transactions on Mobile Computing, pp. 127–139, January 2010.
[4] Yang Ting, "New requirements of modern e-commerce on computer security technology," Kaneda, vol. 7, 2013.
[5] Zhang Jianwu, "Research on security evaluation technology for web application," Xi'an, Beijing University of Posts and Telecommunications.
[6] Zheng Leilei, Song Lihua, Guo Rui and Zhang Jiancheng, "Research on security of B/S architecture software," Computer Technology and Development, pp. 221-224, Jan. 2012.
[7] Xiaohua Wang, Software Feature Model and Test Application Research, China Academy of Science (National Space Science and Application Research Center), 2009.
[8] Lian Yu, Wei-Tek Tsai, Xiangji Chen, Linqing Liu, Yan Zhao, Liangjie Tang and Wei Zhao, "Testing as a Service over Cloud," Proceedings of the IEEE International Symposium on Service-Oriented System Engineering (SOSE 2010).
[9] Oriol Manuel, "YETI on the cloud," ICSTW 2010 - 3rd International Conference on Software Testing, Verification, and Validation Workshops, pp. 434-437, 2010.
[10] P. Mell and T. Grance, The NIST Definition of Cloud Computing [R], National Institute of Standards and Technology, 2011.
[11] Wikipedia, Software testing, http://en.wikipedia.org/wiki/Software-testing
[12] Lj. Lazić, "Software Testing Optimization by Advanced Quantitative Defect Management," Computer Science and Information Systems, vol. 7, no. 3, pp. 459-487, 2010.
[13] J. Tian, Software Quality Engineering: Testing, Quality Assurance, and Quantifiable Improvement, IEEE Computer Society.
[14] I. Tumer and C. Smidts, "Integrated design-stage failure analysis of software-driven hardware systems," IEEE Transactions on Computers, pp. 1072-1084, 2010.
[15] M. Kang, T. Gu and J. Baik, "A user friendly software reliability analysis tool based on development process to iteratively manage software reliability," International Symposium on Software Reliability Engineering, 2009.
