
Practical Security Testing for E-Commerce & Payment Applications

Soroush Dalili, SecProject
OWASP Chapter Event, Birmingham, UK, May 2024

About Me

• Soroush Dalili
• AppSec security testing & code review
• Research & training
• SecProject director, ex MDSec & NCC Group

• LinkedIn: https://www.linkedin.com/in/sdalili/
• X (Twitter): https://x.com/irsdl
• Blog: https://soroush.me/

Agenda

E-Commerce Security Assessment:

• Who can be tested?
• Planning the assessment
• Testing methodology
• Examples

Who Can Be Tested?

Apps dealing with money & numbers:

• E-commerce apps (online shops & retail)
• Payment providers
• Banks & gambling sector

Planning For Payment Assessment…

"Hey, we need our online juice shop to be security tested!"

"Certainly, we just need some more details to plan it! BTW, is the entire order & payment process within the scope?"

Example: The Juice Shop Requirements!

Payment related questions:

• Order process & workflows
• Any third party involved in processing payments? How?
• Any implementation or design diagrams?
• Any restrictions on checkout?
• In-scope payment types: card, PayPal, gift card, etc.
• Sample payment data (according to the testing environment)
• If not live, how to test the exact paid amount?
• Refund process
• Other features:
  • Discounts & promotions, vouchers, gift cards, prepaid balance, credit schemes
  • Additional charges
  • Use of different currencies

Other Useful Information

Ask more questions based on what’s being tested, for example:

• How can we place/cancel orders with less friction?
• Are card details being stored?
• What shipping address do we need to use?
• What current protections are in place?
• What are the current business concerns?
  • Scammers using us to validate stolen cards!
  • A single-use voucher being used twice
  • Offers abused in the past
• What are the implications of negative values in the balance?
• Are there different delivery types?
• Can items be delivered internationally?

Brief Testing Methodology
1. Parameter manipulation
2. Time-of-check-time-of-use (TOCTOU) & race condition
3. Numeric & precision handling
4. Replay attacks
5. Card number-related issues
6. Dynamic prices, prices with tolerance, or referral schemes
7. Discount codes, vouchers, offers, reward points, and gift cards
8. Currency arbitrage in deposit/buy and withdrawal/refund
9. Cryptography issues
10. Downloadable and virtual goods
11. Using test data in production environment
12. Hidden and/or insecure backend APIs
Parameter Manipulation

• Price Manipulation
• Currency Manipulation
• Quantity Manipulation
• Shipping Address and Post Method Manipulation
• Additional Costs Manipulation
• Response Manipulation
• Repeating an Input Parameter Multiple Times
• Omitting an Input Parameter or its Value
• Mass Assignment, Autobinding, or Object Injection
• Monitor the Behaviour while Changing Parameters to Detect Logical Flaws
• Server-side parameter injection/pollution
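The server-side counterpart to the manipulations above, as an added example that is not from the slides: a checkout parser that takes no price, currency or total from the client, refuses repeated and unexpected parameters (so nothing is autobound), validates the shipping method against an allow-list and recomputes the total from the catalogue. The catalogue, shipping table and parameter names are constructed for this example.

```python
from decimal import Decimal
from urllib.parse import parse_qs

# Constructed catalogue and shipping table: the server's own lists are the
# only source of prices; nothing price-related is read from the request.
CATALOGUE = {"juice-apple": Decimal("2.99"), "juice-mango": Decimal("3.49")}
SHIPPING = {"standard": Decimal("0.00"), "express": Decimal("4.99")}
EXPECTED = {"sku", "qty", "shipping"}
MAX_QTY = 100


def parse_checkout(query: str) -> dict:
    """Strictly parse a checkout query string and recompute the total."""
    params = parse_qs(query, keep_blank_values=True)
    keys = set(params)
    if keys != EXPECTED:
        # A missing parameter, or an extra one such as price=, total= or
        # discount= that a mass-assignment style handler would bind.
        raise ValueError(f"unexpected or missing parameters: {keys ^ EXPECTED}")
    for name, values in params.items():
        if len(values) != 1:
            # Repeated parameter: frameworks disagree on first/last/all
            # values, so refuse rather than guess.
            raise ValueError(f"parameter {name!r} repeated")
    sku, qty_raw, shipping = (params[k][0] for k in ("sku", "qty", "shipping"))
    if sku not in CATALOGUE:
        raise ValueError("unknown sku")
    if shipping not in SHIPPING:
        raise ValueError("unknown shipping method")
    # ASCII digits only: rejects "-1", "1e2", "0x10", " 3" and non-ASCII digits.
    if not (qty_raw.isascii() and qty_raw.isdecimal()):
        raise ValueError("quantity must be a positive integer")
    qty = int(qty_raw)
    if not 1 <= qty <= MAX_QTY:
        raise ValueError("quantity out of range")
    total = CATALOGUE[sku] * qty + SHIPPING[shipping]
    return {"sku": sku, "qty": qty, "shipping": shipping, "total": total}


def rejected(query: str) -> bool:
    """True if the query is refused (helper for the checks below)."""
    try:
        parse_checkout(query)
    except ValueError:
        return True
    return False
```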
TOCTOU & Race Condition Issues

• Transferring money
• Buying items simultaneously
• Changing the order upon payment completion
• Changing the order after payment completion

Also applies to reward points, vouchers and discount codes:

• Using a single-use voucher multiple times
• Transferring or spending points

Example 1: TOCTOU without Race Condition

"Change the basket now!" "For real life?!"

Example 2: TOCTOU with Race Condition

Demo: Using Burp Suite

Using customised code from SecDim:
https://play.secdim.com/game/python/challenge/steampy/

Example 3: TOCTOU with Race Condition

Authorising multiple requests?

Study Race Conditions More?

• https://portswigger.net/web-security/race-conditions
• Think about using multiple sessions / multiple devices
• Review how rate limiting has been implemented

Avoiding TOCTOU & Race Conditions

• It depends… Performance might be reduced for security/integrity!

• Rate limiting
  • Not a solid solution but helpful
• Atomic transactions
  • Fully complete or fail entirely
• Locking mechanisms
  • Database locks, session-based locking, etc.
• Consistent state checks
  • Is it still valid? Is it the same transaction?
• Preventing concurrent user sessions
• Monitoring (many transactions, negative values, inconsistencies, etc.)
• Some more recommendations: https://portswigger.net/web-security/race-conditions#how-to-prevent-race-condition-vulnerabilities
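The single-use voucher case from the TOCTOU slide and the atomic-transaction / locking fix from this slide, as an added example that is not from the slides or the SecDim challenge: concurrent requests redeem the same voucher against a check-then-act implementation and against one where the check and the update are a single step under a lock. The in-memory store and the barrier test hook (its `concurrency` must equal the number of requests sent, or the threads wait forever) are constructed for this example.

```python
import threading


class VulnerableRedeemer:
    """Check then act: between reading the remaining uses and decrementing
    them, other concurrent requests can pass the same check."""
    def __init__(self, uses, concurrency=0):
        self.uses = uses            # remaining uses; 1 = single-use voucher
        self.orders = []            # orders that received the discount
        # Test hook: a barrier that holds every request between its check
        # and its update, making the worst-case interleaving deterministic.
        self._window = threading.Barrier(concurrency) if concurrency else None

    def redeem(self, order_id):
        if self.uses > 0:           # time of check
            if self._window:
                self._window.wait() # all other requests pass the check here
            self.uses -= 1          # time of use
            self.orders.append(order_id)
            return True
        return False


class AtomicRedeemer:
    """Check and act in one step under a lock: the in-memory equivalent of
    UPDATE vouchers SET uses = uses - 1 WHERE code = ? AND uses > 0
    followed by verifying that exactly one row was changed."""
    def __init__(self, uses):
        self.uses = uses
        self.orders = []
        self._lock = threading.Lock()   # stands in for the database row lock

    def redeem(self, order_id):
        with self._lock:            # check and update cannot interleave
            if self.uses <= 0:
                return False
            self.uses -= 1
            self.orders.append(order_id)
            return True


def redeem_concurrently(redeemer, n_requests):
    """Fire n_requests at once; return (orders discounted, uses remaining)."""
    threads = [threading.Thread(target=redeemer.redeem, args=(f"order-{i}",))
               for i in range(n_requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(redeemer.orders), redeemer.uses
```

The vulnerable path leaves the voucher with a negative remaining-uses count, which is exactly the kind of inconsistency the monitoring bullet above is meant to catch.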
Numeric & Precision Handling

• Overflows and Underflows
• Negative Numbers
• Decimal Numbers
• Large or Small Numbers
• Zero, Null, or Subnormal Numbers
• Exponential Notation
• Reserved Words
• Numbers in Different Formats
• Currency Rounding Issues
• Generic Rounding Issues

Demo: Numbers Gone Awry

• Different arithmetic results when using large or small numbers, example:
  • https://www.federalregister.gov/documents/2015/05/01/2015-10066/airworthiness-directives-the-boeing-company-airplanes
• https://play.secdim.com/game/typescript/challenge/integer-overflowts/
• https://play.secdim.com/game/go/challenge/integer-overflowgo/
• Some more examples:
  • https://play.secdim.com/browse?cwe=wrap-around-error
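The numeric classes from the previous slide worked through in code, as an added example that is not from the slides or the SecDim challenges: a strict money parser next to the permissive one it replaces (exponential notation, reserved words such as NaN and Infinity, signs, hex and non-ASCII digits), a 32-bit wrap-around of a quantity, and the penny of drift between float rounding and half-up currency rounding and between per-line and per-order rounding. Values, the nine-digit limit and the two-decimal currency are assumptions for this example.

```python
import re
from decimal import Decimal, ROUND_HALF_UP

PENNY = Decimal("0.01")
# Plain digits with at most two decimals: no sign, exponent, NaN/Infinity,
# thousands separator, hex prefix or non-ASCII digits.
AMOUNT_RE = re.compile(r"[0-9]{1,9}(\.[0-9]{1,2})?", re.ASCII)


def parse_amount(raw: str) -> Decimal:
    """Strict money parser for a two-minor-unit currency such as GBP."""
    if not AMOUNT_RE.fullmatch(raw):
        raise ValueError(f"rejected amount {raw!r}")
    return Decimal(raw)


def permissive_parse(raw: str) -> Decimal:
    """For contrast: Decimal() alone accepts '1e3', 'NaN', 'Infinity', '-5'."""
    return Decimal(raw)


def rejected(raw: str) -> bool:
    try:
        parse_amount(raw)
    except ValueError:
        return True
    return False


def to_int32(n: int) -> int:
    """Wrap-around of a signed 32-bit quantity column or variable."""
    return ((n + 2**31) % 2**32) - 2**31


def round_money(value) -> Decimal:
    """Round half up to the penny (Python's float round() does not do this)."""
    return Decimal(value).quantize(PENNY, rounding=ROUND_HALF_UP)


def discounted_total(unit_price: str, qty: int, discount_pct: str, per_line: bool) -> str:
    """Percentage discount applied per unit (rounded each) or once on the order total."""
    price = parse_amount(unit_price)
    factor = 1 - Decimal(discount_pct) / 100
    if per_line:
        return str(round_money(price * factor) * qty)
    return str(round_money(price * qty * factor))
```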
Thank you! Any questions?

Soroush Dalili (@irsdl)

Reference

• See https://soroush.me/downloadable/common-security-issues-in-financially-orientated-web-applications.pdf and its references
• https://soroush.me/blog/2019/04/how-to-win-big-and-even-more/
• https://portswigger.net/web-security/race-conditions
