In the world of Information Technology, among the several JavaScript frameworks available for front-end development, Angular and React have of late shown growing popularity, together with NodeJS. These three are now widely used by software engineers, across all programming languages, according to the Stack Overflow Developer Survey conducted last year, in 2018.
Common eCommerce Security Vulnerabilities and How NodeJS can rightly address them
The increase in online transactions has been accompanied by an equal rise in the number and types of attacks on the security of online payment systems. Some of these attacks have taken advantage of vulnerabilities in third-party plug-ins used by eCommerce websites, such as shopping cart software.
Other attacks have made use of vulnerabilities common to any web application, such as SQL injection or cross-site scripting. This article was written with reference to K.K. Mookhey’s paper on SecurityFocus, published in the Security Community of Symantec Connect. It gives an overview of these vulnerabilities with examples, either from the set of known vulnerabilities or from those discovered during the original author’s penetration testing assignments.
The different types of vulnerabilities discussed here are:
- SQL injection
- Price Manipulation
- Buffer Overflows
- Cross-site scripting
- Weak authentication or authorization
Exploitation of these vulnerabilities can lead to a wide range of negative results. SQL injection or price manipulation attacks can paralyse the website and harm confidentiality, and in the worst cases they can cause the e-commerce business to shut down completely.
A Background on Security Vulnerabilities
There are many reasons why security vulnerabilities occur in shopping cart and online payment systems. The primary reason is that web application developers are often unaware of secure programming techniques. As a result, application security is not on their list of development tasks at all.
Securing the eCommerce website becomes an even lower priority because of the need to meet deadlines in the fast-moving e-commerce world. Even a day’s delay in publishing a new feature on the website can increase your risk of losing business to a competitor. We have typically seen this where eCommerce businesses need to add functionality to their websites regularly to keep pace with customer demands and industry trends.
In such a scenario, the primary goal is to have the functionality in place; security can always be taken care of later, and is often not reconsidered until a vulnerability is exploited. Another reason security vulnerabilities happen is the inherent complexity of most online systems. Demanding customers place requirements on their e-commerce providers that call for complex designs and programming logic.
Let us now move on to the details of each vulnerability in an eCommerce website.
SQL Injection
SQL injection refers to the insertion of SQL meta-characters into user input in such a manner that the attacker’s queries are executed in the back-end database. Usually, attackers first identify whether a site is vulnerable to such an attack by sending in the single-quote (‘) character. A successful SQL injection attack on a vulnerable eCommerce site can give the attacker the following:
- Knowledge of the back-end technology used for the eCommerce website.
- Access to restricted areas of the site, by manipulating the query into an always-true Boolean condition.
- Execution of operating system commands.
One of the best-known such attacks is that of a 20-year-old programmer, Jeremiah Jacks of Orange County, California, who found that it was possible to access highly confidential data such as credit card numbers and transaction details through SQL injection.
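The following is an added example, not code from the original article: it places the string-concatenation pattern that makes a user lookup injectable beside the parameterized form that removes the problem, and adds a small detector for the single-quote probe described above, run over constructed access-log lines. The `{ text, values }` query shape is the one node-postgres accepts; the table and column names are assumptions.

```javascript
// Added example (not from the article). Query builders for a user lookup in both the
// injectable and the parameterized form, plus a log scanner for single-quote probes.

// VULNERABLE: the input is spliced into the SQL text, so a quote character ends the
// string literal and whatever follows it is parsed as SQL.
function buildUserLookupUnsafe(username) {
  return `SELECT id, password_hash FROM users WHERE username = '${username}'`;
}

// SAFE: the SQL text never changes; the value is handed to the driver separately and
// bound as data. Other drivers use '?' placeholders, but the principle is identical.
function buildUserLookupSafe(username) {
  return {
    text: 'SELECT id, password_hash FROM users WHERE username = $1',
    values: [username],
  };
}

// Detection: flag requests whose query-string parameters contain a single quote after
// URL decoding. The response status is kept because a quote that produced a 500 is a
// much stronger signal than a quote in an ordinary search term (e.g. a surname).
function findQuoteProbes(logLines) {
  const hits = [];
  for (const line of logLines) {
    const m = line.match(/"(?:GET|POST) (\S+) [^"]*" (\d{3})/);
    if (!m) continue;
    const query = m[1].split('?')[1];
    if (!query) continue;
    for (const pair of query.split('&')) {
      const [key, raw = ''] = pair.split('=');
      let value;
      try { value = decodeURIComponent(raw.replace(/\+/g, ' ')); } catch { value = raw; }
      if (value.includes("'")) hits.push({ param: key, status: Number(m[2]), line });
    }
  }
  return hits;
}

// Constructed sample access-log lines (not real traffic).
const SAMPLE_LOG = [
  '10.0.0.5 - - [01/Jan/2019:10:00:00 +0000] "GET /product?id=42 HTTP/1.1" 200 512',
  '10.0.0.9 - - [01/Jan/2019:10:00:01 +0000] "GET /product?id=42%27 HTTP/1.1" 500 88',
  '10.0.0.9 - - [01/Jan/2019:10:00:02 +0000] "GET /search?q=o%27neil&page=1 HTTP/1.1" 200 1024',
];
```

Running `findQuoteProbes(SAMPLE_LOG)` returns two hits: the `id` parameter that produced a 500 and the `q` parameter that did not. Only the first deserves an alert on its own; the second is the kind of false positive a quote-only rule produces, which is why the status code travels with the hit.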
Price Manipulation
This is another vulnerability, one that may sound unique to online shopping carts. Typically, the total payable price of the goods is stored in a hidden HTML field of a dynamically generated page. An attacker can use a web application proxy such as Achilles to change the amount payable as this information flows from the user’s browser to the web server.
The final payable price can thus be manipulated to a value of the attacker’s choice. This information is then sent to the payment gateway with which the online merchant is associated. If the volume of transactions is very high, the price manipulation may go completely unnoticed, or may be discovered only when it is too late.
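The defence against this is to never charge a client-supplied amount. As an added example (not code from the original article), the checkout handler below recomputes the total from a server-side catalog and treats the posted total purely as something to compare against; it also rejects tampered quantities (zero, negative or absurdly large), which is the same manipulation applied to a different field. The catalog, cart and request values are constructed sample data.

```javascript
// Added example (not from the article): server-side price recomputation.

// Constructed sample catalog: SKU -> unit price in cents. In a real shop this comes
// from the database, never from the request.
const CATALOG = {
  'SKU-100': 1999,
  'SKU-200': 4500,
  'SKU-300': 250,
};

// Sum the line items using server-side prices only. Any price or total the browser
// sent is ignored here; only the SKU and quantity are read from the cart.
function computeServerTotal(cart, catalog = CATALOG) {
  let total = 0;
  for (const line of cart) {
    const unit = catalog[line.sku];
    if (unit === undefined) throw new Error(`unknown SKU ${line.sku}`);
    const qty = Number(line.qty);
    if (!Number.isInteger(qty) || qty < 1 || qty > 1000) {
      throw new Error(`invalid quantity for ${line.sku}`);
    }
    total += unit * qty;
  }
  return total;
}

// Validate a checkout request. The posted `total` is the value an attacker could edit
// in a hidden field or through a proxy; it is compared, never charged.
function validateCheckout(body, catalog = CATALOG) {
  const expected = computeServerTotal(body.cart, catalog);
  const posted = Number(body.total);
  if (posted !== expected) {
    return { ok: false, reason: 'total mismatch', expected, posted };
  }
  return { ok: true, amountToCharge: expected };
}
```

A mismatch is worth logging with the posted and expected values: a steady trickle of mismatches from one client is exactly the signal that the high-volume merchant in the text would otherwise miss.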
Buffer overflows
Although not very common in online shopping carts, buffer overflow vulnerabilities should definitely not be ignored. Sending a large number of bytes to a web application that is not equipped to handle the data load can lead to unexpected consequences. Your growing eCommerce business will come across such a scenario sooner or later. In one of the author’s penetration testing assignments, it was possible to disclose the path of the PHP functions being used by sending a very large value in the input fields. When 6,000 or more bytes were fed into a particular field, the back-end PHP script was unable to process them, and the error that was displayed revealed the location of these PHP functions. Using this error information, it was possible to access the restricted ‘admin’ folder.
Cross Site Scripting
The cross-site scripting attack is primarily targeted at the end user and takes advantage of two factors:
- Little or no input validation by the web application
- The trust placed by the end user in a URL that carries the vulnerable website’s name.
In most cases, the attacker crafts the URL to try to steal the user’s cookie, which holds the session ID and other sensitive information. The JavaScript can also be written to redirect the user to the attacker’s website, where malicious code can be pushed using ActiveX controls or by exploiting browser vulnerabilities common in Internet Explorer or Netscape Navigator.
Weak Authentication or Authorization
An authentication protocol that does not limit multiple failed logins can easily be attacked using tools such as Brutus. Similarly, if the website uses HTTP Basic Authentication or does not pass session IDs over SSL (Secure Sockets Layer), an attacker can easily sniff the traffic to discover users’ authentication and/or authorization credentials.
How can NodeJS address Security Vulnerabilities in a better manner when compared with other Technologies
With an eCommerce website built with NodeJS, you don’t have to think as much about the security factor, especially for the payment gateway feature of the e-commerce platform. Big players like Walmart and PayPal have benefited greatly from moving their applications to NodeJS. To prevent security vulnerabilities, however, they have followed the NodeJS development best practices listed below.
Use of TLS
If your application’s workflow involves the transmission of sensitive data, use Transport Layer Security (TLS) to secure the connection and the data. TLS encrypts data before it is sent from the client to the server, thus preventing some common and easy attacks.
Use of Helmet
Helmet can help protect your app from some well-known security vulnerabilities by setting HTTP headers appropriately.
Helmet is actually just a collection of smaller middleware functions that set security-related HTTP response headers.
Using cookies securely
To ensure cookies do not open your app to attacks, do not use the default session cookie name, and set the cookie security options appropriately.
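The two points above (Helmet’s headers and cookie settings) can both be checked rather than assumed. The following is an added example, not Helmet’s code nor code from the original article: a response-header audit that reports which of a small set of Helmet-style headers is missing, a session-cookie builder that refuses the default `connect.sid` name and always emits `HttpOnly`, `Secure` and `SameSite`, and an audit of an existing `Set-Cookie` value. The expected header list and values are assumptions chosen for illustration, not Helmet’s complete default set.

```javascript
// Added example (not from the article, not Helmet's own code): header and cookie audits.

// Assumed subset of the headers a Helmet-style middleware sets; names are compared
// case-insensitively because Node normalises header names to lowercase.
const EXPECTED_HEADERS = {
  'strict-transport-security': 'max-age=15552000; includeSubDomains',
  'x-content-type-options': 'nosniff',
  'x-frame-options': 'SAMEORIGIN',
  'content-security-policy': "default-src 'self'",
  'referrer-policy': 'no-referrer',
};

// Report which expected headers are absent from a response's header map.
function missingSecurityHeaders(headers) {
  const present = new Set(Object.keys(headers).map(h => h.toLowerCase()));
  return Object.keys(EXPECTED_HEADERS).filter(h => !present.has(h));
}

// Default names that reveal the framework and should not be used for a session cookie.
const DEFAULT_NAMES = new Set(['connect.sid', 'PHPSESSID', 'JSESSIONID']);

// Build a Set-Cookie value for a session cookie. HttpOnly and Secure are not
// optional here; SameSite defaults to Strict and Path to '/'.
function buildSessionCookie(name, value, opts = {}) {
  if (DEFAULT_NAMES.has(name)) {
    throw new Error(`refusing default session cookie name "${name}"`);
  }
  if (!/^[\w.-]+$/.test(name)) throw new Error('invalid cookie name');
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (opts.maxAge !== undefined) parts.push(`Max-Age=${opts.maxAge}`);
  parts.push(`Path=${opts.path || '/'}`);
  parts.push('HttpOnly', 'Secure', `SameSite=${opts.sameSite || 'Strict'}`);
  return parts.join('; ');
}

// Audit an existing Set-Cookie value and list the protective attributes it lacks.
function auditSetCookie(header) {
  const attrs = header.split(';').slice(1).map(a => a.trim().toLowerCase());
  const missing = [];
  if (!attrs.includes('httponly')) missing.push('HttpOnly');
  if (!attrs.includes('secure')) missing.push('Secure');
  if (!attrs.some(a => a.startsWith('samesite='))) missing.push('SameSite');
  return missing;
}
```

`missingSecurityHeaders` is the kind of check that belongs in an integration test against the running app, since a header Helmet sets can still be stripped by a proxy or overwritten by a later middleware.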
Prevent brute-force attacks against authorisation
Make sure that the login endpoints are protected, to keep private data more secure.
A common and powerful method is to block authorization attempts using two metrics:
- The first is the number of consecutive failed attempts by the same user name and IP address.
- The second is the number of failed attempts from an IP address over a period of time. For example, block an IP address if it makes 100 failed attempts in one day.
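The two metrics above can be implemented together in a small limiter. This is an added example, not code from the original article: the consecutive-failure counter is keyed on user name plus IP and reset by a successful login, while the per-IP counter is a rolling window of failure timestamps (the article’s 100 per day is kept; the consecutive threshold of 5 is an assumption). The clock is injectable so the window can be tested without waiting a day.

```javascript
// Added example (not from the article): two-metric login limiter.

const CONSECUTIVE_LIMIT = 5;            // assumed: consecutive failures per user+IP
const IP_WINDOW_LIMIT = 100;            // article's example: 100 failures per IP per day
const WINDOW_MS = 24 * 60 * 60 * 1000;  // one day

class LoginLimiter {
  constructor(now = () => Date.now()) {
    this.now = now;                   // injectable clock for testing
    this.consecutive = new Map();     // "user|ip" -> consecutive failure count
    this.ipFailures = new Map();      // ip -> failure timestamps (ms) within the window
  }

  key(username, ip) {
    return `${username.toLowerCase()}|${ip}`;
  }

  // Drop timestamps older than the window and return the live list (the stored array).
  prune(ip) {
    const cutoff = this.now() - WINDOW_MS;
    const recent = (this.ipFailures.get(ip) || []).filter(t => t > cutoff);
    this.ipFailures.set(ip, recent);
    return recent;
  }

  // Returns null if the attempt may proceed, otherwise the reason it is blocked.
  check(username, ip) {
    if ((this.consecutive.get(this.key(username, ip)) || 0) >= CONSECUTIVE_LIMIT) {
      return 'too many consecutive failures for this account from this address';
    }
    if (this.prune(ip).length >= IP_WINDOW_LIMIT) {
      return 'too many failed logins from this address';
    }
    return null;
  }

  recordFailure(username, ip) {
    const k = this.key(username, ip);
    this.consecutive.set(k, (this.consecutive.get(k) || 0) + 1);
    this.prune(ip).push(this.now());
  }

  // A successful login clears the consecutive counter; the per-IP window is untouched.
  recordSuccess(username, ip) {
    this.consecutive.delete(this.key(username, ip));
  }
}

// Login handler shape: the limiter is consulted before password verification, so a
// blocked attempt never reaches the credential check even with the right password.
// verifyPassword is whatever hash comparison the application uses.
function handleLogin(limiter, username, password, ip, verifyPassword) {
  const blocked = limiter.check(username, ip);
  if (blocked) return { status: 429, reason: blocked };
  if (verifyPassword(username, password)) {
    limiter.recordSuccess(username, ip);
    return { status: 200 };
  }
  limiter.recordFailure(username, ip);
  return { status: 401 };
}
```

The in-memory maps are fine for a single process; behind a load balancer the counters have to live in shared storage (Redis is the usual choice), otherwise each instance sees only a fraction of the attempts and the per-IP limit is effectively multiplied by the number of instances.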
Ensure your dependencies are secure
Using npm to manage your application’s dependencies is definitely worthwhile; since npm@6, npm automatically reviews every install request. In addition, you can use ‘npm audit’ to examine your dependency tree.
Avoid other known vulnerabilities
Maintain a detailed awareness of Node Security Project or Snyk advisories that may affect Express or other modules your application uses. These databases are an excellent source of knowledge and tools about Node security.
Some further recommendations from the Node Security Checklist
- Use csurf middleware to protect against cross-site request forgery (CSRF).
- Always filter and clean user input to protect against cross-site scripting (XSS) and command injection attacks.
- Use parameterized queries or prepared statements to secure your App from SQL injection attacks.
- Use the open-source sqlmap tool to detect any SQL injection vulnerabilities in your App.
- Use the nmap and sslyze tools to test your SSL configuration, and always keep an eye on certificate expiry.
- Use safe-regex to ensure your regular expressions are not prone to regular expression denial of service attacks.
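The “filter and clean user input” item above is, for cross-site scripting, really about encoding output for the context it lands in, which is the defence against the cookie-stealing URL described in the Cross Site Scripting section. As an added example (not code from the original article), the snippet below encodes untrusted text for an HTML text node and a quoted attribute, allow-lists the scheme of any URL placed in an `href`, and renders a product review through those encoders. The review fields and the base URL `https://shop.example/` are constructed for the example.

```javascript
// Added example (not from the article): context-aware output encoding for XSS.

const TEXT_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode for element text content or a double-quoted attribute value: every character
// that could start markup or end the attribute is replaced by its entity.
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, ch => TEXT_ESCAPES[ch]);
}

// Only http(s) URLs are allowed in href; javascript:, data: and anything unparsable
// collapse to '#'. Relative URLs are resolved against the assumed site origin.
function safeHref(url) {
  let parsed;
  try { parsed = new URL(String(url), 'https://shop.example/'); } catch { return '#'; }
  return ['http:', 'https:'].includes(parsed.protocol) ? escapeHtml(parsed.href) : '#';
}

// Render a product review. The template is fixed text; every untrusted value passes
// through the encoder for the context it is inserted into.
function renderReview(review) {
  return `<div class="review" data-author="${escapeHtml(review.author)}">` +
         `<a href="${safeHref(review.site)}">${escapeHtml(review.author)}</a>: ` +
         `<p>${escapeHtml(review.body)}</p></div>`;
}
```

Note what this does not cover: inserting untrusted data into a `<script>` block or an inline event handler needs a different encoder, and the simplest rule is to never place user data there at all.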
Enterprises are embracing the Combination of NodeJS and Microservices. Know Why
The aim of most software projects is to solve a problem. However, while developing the software and implementing a solution to one problem, another problem arises, and this continues until the IT team is unable to cope with it.
10 useful tips to consider in choosing the best Freelancer for your project
The number of freelancers has been increasing year by year, and they now occupy a major part of the workforce. This is because hiring a freelancer has proven positive for many employers. Especially in small businesses, which may not be in a position to hire a full-time worker yet need someone who can give full attention to their projects, hiring freelancers has worked very well. However, companies do face a dilemma when they have to hire a freelancer. Here are some useful tips to consider when hiring a freelancer for your business.
Analyse the area in which you require a freelancer’s help: It is very important to find out the area in which you want a freelancer to take an active role, because you might already have a full-time worker with enough knowledge or skill to help in that area. Have a brainstorming session with your full-time workers to find out whether you already have a resource who can help, or whether you really require a freelancer’s help.
Do not leave out any detail: See that you communicate your idea effectively to the freelancer you are going to hire. You might be hiring either a developer or a designer. Describe your full idea of the product you are aspiring to. Do not hold back any information or leave any point out. Giving only a brief overview of your project will certainly not be enough. If, after the freelancer has worked on it, the end result does not match your idea, it will lead to a huge waste of time, money and effort for both of you. So, see to it that the freelancer is clear about every small part of your project.
Consider more than one freelancer: If you find two freelancers who are equally competent, give a small part of your project to each of them. This is a good way to save time, and also to see which person suits you best.
Always mark down 10 percent less than your actual budget: If your budget is INR 75,000, then do not offer the freelancer more than INR 63,000. Freelancers will always assume that your budget is negotiable. Always leave room for your freelancer to assume that he/she got more than others would have. This will also motivate him/her to work better on your project.
Do not go by the five-star rating: Most freelancers complete tasks that are a cakewalk for them in a very short time, and earn a five-star rating for the work completed. They may not have enough exposure to challenging projects. Ask for their complete portfolio and see whether they have completed any similar project.
See that the freelancer is available for communication: Especially if the freelancer is a remote worker, not only ask for his/her phone number but also make sure of their availability on WhatsApp and Skype. Also, freelancers work on more than one project at a time. They tend to pay more attention to projects for which they have to provide regular progress updates, and may take casually those whose employers do not demand regular updates.
Get a freelancer for a fair pay: Although you may have found the best freelancer, do advertise your project so that you get a fair and competitive price in line with market standards.
Be familiar with the law: Even if not to the same extent as full-time employees, freelancers are also covered under labour laws relating to working hours and rates of pay, some of which apply particularly to freelancers.
Outline ownership rights: Before the start of the project, make sure the freelancer is clear that the end result of their work belongs to you and not to him/her.
Get a binding contract signed: When you give complete details of your project to the freelancer, you will obviously be giving them access to some of your confidential information. Get a contract signed by the freelancer stating that they will not disclose your confidential information to any third party, during or after the project.
Author Bio: The Author of this article has over 8 years of experience as a Freelance Application Developer. With his extensive experience, he now very well understands what it takes for a company to hire the best freelancer for their projects.
If you are a business owner, looking out for a freelancer for your Web Application or Hybrid Mobile App development project, you may get in touch with the author through www.s-suresh.com.
10 Benefits of Hiring a Freelancer over a Web Development Company
Many companies in India end up hiring a web development company without considering the benefits of hiring a freelancer to develop their new website. This is because they might not know the benefits of hiring a freelancer, and might simply search Google for web development companies in Chennai or Bangalore and approach the first few that come up in the search results.