Login | Register

Security Weaknesses in E-commerce Platforms


Security Weaknesses in E-commerce Platforms

Pagey, Rohan (2023) Security Weaknesses in E-commerce Platforms. Masters thesis, Concordia University.

[thumbnail of Pagey_MASc_S2023.pdf]
Text (application/pdf)
Pagey_MASc_S2023.pdf - Accepted Version
Available under License Spectrum Terms of Access.


Software as a Service (SaaS) e-commerce platforms for merchants allow individual business owners to set up their online stores without any coding, or procuring any software/hardware. Prior work has shown that the checkout flows of such e-commerce applications are vulnerable to different kinds of logic bugs such as parameter tampering or workflow bypass, with serious financial consequences, e.g., allowing “shopping for free”. In this work, we first present a list of typical operations for such platforms, showing that there are several more functionalities beyond the check-out process, which can also lead to serious security consequences. We then leverage the fact that such platforms now heavily incorporate API requests and GraphQL calls (emerging) to design a semi-automated security analysis framework. We use this framework to analyze 32 representative e-commerce platforms (including 8 open-source ones) for seven different vulnerability categories; such platform host over 10 million stores as approximated through Google dorks. We uncover several previously unknown vulnerabilities with serious consequences, e.g., allowing an attacker to takeover all stores under a platform, and listing illegal products at a victim’s store—in addition to “shopping for free” bugs, without exploiting the checkout/payment process. We found 12 platforms vulnerable to store takeover and 6 platforms vulnerable to shopping for free, affecting thousands of stores (49000+ for store takeover, and 28000+ for shopping for free, as approximated via Google dorks). We have responsibly disclosed the vulnerabilities to all affected parties: two vendors have fixed the issues and four are still working. We have also requested four CVEs (amongst the 8 open source projects), and three CVEs have been assigned.

Divisions:Concordia University > Gina Cody School of Engineering and Computer Science > Concordia Institute for Information Systems Engineering
Item Type:Thesis (Masters)
Authors:Pagey, Rohan
Institution:Concordia University
Degree Name:M.A. Sc.
Program:Information Systems Security
Date:January 2023
Thesis Supervisor(s):Mannan, Mohammad and Youssef, Amr
ID Code:991766
Deposited By: Rohan Pagey
Deposited On:21 Jun 2023 14:36
Last Modified:21 Jun 2023 14:36
All items in Spectrum are protected by copyright, with all rights reserved. The use of items is governed by Spectrum's terms of access.

Repository Staff Only: item control page

Downloads per month over past year

Research related to the current document (at the CORE website)
- Research related to the current document (at the CORE website)
Back to top Back to top