API Security Strategies for E-Commerce Platforms this Black Friday

The holiday period is the busiest time of the year for retail businesses. However, alongside numerous legitimate transactions and bustling retailers, this season also provides perfect cover for malicious actors.

With APIs handling hundreds of transactions, people are often too busy to investigate, and the sheer volume of transactions makes verification challenging.

In this post, we’ll round up the most common security issues facing ecommerce retailers, from vulnerabilities to bot attacks.

Like any web application, it’s crucial to recognize where users may supply input, such as in reviews, and defend against injection-type attacks. This could be an SQL injection, where users provide input that escapes the current context, allowing them to run arbitrary queries on the database, including dumping the entire database and accessing every transaction. Ecommerce systems are also targeted for blind cross-site scripting.

This occurs when a user inputs data that is reflected in an admin control panel, for example, embedding a cross-site scripting payload in the shipping address. When the admin prepares to print the label, they view the payload, which then sends back screenshots or cookies from the admin to the attacker.

Instead of rendering special characters as their true value, they should be replaced with their HTML entity equivalent, even when processed in or for an API, to prevent SQL or Javascript from running when the response is rendered.

Identifying and Addressing Business Logic Vulnerabilities in Ecommerce Transactions

Of course, ecommerce systems face more than just pure technical vulnerabilities; they are also prone to business logic issues. The two most common issues involve currency conversion and quantities.

Surprisingly, these vulnerabilities are relatively easy to identify, even without specialized security skills. For instance, when you add items to your cart, the total is usually calculated by multiplying the price of each item by the number of items. But what happens if you enter a negative quantity?

If the business logic isn’t programmed correctly, this can be exploited to obtain a discount. Imagine adding three items priced at $10 each to your cart, resulting in a total of $30. Now, if you add another item priced at $20 with a quantity of -1, your cart’s value would drop to $10. The system mistakenly calculates the price as if -1 of an item subtracts $20 from the total.

When purchasing in USD, you might expect a price of 20.99 to be $20.99. However, if you switch to another currency, you might end up paying 20.99 GBP (equivalent to $25.98) or 20.99 INR (which is $0.25), due to incorrect currency conversion. The issue often arises when using third-party payment systems via APIs, as the currency is sent as part of the API request. An attacker could potentially intercept this request and alter it.

The best way to uncover these issues is to thoroughly test the purchase process, attempting to change numbers to negative values or switch currencies.

Addressing Brute Force Attacks and Race Conditions 

Finally, we must consider brute force attacks and race conditions, which are more technical in nature but exploit the infrastructure surrounding ecommerce systems rather than their code or implementation. Brute force attacks happen when a website permits an excessive number of unrestricted user requests. This allows an attacker to try numerous username and password combinations, often using data from previous breaches or leaks, until they find a match. This issue is also prevalent in the use of discount codes, where simpler, shorter codes can be easily brute-forced and widely shared.

Race conditions typically occur with discount codes as well. If two orders simultaneously use a discount code intended for single use, it might be possible for that code to be applied multiple times. While APIs are designed to handle high traffic, which is beneficial for scaling a store quickly, they can become a source of security vulnerabilities if an organization is not prepared for such rapid scaling. This vulnerability makes ecommerce APIs particularly susceptible to bot attacks and fraud.

Strategies for Resolving Ecommerce API Security Vulnerabilities

Resolving ecommerce security vulnerabilities begins with understanding the different types of threats and the appropriate tools for addressing them. For traditional vulnerabilities, off-the-shelf scanners serve as a practical starting point.

While not comprehensive, especially for API-specific issues, they provide a solid foundation for businesses new to security auditing. However, these scanners often fall short in detecting business logic issues, tending to highlight lower-priority concerns and complicating the prioritization of vulnerabilities and risk assessment.

To effectively tackle the more elusive business logic issues, there are two primary strategies. The first involves conducting a full penetration test, where a professional meticulously analyzes your application to pinpoint vulnerabilities. The second strategy is to scrutinize logs for suspicious transactions and trace the actions of potential intruders. Both approaches, while potentially costly in terms of time and resources, are crucial for a thorough understanding of complex business logic issues that simple scanning algorithms might miss.

Additionally, addressing brute force attacks and race conditions requires a careful examination of your infrastructure. This includes implementing appropriate rate limits and investing in advanced firewalls that can dynamically block bot attacks and other suspicious activities.

Given the complexity of managing these diverse security challenges, many businesses find it beneficial to invest in an all-in-one platform like Traceable. This type of solution consolidates various security functions – scanning, investigation, and blocking – into a single, cohesive tool. An all-in-one platform like Traceable simplifies the management of your APIs, offering comprehensive support from initial discovery to advanced threat intelligence. This integrated approach not only streamlines the security process but also ensures a more robust defense against the myriad of threats in the ecommerce landscape.

About Traceable

Traceable is the industry’s leading API Security company helping organizations achieve API visibility and attack protection in a cloud-first, API-driven world. Traceable is the only intelligent and context-aware solution that powers complete API security – API discovery and posture management, API security testing, attack detection and threat hunting, and attack protection anywhere your APIs live. Traceable enables organizations to minimize risk and maximize the value that APIs bring their customers. To learn more about how API security can help your business, book a demo with a security expert.