DISCLAIMER: I, ABHINAV SINGH, DID NOT BREACH THE SECURITY MEASURES OF THE FOLLOWING WEBSITES: IBIBO.COM, AVISOMART.COM, FLIPKART.COM.
I ONLY TESTED THEIR SECURITY MEASURES. THE AUTHOR IS IN NO WAY RESPONSIBLE FOR ANY DAMAGE. THIS ARTICLE IS FOR EDUCATIONAL PURPOSES ONLY.
There are a lot of shopping portals and websites picking up pace in India right now, but they are still not receiving the kind of response they should. American and European online shopping giants are among the leading web companies today, but the scenario is different in India. People here still believe that these sites do not provide quality goods, and the sites are only popular in metropolitan and big cities.
This article is not about their popularity but about their security: how secure are these websites, and how secure are their payment gateways?
I went on to carry out penetration testing on all the popular online shopping websites.
The point where all of them were strong was the payment gateway, and the reason is that the payment gateways are managed solely by the respective bank you use for the transaction.
But what about the other security measures?
Flipkart was all clear; they are doing a good job on security measures, I must say. But there were some small flaws in other popular sites (I won't take names). I have reported the flaws to the admins and got a response too. I was fortunate this time, but I am still waiting for a response to my previous disclosure of security flaws in Dhoni's, Priyanka Chopra's and Preity Zinta's official websites.
I won't go into much detail on the various penetration tests I applied to these online shopping websites, but the front where I found these websites vulnerable was the analysis of HTTP headers.
Consider these two images and note the price of the BlackBerry phone in my shopping cart. In the top image it is Rs 12,100.00 and in the lower image it is Rs 121.00. So what do you think of the deal? A BlackBerry at Rs 121 only.
No, I am not kidding. In fact, as I proceeded to the payment gateway it still did not make a final check on whether I had modified the headers or not. It simply allowed me to buy this phone at Rs 121 only.
By simply intercepting and closely analysing the HTTP requests and responses transmitted during my penetration testing, I could figure out mechanisms to break them.
Web developers hardly keep a check on the values that an authenticated user is sending. All they worry about is making authentication secure, but in the meantime they forget how important it is to validate the requests of an authenticated user as well, on the server side. You won't find such security flaws in any of the top online shopping websites of America or Europe.
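To make the point concrete, here is an added example (my own illustration, not code from any of the sites named in this post) of the difference between a checkout that trusts the price field the client submits and one that recomputes the total from a server-side catalogue. The SKUs, the catalogue and the two sample requests are constructed for the demo; the Rs 12,100.00 and Rs 121.00 figures mirror the cart prices quoted above. The hardened version also records a mismatch between the client-supplied price and the catalogue price, which is the kind of event a shop should be logging and alerting on.

```python
from dataclasses import dataclass
from decimal import Decimal

# Constructed server-side catalogue (hypothetical SKUs). The only trustworthy
# source of a unit price is this table, never the request body or a header.
CATALOG = {
    "BB-8520": Decimal("12100.00"),   # price quoted for the BlackBerry in the post
    "USB-CABLE": Decimal("250.00"),
}

MAX_QTY_PER_LINE = 10


@dataclass
class Order:
    total: Decimal
    tamper_detected: bool
    reason: str = ""


def checkout_trusting_client(request: dict) -> Order:
    """Vulnerable pattern: the total is computed from the price the client sent.
    Anyone who can edit the request (a browser proxy is enough) sets their own price."""
    total = Decimal("0")
    for item in request["items"]:
        total += Decimal(str(item["price"])) * item["qty"]
    return Order(total=total, tamper_detected=False)


def checkout_server_side(request: dict) -> Order:
    """Hardened pattern: the client may only say *what* and *how many*; the price
    is looked up server-side. A client-supplied price is compared against the
    catalogue purely as a detection signal and never used for the total."""
    total = Decimal("0")
    tampered = False
    reasons = []
    for item in request["items"]:
        sku = item.get("sku")
        if sku not in CATALOG:
            raise ValueError(f"unknown sku {sku!r}")
        qty = item.get("qty", 0)
        if not isinstance(qty, int) or qty < 1 or qty > MAX_QTY_PER_LINE:
            raise ValueError(f"invalid quantity {qty!r} for {sku}")
        unit = CATALOG[sku]
        if "price" in item and Decimal(str(item["price"])) != unit:
            # The request carried a price that does not match ours: log it,
            # then ignore it. The catalogue price still wins below.
            tampered = True
            reasons.append(f"{sku}: client sent {item['price']}, catalogue says {unit}")
        total += unit * qty
    return Order(total=total, tamper_detected=tampered, reason="; ".join(reasons))


# Constructed sample requests: an honest cart and the same cart with the
# price field edited in transit, as described in the post.
LEGIT_REQUEST = {"user": "alice", "items": [{"sku": "BB-8520", "qty": 1, "price": "12100.00"}]}
TAMPERED_REQUEST = {"user": "alice", "items": [{"sku": "BB-8520", "qty": 1, "price": "121.00"}]}


if __name__ == "__main__":
    print("trusting client, tampered cart:", checkout_trusting_client(TAMPERED_REQUEST).total)
    hardened = checkout_server_side(TAMPERED_REQUEST)
    print("server-side price, tampered cart:", hardened.total, "| tamper flagged:", hardened.reason)
```

The design choice worth copying is that the hardened handler never reads the price to compute anything; it only reads it to raise a flag. Whether the tampered value arrives in a cookie, a hidden form field, a JSON body or a custom header makes no difference once the server stops consulting it.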
Here I will also show how online survey websites can be tricked into increasing your survey money.
Earning money through online surveys is currently very popular in India, but they are currently the most vulnerable systems online. I have an account on a survey website too. I simply hacked it to increase my earnings without even submitting my survey. I also went a step further and hacked the servers to add a free $100 payment point to my account, and even successfully transferred it to another account.
I do not understand why the hell these websites implement captchas and other security measures when they leave even bigger threats than spam open to be breached.
Anyway, the issues have been patched on most of the websites I have reported to.
At least these companies are not completely ignorant like our government agencies, who still have so many loopholes open; that's why I never posted any information about them, as it can be a matter of national security.
I still suggest to all my readers and friends that we live in a world largely governed by the web, so we must contribute to making it a better and healthier place. We cannot be evil and destroy this wonderful creation of mankind. Developers, coders and companies put a lot of effort into bringing services to users at the click of a finger, but some dark hackers try to exploit the weak areas and disrupt the whole service. Instead, they should work actively to build a better web. You know what inspires me the most these days? The new ad campaign of Google Chrome: "THE WEB IS WHAT YOU MAKE OF IT".
It's simply very true. Thanks for reading. Please add your valuable comments for improvements and suggestions.