Evolution of Electronic Storefronts
Let's take a look at how electronic storefronts evolved with respect to technologies and the businesses adopting those technologies. The early Web storefronts were designed by using scripting languages such as Perl, running on a Web server, and interacting with flat files instead of databases. The systems were heterogeneous; that is, each component was distinct and separate. As Web technologies matured, vendors such as Microsoft and Sun Microsystems came up with homogeneous e- commerce framework technologies and other vendors joined the race. Web storefront technologies began to feature multilayered applications involving middleware and middle-tier binary components such as ISAPI filters and Java beans.
Integration with databases allowed applications to migrate from flat files to relational databases (RDBMS), such as MS-SQL server, Oracle, and MySQL. Similarly, for storefronts, technologies such as Dynamic HTML (DHTML) and Flash started gaining popularity, because they made the shopping experience both visually appealing and pleasant. However, each stage of evolution brought new vulnerabilities and new dimensions of attack. Incidents of robberies from electronic storefronts rose dramatically, and stealing information and money on the Web became intolerable, desperately needing technical attention.
Where do hackers find loopholes in e-business systems? Whenever a business decides to establish or upgrade an electronic presence, things don't happen all at once. At one stage or another, different technologies are integrated with existing systems. Businesses thrive on evolution, not software. Mixing and matching various technologies over a period of time leaves opportunities for vulnerabilities to creep in.
The root causes of vulnerabilities plaguing electronic storefronts are:
Poor input validation
Poor session or state tracking
Assumptions that HTML and client-side scripting cannot be tampered with.
Improper database integration
Security loopholes in third-party products
We focus on these issues throughout the remainder of this chapter by following the experiences of a company that decided to place its business on the Web.