Tasks and Objectives
A US online retailer contacted us after customers and law enforcement made them aware that customers' credit cards had been used without their knowledge to pay various bills. The retailer sells goods online and lets users pay by credit card.
Fast Lane Services and Solution
We began with a full vulnerability assessment, followed by a web application penetration test against the e-commerce portal and its associated databases and application. We quickly verified that the client was running out-of-date Apache versions on their server farms, which led to a full cross-site scripting (XSS) vulnerability. XSS allows attackers to execute their own script in visitors' browsers.
In this particular case, the data entered into the credit card form was actually sent to the attackers' servers, because the injected script redirected the form input. Although the customer remained on the online retailer's website, the card details were phished, so the attackers obtained all of the credit card information. After we delivered a full report with mitigation advice, the client took all necessary steps to ensure their online presence no longer allows cross-site scripting.
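The two controls that close off the attack pattern described above, shown as an added example that is not part of the Fast Lane case study: output encoding of untrusted values before they reach HTML (which prevents the script from being injected at all), and a Content-Security-Policy with `form-action 'self'` and `connect-src 'self'` (which stops a checkout form or script from sending data to another origin even if encoding is missed somewhere). The functions, origins and the sample cardholder name are constructed for this illustration; the CSP evaluator supports only `'self'` and explicit origins, a deliberate simplification of the real browser grammar.

```javascript
// Added example (not Fast Lane's code): defensive controls against XSS-driven
// form hijacking, reduced to plain functions so they run in Node without a DOM.

// 1. Output encoding: the standard fix for reflected/stored XSS. Every untrusted
//    value is HTML-encoded before being placed into markup.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable rendering: the cardholder name is interpolated raw into the page.
function renderCheckoutVulnerable(cardholderName) {
  return `<p>Confirm card details for ${cardholderName}</p>`;
}

// Hardened rendering: identical markup, but the value is encoded first.
function renderCheckoutSafe(cardholderName) {
  return `<p>Confirm card details for ${escapeHtml(cardholderName)}</p>`;
}

// Helper used only to make the difference observable: does the rendered HTML
// still contain an executable <script> element?
function containsScriptElement(html) {
  return /<script\b/i.test(html);
}

// 2. Content-Security-Policy as defence in depth. `form-action 'self'` stops the
//    checkout form from being pointed at another origin, and `connect-src 'self'`
//    restricts fetch/XHR destinations to the site itself.
function buildCheckoutCsp() {
  return [
    "default-src 'self'",
    "script-src 'self'",
    "connect-src 'self'",
    "form-action 'self'",
    "frame-ancestors 'none'",
  ].join("; ");
}

// Decide whether a form submission target is permitted by the policy's
// form-action directive. Supports 'self' and explicit origins only (constructed
// simplification; a browser implements the full source-list grammar).
function formActionAllowed(csp, pageOrigin, actionUrl) {
  const directive = csp
    .split(";")
    .map((d) => d.trim())
    .find((d) => d.startsWith("form-action"));
  if (!directive) return true; // no directive: any target is allowed
  const sources = directive.split(/\s+/).slice(1);
  const target = new URL(actionUrl, pageOrigin).origin;
  const self = new URL(pageOrigin).origin;
  return sources.some((src) => (src === "'self'" ? target === self : src === target));
}

// Constructed sample input: a "name" field carrying a script element.
const SAMPLE_NAME = "Alice<script>/* injected */</script>";

console.log(renderCheckoutVulnerable(SAMPLE_NAME)); // script element survives
console.log(renderCheckoutSafe(SAMPLE_NAME));       // script element is inert text
console.log(buildCheckoutCsp());
```

The encoding function is the control that would have prevented the finding in this engagement; the CSP is the layer that limits the damage if a template is ever missed. Both are cheap to add to an existing checkout page, and `form-action` in particular is easy to test with a browser's developer tools by watching for blocked submissions in the console.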