Friday, October 2, 2015

Dos and Don'ts in Developing E-Commerce Sites

Things to do:
1. Handling E-Commerce Payment
Ref: https://www.owasp.org/index.php/Handling_E-Commerce_Payments
Best practices compliant with the Payment Card Industry (PCI) guidelines are explained in the link above.

PCI compliance goals:
  • Build and maintain a secure network
  • Protect Cardholder Data
  • Maintain a Vulnerability Management Program
  • Implement Strong Access Control Measures
  • Regularly Monitor and Test Networks
  • Maintain an Information Security Policy


Things to avoid:
1. Unvalidated Redirects and Forwards
Ref:
https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet

Safe use of redirects and forwards can be done in a number of ways:
  • Simply avoid using redirects and forwards.
  • If used, do not allow the URL as user input for the destination. This can usually be done. In this case, you should have a method to validate URLs.
  • If user input can’t be avoided, ensure that the supplied value is valid, appropriate for the application, and is authorized for the user.
  • It is recommended that any such destination input be mapped to a value, rather than the actual URL or portion of the URL, and that server side code translate this value to the target URL.
  • Sanitize input by creating a list of trusted URLs (a list of hosts or a regex).
  • Force all redirects to first go through a page notifying users that they are going off of your site, and have them click a link to confirm.
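The two checks recommended above (mapping destination input to an opaque value, and validating a supplied URL against a list of trusted hosts) as an added Python example; this is not code from the original post or from OWASP. The redirect map, the allowlisted hosts and the `example.com` names are constructed for the example. The URL validator goes a little beyond the bullet list: it also rejects the protocol-relative (`//host`), backslash, credential-in-authority, non-https and control-character variants that a plain host check would miss.

```python
"""Safe redirect handling (added example, not from the original post).

Two approaches from the OWASP cheat sheet referenced above:
1. Map an opaque key to a server-side destination (preferred).
2. If a full URL must be accepted, validate it against an allowlist of hosts.
"""
from urllib.parse import urlsplit

# Constructed sample mapping: keys come from user input, URLs never do.
REDIRECT_MAP = {
    "home": "/",
    "orders": "/account/orders",
    "help": "https://help.example.com/",
}

# Constructed allowlist of hosts (assumption for this example).
ALLOWED_HOSTS = {"shop.example.com", "help.example.com"}

DEFAULT_DESTINATION = "/"


def resolve_redirect_key(key):
    """Approach 1: translate an opaque key to a destination.

    Unknown keys fall back to a safe default instead of echoing input.
    """
    return REDIRECT_MAP.get(key, DEFAULT_DESTINATION)


def is_safe_redirect_url(url):
    """Approach 2: accept a URL only if it is a local path or an https URL on an allowlisted host."""
    if not isinstance(url, str) or not url:
        return False
    # Reject control characters and whitespace; browsers strip or reinterpret some of them.
    if any(ord(c) < 0x21 for c in url):
        return False
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError for a malformed port
    except ValueError:
        return False
    # Relative path on this site: a single leading "/" (not "//host" and not "/\host").
    if not parts.scheme and not parts.netloc:
        return url.startswith("/") and not url.startswith("//") and not url.startswith("/\\")
    # Absolute URL: only https, and only hosts we trust.
    if parts.scheme.lower() != "https":
        return False
    # Reject credentials in the authority ("https://trusted@evil") and explicit ports.
    if parts.username is not None or parts.password is not None or port is not None:
        return False
    host = (parts.hostname or "").lower()
    return host in ALLOWED_HOSTS


def safe_redirect_target(url):
    """Return the supplied URL if it passes validation, else the default destination."""
    return url if is_safe_redirect_url(url) else DEFAULT_DESTINATION


if __name__ == "__main__":
    for candidate in ["/account/orders", "//evil.example/x", "https://shop.example.com/cart",
                      "https://shop.example.com@evil.example/", "javascript:alert(1)"]:
        print(f"{candidate!r:45} -> {safe_redirect_target(candidate)}")
```

The key-mapping approach is the stronger of the two because the browser never sees a URL it can influence; the allowlist validator is for the case where a full URL genuinely has to be accepted, and an exact host match (not a prefix or substring match) is what keeps `shop.example.com.evil.example` out.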
