Many companies are beginning to use Web-to-print solutions in order to give their customers more flexibility to design and print products. Some of the best known examples include Shutterfly and Vistaprint, but many mid- and smaller-size printers are also venturing into Web-based print sales. These include Pageflex, NowDocs and Responsive Solutions.
There are several advantages to using these types of solutions. On the customer side, they get to enjoy the speed and convenience of an on-demand printing option. For the business, money that normally would be spent on a sales representative can be saved and spent elsewhere.
However, with any Web site available on the public Internet, security is a huge concern. And because Web-to-print sites are complex in the way they allow visitors to log in, upload images and choose various options, they are inherently more complicated to secure properly. In general, the team responsible for programming these Web sites is focused on aesthetics, functionality and performance. Security of the site is usually handled by a different group of people or, unfortunately, overlooked altogether.
Recently a customer of mine asked us to do a penetration test where essentially we posed as “bad guys” trying to see if we could compromise their network remotely. Specifically, they wanted us to target one of their Web sites – an e-commerce site where users could customize and buy branded apparel and other goods.
In a situation like this, there are dozens of cheap and/or free tools available on the Internet for a hacker to run a Web site through a series of initial security tests. Several of these tools “crawl” a site to discover as many links as possible within it. So if your site was www.print.com, for example, hackers would look at all the links that were visible on that site. Maybe you have a help area linked to www.print.com/help or a contact page at www.print.com/contact. But their tools are also going to dig deeper and try to find links which may not be publicly accessible but could lead to administrative logins or other unauthorized areas, such as www.print.com/admin.
In this example, this crawling technique was successful, and led us to a back-end administration page that looked very curious:
This login page had accompanying information with details on what kind of software the site ran on, as well as a specific version number. This kind of information is very useful to hackers, as they can use it to research known vulnerabilities that might affect this specific version. Or, it might aid them in finding what the default administrator username and password might be, in case the site’s managers forgot to change them.
We struck out on these first few efforts to gain access to the site, and next moved on to looking at weaknesses in the login scheme itself. One of the biggest weaknesses found in login pages is something called SQL injection. Without getting too technical (head to Wikipedia to learn more), SQL injection is a technique in which specially crafted data typed into the login and password fields gets interpreted as part of the application's database query rather than as plain text, so the application behaves in ways its developers never intended. For example, instead of just sending regular login requests – such as a username of bob and password of letmein – we might also try specially crafted statements that look like a garbled mess in order to confuse the application and let us log in.
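To make the weakness concrete, here is an added example (not code from the post or from any of the products it names) that puts a login check built by string concatenation beside its parameterized fix, against a constructed in-memory SQLite table. The table schema, the account and the crafted input are all assumptions made up for the demonstration.

```python
import sqlite3

def make_db():
    """Constructed stand-in for a site's user table (hypothetical schema).
    Passwords are kept in plain text only to keep the demo short; a real
    application stores a salted hash, never the password itself."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    db.execute("INSERT INTO users VALUES ('bob', 'letmein', 'admin')")
    return db

def login_vulnerable(db, username, password):
    """Builds the SQL text from user input. Quotes and comment markers in the
    input therefore change the structure of the query, not just its values."""
    sql = ("SELECT username, role FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return db.execute(sql).fetchone()

def login_fixed(db, username, password):
    """Parameterized query: the SQL text is fixed and the driver binds the
    input as data, so whatever the user typed is only ever compared as a
    string. This is the standard remediation OWASP recommends."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone()

if __name__ == "__main__":
    db = make_db()
    # A legitimate login succeeds under both versions.
    print(login_vulnerable(db, "bob", "letmein"), login_fixed(db, "bob", "letmein"))
    # Constructed crafted input: the leading quote closes the username literal,
    # the OR makes the WHERE clause always true, and "--" comments out the
    # password comparison. Only the concatenated query is fooled by it.
    crafted = "' OR '1'='1' --"
    print(login_vulnerable(db, crafted, "anything"))  # returns bob's admin row
    print(login_fixed(db, crafted, "anything"))       # returns None
```

The same parameter-binding pattern exists in every mainstream database driver, so the fix is a small code change rather than an input filter that tries to guess which characters are dangerous.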
By doing just a few simple attacks of this nature, we were surprised to suddenly find ourselves looking at the administration page of the site’s e-commerce system:
From this page we could see all customer information (including address and phone numbers) as well as their order history. In addition, we could have edited the product list and pricing, and even downloaded financial reports in Excel format in just a few mouse clicks.
Keep in mind, we gained access to this page without a valid username and password. We did not have to trick any employees into giving us account credentials, nor did we have to breach their internal company network. And from start to finish, this attack took about 15 minutes, used tools freely available on the Internet, and was not considered an advanced attack by any means. In fact, this kind of attack is so trivial – yet so prevalent on the Internet – that an organization called OWASP has put together a top 10 list of Web attacks with guidance on how to defend against them.
In conclusion, if you are setting out to use or build a Web-to-print solution, make sure security is at the forefront of the process – not an afterthought. Ensure the application receives a professional penetration test on a regular schedule (such as quarterly or yearly). If you are interested in doing your own tests, one popular tool is Acunetix, which has a 14-day free trial. If budget is a constraint, the aforementioned OWASP organization has a free tool called the Zed Attack Proxy you can use to test your site. But again, having it professionally tested is recommended, as true penetration testing firms are going to dig deeper and test for risks that an automated tool cannot find on its own.