E-Commerce System

Online shops process credit card and customer data under high time pressure, which makes them a primary target for data theft and automated card skimming.

Your Strategy

Protect the integrity of your frontend scripts through Subresource Integrity (SRI) and a restrictive CSP. Validate every step of the checkout process on the server to prevent price manipulation and unauthorized discounts.
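The second half of that strategy, server-side checkout validation, as an added example (not the page's or AYSOLI's own code): the catalog, the discount rule and the cart payload are constructed for illustration, and the check goes slightly beyond the text by also bounding quantities and enforcing discount eligibility rather than only ignoring client prices.

```python
"""Server-side checkout validation: never trust client-supplied prices or discounts."""
from decimal import Decimal

# Constructed catalog: SKU -> authoritative unit price (EUR), held server side.
CATALOG = {
    "SKU-100": Decimal("49.90"),
    "SKU-200": Decimal("9.99"),
}

# Constructed discount rules: code -> percent off and minimum eligible subtotal.
DISCOUNTS = {
    "WELCOME10": {"percent": 10, "min_subtotal": Decimal("30.00")},
}

MAX_QTY_PER_LINE = 20  # assumed business limit; also blocks integer-overflow style abuse


class CheckoutError(ValueError):
    """Raised when the submitted cart must be rejected rather than repaired."""


def compute_total(cart: dict) -> Decimal:
    """Recompute the order total from server-side data only.

    `cart` is the client's decoded payload, e.g.
    {"items": [{"sku": "SKU-100", "qty": 2, "price": "0.01"}], "discount": "WELCOME10"}
    Any "price" sent by the client is ignored; quantities are bounds-checked;
    a discount code must exist and its minimum-subtotal rule must hold.
    """
    subtotal = Decimal("0")
    for line in cart.get("items", []):
        sku = line.get("sku")
        if sku not in CATALOG:
            raise CheckoutError(f"unknown product {sku!r}")
        qty = line.get("qty")
        # bool is a subclass of int, so exclude it explicitly
        if isinstance(qty, bool) or not isinstance(qty, int):
            raise CheckoutError(f"invalid quantity type for {sku}")
        if qty < 1 or qty > MAX_QTY_PER_LINE:
            raise CheckoutError(f"quantity out of range for {sku}")
        subtotal += CATALOG[sku] * qty  # the client's "price" field is never consulted

    code = cart.get("discount")
    if code is None:
        return subtotal
    rule = DISCOUNTS.get(code)
    if rule is None or subtotal < rule["min_subtotal"]:
        raise CheckoutError("discount code not applicable")
    discount = (subtotal * rule["percent"] / 100).quantize(Decimal("0.01"))
    return subtotal - discount
```

The same recomputation should run again when the payment gateway is called, so that the amount charged is derived from the server's figure and not from anything the browser posted.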

Best Practices

  • Payment Isolation: Use only certified, external payment gateways (PCI-DSS compliant).
  • Bot Defense: Implement behavioral analysis to block scraping and credential stuffing.
  • Compliance: Ensure that the right to erasure (GDPR) can be fulfilled automatically for all customer data.

STRIDE-LM Design Risks

  • S-WEB-02 (Spoofing): Broken Authentication. Vulnerabilities in session management or the login process.
  • T-WEB-01 (Tampering): Application Logic Tampering. Manipulation of application logic to gain advantages.
  • T-WEB-03 (Tampering): SQL Injection. Injecting malicious database commands via user input.
  • I-WEB-01 (Information Disclosure): Sensitive PII Exposure. Disclosure of personally identifiable information (GDPR risk).
  • D-WEB-01 (Denial of Service): Application Layer DoS. Exhaustion of resources through complex web requests.
  • E-WEB-01 (Elevation of Privilege): Insecure Direct Object Reference (IDOR). Accessing data objects by manipulating references.
  • L-01 (Lateral Movement): Lateral Movement. Accessing further internal systems after an initial login.
  • M-WEB-02 (Monitoring Gaps): Missing Security Headers. Protective mechanisms in the HTTP response headers are not configured.

MITRE ATT&CK® Techniques

Reconnaissance

T1595 Active Scanning: active scanning of web infrastructure for vulnerabilities.
Mitigated by:
  • Bot Management & Anti-Scraping (Extended Protection, Medium); CIS: 12.1; OWASP: A04:2021
  • Rate Limiting & Throttling (Baseline Protection, Low); CIS: 12.1; OWASP: API4
Initial Access

T1190 Exploit Public-Facing Application: exploiting vulnerabilities in internet-facing services.
Mitigated by:
  • Input Validation & Sanitization (Baseline Protection, Medium); CIS: 16.11; OWASP: A03:2021
  • Strict Transport Security (TLS 1.3) (Baseline Protection, Low); CIS: 6.3; OWASP: A02:2021
  • Dynamic Application Security Testing (DAST) (Extended Protection, Medium); CIS: 18.1; OWASP: ASVS

T1566 Phishing: delivering malicious content via electronic communication.
Mitigated by:
  • Content Security Policy (CSP) (Baseline Protection, Medium); CIS: 16.11; OWASP: A03:2021
  • Security Headers (X-Frame / Content-Type) (Baseline Protection, Low); CIS: 16.11; OWASP: A05:2021
  • Output Content Filtering (Baseline Protection, Low); NIST: AI-1.2; OWASP: LLM02
Execution

T1059.007 JavaScript Injection: execution of malicious code in the victim's browser.
Mitigated by:
  • Content Security Policy (CSP) (Baseline Protection, Medium); CIS: 16.11; OWASP: A03:2021
  • Input Validation & Sanitization (Baseline Protection, Medium); CIS: 16.11; OWASP: A03:2021
  • Subresource Integrity (SRI) (Baseline Protection, Low); CIS: 16.11; OWASP: A06:2021
  • Dynamic Application Security Testing (DAST) (Extended Protection, Medium); CIS: 18.1; OWASP: ASVS
  • Security Headers (X-Frame / Content-Type) (Baseline Protection, Low); CIS: 16.11; OWASP: A05:2021
  • Output Content Filtering (Baseline Protection, Low); NIST: AI-1.2; OWASP: LLM02
Persistence

T1505.003 Web Shell: installation of a backdoor on the web server.
Mitigated by:
  • Input Validation & Sanitization (Baseline Protection, Medium); CIS: 16.11; OWASP: A03:2021
  • Dynamic Application Security Testing (DAST) (Extended Protection, Medium); CIS: 18.1; OWASP: ASVS
Credential Access

T1539 Steal Web Session Cookie: capturing active session tokens to bypass authentication.
Mitigated by:
  • Secure Cookie Attributes (Baseline Protection, Low); NIST: PR.DS-1; OWASP: A07:2021
  • HTTP Strict Transport Security (HSTS) (Baseline Protection, Low); CIS: 16.11; OWASP: A05:2021
  • Strict Transport Security (TLS 1.3) (Baseline Protection, Low); CIS: 6.3; OWASP: A02:2021

T1110 Brute Force: attempts to gain access to accounts or API keys through systematic trial and error.
Mitigated by:
  • Bot Management & Anti-Scraping (Extended Protection, Medium); CIS: 12.1; OWASP: A04:2021
  • Rate Limiting & Throttling (Baseline Protection, Low); CIS: 12.1; OWASP: API4

T1552 Credentials from Password Stores: extracting passwords from web browsers or password managers.
Mitigated by:
  • Output Content Filtering (Baseline Protection, Low); NIST: AI-1.2; OWASP: LLM02

T1557 Adversary-in-the-Middle: intercepting communication between two parties.
Mitigated by:
  • HTTP Strict Transport Security (HSTS) (Baseline Protection, Low); CIS: 16.11; OWASP: A05:2021
  • Strict Transport Security (TLS 1.3) (Baseline Protection, Low); CIS: 6.3; OWASP: A02:2021
Command & Control

T1568 Dynamic Resolution: dynamic generation of targets for concealment (domain fronting).
Mitigated by:
  • Content Security Policy (CSP) (Baseline Protection, Medium); CIS: 16.11; OWASP: A03:2021
  • Subresource Integrity (SRI) (Baseline Protection, Low); CIS: 16.11; OWASP: A06:2021
Exfiltration

T1020 Automated Exfiltration: automated exfiltration of data via interfaces.
Mitigated by:
  • Bot Management & Anti-Scraping (Extended Protection, Medium); CIS: 12.1; OWASP: A04:2021
  • Rate Limiting & Throttling (Baseline Protection, Low); CIS: 12.1; OWASP: API4
  • Output Content Filtering (Baseline Protection, Low); NIST: AI-1.2; OWASP: LLM02

E-Commerce System | IT Security Checklist for SMEs · AYSOLI Security Hub