Be Afraid, be very afraid

2009-05-03 00:05:05

Mon, 22 Sep 08 12:21:34 -0600

Be afraid, be VERY afraid.
I did a Google search for "shopping carts" in search of a good shopping cart for a client of mine, and naturally, opted to pen test the demos.

Not expecting to find any security holes in professional paid shopping carts, I went forward anyway.

What I found will shock and astound you.

XSS, SQL injection, potential database exposition, you name it, I found it.

I have been in a dither all day since discovering these exploits.

Naturally, I contacted the makers with the nature of the exploits, and how to correct them, but so far, I have received no replies (I sent them around 2:00am this morning, Sept 22, 08).

I am scared to shop online now.

At this point, my recommendation would be to shop only at major stores, such as eBay, amazon.com, overstock.com, buy.com, etc., as they have been pretty well tested by every blackhat on the planet.

Beyond that, I cannot distribute a list of exploits to the public until a patch has been released and is in widespread use.

I am not sure about the legalities of distributing a list of vulnerable shopping carts at this point, so I will render my personal suggestion to anyone wanting to do E-Commerce on their website: Google Checkout and PayPal.

My personal favorite being Google Checkout, because it has far more features, the rates are lower, more modifiable and customizable, and it has this cool feature:

Get free transaction processing when you use Google AdWords

When you use Google Checkout to process your sales, you'll only be charged a low 2% + $0.20 per transaction. If you advertise with Google AdWords, you will also be eligible for free credit card processing for some or all of your Google Checkout sales. And there are no monthly, setup or gateway fees.

Please note that the free transaction processing you accrue through your AdWords account can only be applied towards the business that is advertised on AdWords. The linked AdWords and Checkout accounts must be used for the same business purposes.

That being said, PayPal has a long history of effective fraud protection, and I have not heard about Google Checkout's deal yet. The link to their fraud protection is Here for Google Checkout and Here for PayPal.

Beyond those, I'd say AgoraCart is one of the better Open Source shopping carts out there. I would suggest it based on security and extensibility.
