Here is another example, does your e-commerce site pass the cost of an item to your credit card processing system via a parameter in the URL? If so, it's easy for a hacker to alter the price by simply changing the URL. Hackers have used this technique in the past to get products or services at a discount. Some even changed the prices to negative values, which credited their account each time they placed an order!

Although such attacks are easy to defeat if tangible goods are being sold and delivered, this is not the case for intangible items such as downloadable software or expensive reports. Once a hacker has obtained the file there's nothing to stop him posting it on a public Web site for everyone to see and for all the search engines to find.

Not all hacks require such a degree of technical competency. Every popular Web browser lets users view the HTML source code of the current page, and many developers leave comments in HTML and Javascript code. Even something as innocuous as the name and phone number of the programmer can be exploited by hackers skilled in social engineering.


When Web sites comprised nothing more than a collection of HTML pages and fancy clipart, a Web server on the receiving end of a hacker's attention merely deprived customers from looking at your electronic glossy brochures for a couple of hours. But as sites have become online versions of the traditional call centre, taking enquiries and processing orders and delivering quotes, a crash or hack which puts the site out of business for just a few minutes will cost you real money and impact your revenue. And lots of it. The hardest part is knowing that you've been attacked, and thus realising that you need to take action. Checking your Web pages, transaction database and security logs regularly, can not even ensure your continuing immunity.

Consider the current darling of the Web development scene, namely Content Management Systems. A CMS product allows anyone in your organisation to update your Web site using some simple HTML forms and a password, and they can do it from anywhere via the Web. No need to have access to FTP as there are no files to upload. Need to add a story to the front of your site? Just enter a password and type away. But what if a hacker were to do this? A malicious, untrue news release posted on your site for just an hour, and which found its way onto the internet rumour mill, could halve a company's share price. And the harder you work to publicise your denial of the story, the more people get alerted to the fact that you've been hacked. So the hacker wins twice.

As a Web developer, keeping on top of hacker techniques is critical. And as you might expect, the Web itself is the key to doing so. One excellent site is www.owasp.org, home of the Open Web Application Security Project. This freely accessible site contains a wealth of information to help developers stay on top of the most important techniques for ensuring hacker-proof e-commerce sites. OWASP is a community project, staffed by developers from across the world who have agreed to share their experience and expertise in order to identify common threats and advise on how to prevent them. There are separate areas dealing with Javascript, PHP, SQL, ASP, and all the common development languages.