Evaluation of Most Visited E-Commerce Web Sites in Turkey in Aspects of Structure and Security

Abstract: Applications on the World Wide Web have made our daily lives easier with their simple and fast access; being independent of time and place, they have become indispensable. This has made web applications a popular target for malicious users and has increased web security risk. This study discusses web penetration testing, which is indispensable for web security, and the risks that threaten it. In Turkey, the 12 most visited e-commerce sites were scanned as an ordinary user in order to assess the general security situation of these websites. The information about these sites, such as the technologies and infrastructure used, which can be regarded as a vulnerability of the sites and can be obtained by an ordinary person using penetration tests, was investigated in this study.


Introduction
Information is important in this century. However, its secrecy, integrity and accessibility, as in "Information Security", are important as well. Information security is the effort to create a secure information processing platform that protects information or data in the electronic environment from unauthorized access while it is stored and transported, without disrupting its integrity [1]. There are various difficulties in ensuring information security: the transformation of management needs related to information security and methodology, improper configuration of network security devices, neglecting security in projects because of time and cost, and a lack of knowledge about information security among an institution's employees [2]. Internet and web security concerns grow every day, because millions of users rely on them in all areas of life, from finance to health and from communication to entertainment. The Internet has become an integral part of our daily lives, providing unprecedented convenience through web and mobile applications [3].
Since web applications are by definition open to everyone, including hackers, securing these applications is troublesome [4].
Since information security is important nowadays, there are many studies in the literature. Polat [5] discussed the importance of penetration testing, which should be performed periodically for information security, by describing the types of penetration tests, the study methodology and the forms of application. Stiawan et al. [6] analyzed cyberattack techniques and the anatomy of penetration tests to assist security officers in performing appropriate self-assessments of the security of their network systems. Sandhya et al. [7] focused on the threat of data exposure by surveying various tools for penetration testing; in addition, they provided a sample of basic penetration testing using Wireshark. Nixon and Haile [8] performed penetration tests on WLAN security protocols and MAC filtering, using a computer with the Kali Linux operating system. As a result of various experiments, they observed many loopholes in WLAN and proposed a solution to secure the WLAN using a Pseudo Random MAC Address Generation Algorithm called PRMACGA. Bullee et al. [9] investigated the extent to which persuasion principles are used in successful social engineering attacks. They extracted 74 scenarios from the social engineering literature and analyzed them. Each scenario was split into attack steps, each containing a single interaction between offender and target, and for each attack step the persuasion principles were identified. From the scenario analysis they determined how the human element in security is exploited. Wu et al. [10] analyzed the measures by which a social planner, such as a government or industry association, controls firms' security decisions. Their results show that the precautions taken are not always effective, and they recommend that social planners enhance or attenuate the level of control over the two security decisions based on the realistic security and business environment. Čisar et al. [11] discussed the assessment of information system security, focusing on three major features of an information system's security: availability, integrity and confidentiality. Their paper presents a wide-ranging overview of the possible uses, benefits and drawbacks of the Kali Linux operating system. Stasinopoulos et al. [12] proposed an open-source tool named Commix that automates the process of detecting and exploiting command injection flaws in web applications. They presented and elaborated on the software architecture and detection engine of Commix, as well as the extra functionalities that greatly facilitate penetration testers and security researchers in the detection and exploitation of command injection vulnerabilities.
In this study, several e-commerce websites were scanned using web penetration test methods via statistics sites and open-source programs, and information was collected about the technologies and infrastructure they use.

Material and Method
Penetration tests are important for assessing websites in terms of structure and security. Thus, this study explains penetration test methods and their use.
Penetration tests are a group of tests that reveal in advance the harm that an attacker (hacker, former employee, script kiddie, etc.) or malware (worm, virus, Trojan horse, spyware, etc.) could cause to an information technology infrastructure and an institution's data flow [13]. Web security penetration tests and the methods used are shown in Table 1. In this study, the information gathering, vulnerability scanning and analysis steps of the penetration test methods were taken as the basis. The method followed is shown in Figure 1. Following this method, information about the infrastructure and technology of the determined websites is gathered first, and then comparisons are made via vulnerability scans.
a. The information to be gathered from the perspective of structure and the technology they use is shown in Table 2:
1. Operating system used
2. Their choice of web server
3. The platform they work on
4. Security equipment used
5. Web tracers
In order to gather and evaluate the information about the websites, the determined websites were first scanned at Shodan and Netcraft, which are analysis websites. Then the necessary information about the websites was gathered using Nikto and Paros, which are scanner programs for information gathering in Kali Linux.
According to the method followed, the second step is the vulnerability scan.
b. The determined websites were scanned first with the Acunetix program and then with the trial version of the commercial Nessus program, for weakness detection and for detailing the weaknesses found.
Information to be gathered for vulnerability analysis:
- Weakness level of the websites,
- Which weaknesses are encountered in which category,
- Weakness evaluation.

Results
Information about the analyzed websites, gathered from the perspective of the structure and technology they use and from the perspective of weakness analysis, is presented here. The results below were obtained at the end of the study.

Structural Results
The operating system used, web host software, platform they work on, security equipment used, location and web trackers of the websites chosen from Turkey's most visited websites are given below in Tables 3, 4, 5 and 6. It is a known fact that finding out the operating system used on the server and the web server software helps information gathering, which is the first step of an attack. However, Web Application Firewall (WAF) software hinders the information-gathering procedure called footprinting. Hence, no information could be gathered about some websites' operating system and web host software. As seen in Table 3, 25% of the web servers use Linux as the operating system, while 33.33% of them use Windows 2008. A website was detected that uses Windows 2003 Server, for which Microsoft has provided no support since July 14, 2015, and which will receive no more security patches. As seen in Table 4, the percentage of sites choosing IIS (latest version 10.0) as web host software is 41.67%, and all of them use old versions. Among the examined websites, the web host software Nginx (latest version 1.13) is used by 16.6%. Older versions of the Nginx software can be the cause of some weaknesses, such as remote exploits. No websites use PWS software or IIS 7.0. According to Table 5, .NET is the most used platform, with 58.33%. As shown in Table 6, 4 websites (33.33%) use security equipment, while the equipment of the other 8 websites could not be detected. It has been seen that Citrix NetScaler and F5 BIG-IP are used as WAF by 2 websites; these devices distribute traffic between the determined hosts as a load balancer and protect especially against injection and XSS attacks.

Results from Weaknesses Perspective
The Acunetix and Nessus programs classify the vulnerabilities they find into four levels: high, medium, low and information. The information level can be ignored, while the high level is critical and must be addressed immediately. In this study, the determined websites were scanned in the computer laboratory with the Acunetix and Nessus programs on 14, 15 and 16 June 2017.
a. Evaluation of the scan results with Acunetix: A total of 60 websites were scanned with the Acunetix program, each scan lasting an hour. The vulnerability levels found in the results of scanning with the Acunetix program are shown in Table 7. As shown in Table 7, no site has a high-risk vulnerability, and most of the vulnerabilities are of low degree.
b. Evaluation of the scan results with Nessus: The determined websites were scanned with the Nessus program; each scan lasted an hour. The vulnerability levels found in the results of scanning with the Nessus program are shown in Table 8.
As shown in Table 8, no site has a high-risk vulnerability, and most sites have medium-level vulnerabilities.
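As an added example (not code from the paper or its authors), the following Python function audits the headers of a captured HTTP response for the findings the paper reports most often: the missing X-Frame-Options header and cookies without the HttpOnly flag from the Acunetix scans, plus the Server and X-Powered-By version strings that aid the footprinting discussed under Structural Results. The sample header lines are constructed for this example; the cookie names and version numbers in them are assumed.

```python
import re

# Constructed sample of raw response header lines from a hypothetical site;
# the cookie names and version strings are made up for this example.
SAMPLE_HEADERS = [
    "HTTP/1.1 200 OK",
    "Server: nginx/1.10.3",
    "X-Powered-By: ASP.NET",
    "Set-Cookie: sessionid=abc123; Path=/; Secure",
    "Set-Cookie: lang=tr; Path=/; HttpOnly",
    "Content-Type: text/html",
]


def parse_headers(lines):
    """Return (name, value) pairs with lower-cased names, keeping repeated
    headers such as multiple Set-Cookie lines. The status line is skipped."""
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def audit(lines):
    """Return findings as (level, description) pairs, using the low and
    information levels that Acunetix assigned to these checks in the paper."""
    hdrs = parse_headers(lines)
    get = lambda name: [v for k, v in hdrs if k == name]
    findings = []
    # Clickjacking: neither X-Frame-Options nor a CSP frame-ancestors directive.
    csp = " ".join(get("content-security-policy"))
    if not get("x-frame-options") and "frame-ancestors" not in csp:
        findings.append(("low", "Clickjacking: X-Frame-Options header missing"))
    # A cookie without HttpOnly is readable by page script, so XSS can steal it.
    for cookie in get("set-cookie"):
        name = cookie.split("=", 1)[0].strip()
        flags = [f.strip().lower() for f in cookie.split(";")[1:]]
        if "httponly" not in flags:
            findings.append(("low", f"Cookie without HttpOnly flag set: {name}"))
    # Version strings in Server / X-Powered-By ease the footprinting step.
    for header in ("server", "x-powered-by"):
        for value in get(header):
            if re.search(r"\d+\.\d+", value):
                findings.append(("information", f"{header} discloses version: {value}"))
    return findings
```

Running `audit(SAMPLE_HEADERS)` on the constructed sample reports the clickjacking finding, the `sessionid` cookie and the nginx version; a response with `X-Frame-Options: DENY`, HttpOnly on every cookie and a bare `Server: nginx` produces no findings.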

Conclusion and Suggestions
This research generates a template for Turkey's 12 most visited e-commerce websites, both from the perspective of the technology they use and from the perspective of their weaknesses, and sets an example for seeing their structure and deficiencies. It has been shown what kind of information can be collected about a public website and what kind of vulnerability scanning can be done by an ordinary user.
Web applications constitute a great part of security flaws, since they are both open to the public and independent of time and place. This study shows that the most visited websites in Turkey have a considerable number of vulnerabilities. Especially the medium-level weaknesses cannot be ignored.
As a result of the study:
- Unix or a Unix-derivative operating system is the most preferred, with 25%.
- As the web server, nginx software is preferred by 16.67%.
- When it comes to the platform used, .NET is the most preferred, with 58.33%.
- 33.33% of the determined websites use security equipment.
- In the Acunetix software scans, "Clickjacking: X-Frame-Options Header Missing" and "Cookie Without HttpOnly Flag Set" are the most common weaknesses at the low risk level, with 25%.
- According to the Nessus program, "Web Application Potentially Vulnerable to Clickjacking" is the most common weakness at the medium risk level, found with 80%.
- Given the considerable number of vulnerabilities, web applications should be penetration tested at determined intervals in order to identify possible attacks or threats beforehand, to see deficiencies and to take precautions against them.
- The most visited sites use a firewall managed by specialists. There are few vulnerabilities in such sites, and the information available to hackers is less than for sites without a firewall.
- The differences in security within the group result from different business policies.
- Websites built by people with a low knowledge level have more weaknesses.
- Using ready-made code increases weaknesses.
- For the examined websites, keeping software up to date must be a concern, since outdated software is the reason they have high-level risky weaknesses.
- It has been determined that collecting information from sites that use a WAF is difficult. Using a WAF is recommended to prevent attackers from gathering the information they require.
- Checking websites against the weaknesses in the OWASP Top 10 list, manually or with a program, is necessary to have
- Against the CSRF exploit threat, which is seen on most websites, using CAPTCHA or "I am not a robot" is suggested.