E-TİCARET SİTELLERİ İÇİN KATMANLI AÇIK TESPİT MODELİ: TASARIM VE DEĞERLENDİRME

Yıl 2026, Cilt: 8 Sayı: 2, 105 - 118, 27.02.2026

Kenan İslamoglu , Fatma Nur Akı

https://doi.org/10.56809/icujtas.1755050

https://izlik.org/JA68PA24YS

Öz

E-ticaret platformları, kullanıcı verileri ve finansal işlemleri bünyesinde barındırmaları nedeniyle siber saldırıların öncelikli hedefleri arasında yer almaktadır. Bu çalışma, e-ticaret sitelerinde yaygın olarak karşılaşılan güvenlik açıklarının etkili şekilde tespit edilmesini sağlamak amacıyla, literatürde ilk kez manuel ve otomatik analizleri entegre eden senaryoya dayalı, katmanlı bir tespit ve raporlama modeli önermektedir. Model; hedef belirleme, bilgi toplama, zafiyet tarama, açık doğrulama ve raporlama olmak üzere beş aşamalı bir yapıya sahiptir. OWASP ZAP, Burp Suite gibi otomatik araçların yanı sıra, kullanıcı davranışlarına dayalı manuel testlerle desteklenen yapı sayesinde tespitlerin doğruluk ve güvenilirlik seviyesi artırılmıştır. Farklılaştırıcı olarak, model yalnızca teknik analizle sınırlı kalmayıp CVSS tabanlı risk önceliklendirme ve yönetici seviyesine hitap eden, senaryo temelli karar destek raporlaması sunmaktadır. Değerlendirme sonuçları, SQL Injection ve XSS gibi kritik açıklıkların yüksek başarı oranıyla tespit edildiğini göstermektedir. Bu yönüyle çalışma, e-ticaret sistemlerinde sürdürülebilir güvenlik için literatüre katkı sunan özgün ve genişletilebilir bir yaklaşım ortaya koymaktadır.

Anahtar Kelimeler

E-ticaret Güvenliği , Güvenlik Açığı Tespiti , Zafiyet Tarama Araçları , CVSS , OWASP , Siber Güvenlik Modeli

A LAYARED VULNERABILITY DETECTION MODEL FOR E-COMMERCE PLATFORMS: DESIGN AND EVALUATION

https://izlik.org/JA68PA24YS

Öz

E-commerce platforms, due to their inherent exposure to sensitive user data and transactional flows, remain prominent targets for sophisticated cyber threats. This study introduces a novel multi-phase vulnerability assessment and reporting framework specifically tailored for e-commerce environments. The proposed model is distinguished by its integration of manual penetration testing and automated vulnerability scanning within a context-aware and scenario-specific architecture—an approach not previously consolidated in existing literature. The framework is structured across five sequential phases: reconnaissance, information enumeration, vulnerability detection, exploit validation, and risk-based reporting. Leveraging tools such as OWASP ZAP and Burp Suite, and enhanced with human-in-the-loop analysis techniques, the model significantly improves detection fidelity and reduces false positives.
A critical innovation lies in its use of CVSS-based risk scoring combined with dynamic, context-aware vulnerability mitigation strategies, enabling actionable insights for both technical practitioners and executive decision-makers. Empirical validation demonstrates the model’s efficacy in identifying high-impact vulnerabilities, including SQL Injection and Cross-Site Scripting (XSS), across real-world e-commerce implementations. Overall, the study contributes a scalable, reproducible, and technically robust methodology for enhancing cybersecurity resilience in e-commerce ecosystems.

Anahtar Kelimeler

Keywords: E-commerce Security , Vulnerability Assessment , Vulnerability Scanning Tools , CVSS , OWASP , Cybersecurity Architecture

Kaynakça

• Alshamrani, A., Myneni, S., Chowdhary, A., & Huang, D. (2019). A survey on advanced persistent threats: Techniques, solutions, challenges, and research opportunities. IEEE Communications Surveys & Tutorials, 21(2), 1851–1877. https://doi.org/10.1109/COMST.2019.2891891
• Anderson, R. (2020). Security engineering: A guide to building dependable distributed systems (3rd ed.). Wiley.
• Bau, J., Bursztein, E., Gupta, D., & Mitchell, J. (2010). State of the art: Automated black-box web application vulnerability testing. IEEE Symposium on Security and Privacy, 332–345. https://doi.org/10.1109/SP.2010.27
• Chaffey, D., & Ellis-Chadwick, F. (2019). Digital marketing (7th ed.). Pearson Education.
• Chen, H., & Zhao, F. (2018). Vulnerability detection in web applications: A systematic literature review. Journal of Systems and Software, 144, 314–327. https://doi.org/10.1016/j.jss.2018.07.002
• Choudhary, N., & Sharma, A. (2022). Web application vulnerabilities and security issues: A systematic mapping study. Journal of King Saud University - Computer and Information Sciences, 34(9), 6575–6590. https://doi.org/10.1016/j.jksuci.2021.04.008
• Doupe, A., Cova, M., & Vigna, G. (2010). Why Johnny can’t pentest: An analysis of black-box web vulnerability scanners. In International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (pp. 111–131). Springer. https://doi.org/10.1007/978-3-642-14215-4_6
• ENISA. (2023). Threat landscape 2023. European Union Agency for Cybersecurity. https://www.enisa.europa.eu/publications
• FIRST.org. (2019). Common vulnerability scoring system v3.1: Specification document. https://www.first.org/cvss/specification-document
• Fitzgerald, B., & Stol, K. J. (2015). Continuous software engineering: A roadmap and agenda. Journal of Systems and Software, 123, 176–189. https://doi.org/10.1016/j.jss.2015.06.063
• Geer, D. (2015). Penetration testing: A duel between attacker and defender. IEEE Security & Privacy, 13(3), 84–87. https://doi.org/10.1109/MSP.2015.65
• Goseva-Popstojanova, K., & Perhinschi, A. (2015). On the capability of static code analysis to detect security vulnerabilities. Information and Software Technology, 68, 18–33. https://doi.org/10.1016/j.infsof.2015.08.002
• Gupta, A., & Gupta, S. (2015). Cross-site scripting (XSS) attacks and defense mechanisms: Classification and state-of-the-art. International Journal of System Assurance Engineering and Management, 6(S1), 125–134. https://doi.org/10.1007/s13198-014-0270-z
• Halfond, W. G. J., Viegas, J., & Orso, A. (2006). A classification of SQL-injection attacks and countermeasures. In Proceedings of the IEEE International Symposium on Secure Software Engineering (pp. 13–15).
• Jamil, D., & Zaki, M. (2011). Security issues in cloud computing and countermeasures. International Journal of Engineering Science and Technology, 3(4), 2672–2676.
• Jovanovic, N., Kruegel, C., & Kirda, E. (2006). Static analysis for detecting taint-style vulnerabilities in web applications. Journal of Computer Security, 14(1), 57–85. https://doi.org/10.3233/JCS-2006-14103
• Li, Z., Xia, X., Lo, D., & Wang, X. (2018). Automatic detection of vulnerable source code in open source software: An empirical study. IEEE Transactions on Reliability, 67(3), 1231–1247. https://doi.org/10.1109/TR.2018.2834471
• Mell, P., Scarfone, K., & Romanosky, S. (2007). A complete guide to the Common Vulnerability Scoring System version 2.0. National Institute of Standards and Technology (NIST).
• NIST. (2022). Special publication 800-115: Technical guide to information security testing and assessment. National Institute of Standards and Technology.
• OWASP. (2023). OWASP top ten web application security risks – 2023. https://owasp.org/Top10
• Solove, D. J. (2007). The digital person: Technology and privacy in the information age. NYU Press.
• Suto, L. (2010). Analyzing the accuracy and time costs of web application security scanners. The Leviathan Security Group.
• Zhou, Y., Sharma, A., & Sadeghi, A.-R. (2020). Automated risk assessment and mitigation of web vulnerabilities using hybrid analysis. ACM Transactions on Privacy and Security, 23(1), 1–30. https://doi.org/10.1145/3378384