Ecommerce: External Script Audit

Posted on 2015-02-20
Last Modified: 2015-03-19
A friend runs an ecommerce company and has asked for some help. The company started small, selling private label fashion, but has now grown rapidly and has a lot of traffic.

Over time his team have implemented many external scripts (tracking pixels, external advertising scripts, third part consumer behaviour scripts etc). He is concerned about how to audit all of these effectively (and on an ongoing basis) to ensure everything is legitimate and none of these scripts are presenting a security concern for his shoppers. Either because it is malicious, or because it is simply doing more with their data than it is supposed to.

What is the best way to go about this? Is there potentially a ‘hygiene code checker’ type module out there for checking remote code before its executed on a client’s machine?

Any advice or pointing at a product/service provider who could help would be much appreciated.

Thanks team!!!
Question by:Roger Adams
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
LVL 110

Expert Comment

by:Ray Paseur
ID: 40622368
What is the URL of the site you're talking about?

What's the concern here -- JavaScript or PHP?

Author Comment

by:Roger Adams
ID: 40622399
It's third party javascript primarily, being called from internal ecommerce platform code. The code base has grown so quickly, how does one do the following in a timely manner:
1. Identify all external scripts so they can be reviewed individually and manually?
2. Parse or verify the code in these scripts to ensure there is nothing malicious or customer details are not misused?
3. How can the security team identify and monitor external scripts on an ongoing basis?

Manual review of the code is always an option, and the current solution. But is there a better way?

Thanks in advance
LVL 81

Expert Comment

by:David Johnson, CD, MVP
ID: 40622514
It is probably time for a demolish and rebuild
I hope they didn't build there own e-commerce but use a payment provider.  Building a secure payment module is prone to errors and subsequent security problems. using a payment provider removes these security concerns from your site to the payment provider. This also keeps the customers private information off of your site.  Even Steve Gibson of and a security expert uses a payment provider as he did not want the responsibility of keeping his customers data secure on his hosted website.
Revamp Your Training Process

Drastically shorten your training time with WalkMe's advanced online training solution that Guides your trainees to action.


Author Comment

by:Roger Adams
ID: 40622741
My impression is that the payment module is fine.

He is more concerned about third party scripts that deliver legitimate services. Such as  track user behaviours, display a scroll bar of products down the side, display a product based on what the user might like etc. All of these are provided by legitimate third party companies. The owner of the site is trying to think proactively about possible threats to their shoppers in the future; what if one of these providers are hacked and this trusted script is suddenly modified to serve some kind of malware to shoppers?

Even a rebuild would only give some assurance about what is in place at that moment in time. No matter how well you manually attempt to catalogue things, these ecommerce sites grow at furious rates and within six months it would be a mess again.

Does that make sense?
LVL 110

Accepted Solution

Ray Paseur earned 500 total points
ID: 40622970
Yes, that makes sense.  It's a software "anti-pattern" that can be largely solved with Composer.  Composer allows you to designate the scripts and release levels that your application depends on ("Dependencies") so you know you're always building on a stable code base.  There are similar dependency injectors for JavaScript, and task runners that can build your libraries for you (Grunt, Gulp, etc.)  These help keep your work organized and your dependencies at known, trusted and stable release levels.

For the most part, if you start with trusted components and download your own copies (or serve only from the stable CDNs like Google and Twitter), you will be OK.  If you're unsure about the stability of a script, just make an MD5() digest string from the code (sort of like what GitHub does).  If the md5() ever changes you can flag the code for review.

To your specific questions...

1. Identify external scripts?  No problem if you're using Composer.  Otherwise, begin the task by reading the HTML documents and looking for off-site URLs.  This is a time-consuming task, so prepare to spend a while making the inventory.

2. Verify there is nothing malicious?  Expect there to be malware in anything you're getting from a tainted external source!  Read the source code.  If the code comes from a reasonably popular and well-respected source like GitHub, you've got a fair chance that other people are reading the code, too.  And if there are security holes found in open-source software they are usually patched immediately.  If the code is from third-party suppliers who are not part of the open-source community, you have to trust them.  If you can't trust them, don't depend on them, full stop.

3. Identify and monitor... ongoing basis? Information technology security is a full-time four year college major today.  The threats are always changing and there's no answer you can get in a forum that will keep you protected in the future.  In fact, it you start that college major today, by the time you graduate there will be new threats entering the world and curriculum.  Most installations concerned with security (especially those growing very fast) will have on-staff professionals or will hire a consultancy like PwC or McKinsey to help monitor the ever-changing threats and issues.  If you want the management-level overview, consider joining OWASP and becoming active in their work.

It should go without saying, but I'll say it anyway -- if someone deploys a site that depends on foreign code without understanding exactly what the code does, well, they probably deserve what they're going to get!  If you were thirsty and you found a bottle of unknown liquid would you close your eyes, hold your nose, and drink it?
LVL 81

Expert Comment

by:David Johnson, CD, MVP
ID: 40623550
most malware will be inside of your database or via a sql injection when you don't validate all user input.

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Part of the Global Positioning System A geocode ( is the major subset of a GPS coordinate (, the other parts being the altitude and t…
International Data Corporation (IDC) prognosticates that before the current the year gets over disbursing on IT framework products to be sent in cloud environs will be $37.1B.
Learn how to match and substitute tagged data using PHP regular expressions. Demonstrated on Windows 7, but also applies to other operating systems. Demonstrated technique applies to PHP (all versions) and Firefox, but very similar techniques will w…
The viewer will learn how to count occurrences of each item in an array.

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question