VA-PT of a Magento based application having Magento extension purchases - Cyber Security Case Study

Scenario

A web application built with WordPress was presented with limited scope; however, a full port scan of the test environment was permitted. The assessment resulted in high, medium and low severity issues.

Testing methodology

As the scope for the web application was limited, an automated scan was performed within the provided scope, while exploitation was carried out manually. For the web server, port status was checked with automated tools and exploitation was again performed manually.

Risk Found

    - Session mismanagement and account hijacking
    - Poor encryption leading to MITM attack
    - Session exploitation
    - Improper HTTP method usage allowing unnecessary communication with the server
    - Excessive information disclosure via clickjacking

Business Risk

----------