
Ecommerce Solution Pentesting for a Company Providing Software for Airlines
Industry
Travel & Hospitality
Technologies
Mobile
About
The Customer is a European company, which offers a customer-facing ecommerce cloud platform to airline companies. The platform is designed to facilitate product information and order management for the airlines.
Challenge
The Customer wanted to get penetration testing of their ecommerce platform to evaluate its security level. They turned to VolgoTechnologies security testing team to get the services they needed and find out whether there were any vulnerabilities in their solution that could be exploited by hackers.
Solution
VolgoTechnologies security testing team conducted black box penetration testing of the Customer's ecommerce platform, using tools and techniques consistent with an ethical hacking methodology. VolgoTechnologies security engineers identified four vulnerabilities in the Customer's ecommerce platform and classified them according to their severity.
The login form of the Customer's platform was not properly protected against brute-force attacks: VolgoTechnologies security engineers were able to make multiple unsuccessful login attempts and then log in successfully, with no lockout or throttling applied. The security testing team recommended that the Customer limit the number of failed login attempts per user; the exact number of attempts was left for the Customer to decide.
CSRF (cross-site request forgery) refers to the possibility of exploiting the Customer's ecommerce platform by transmitting unauthorized commands on behalf of users that the platform trusts. The VolgoTechnologies security testing team recommended enforcing protection against CSRF attacks by including an additional token in relevant requests. The token should be generated with a cryptographically secure random number generator, and each token should be bound to a particular user session.
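As an added illustration of the two recommendations above (not code from the Customer's platform or from VolgoTechnologies), the following Python sketch shows a per-user failed-login limit with a temporary lockout, and a per-session CSRF token generated with a CSPRNG and checked in constant time; the attempt limit, lockout duration, function names and in-memory stores are assumptions.

```python
import hmac
import secrets
import time
from collections import defaultdict

MAX_FAILED_ATTEMPTS = 5   # assumed policy; the case study left the limit to the Customer
LOCKOUT_SECONDS = 900     # assumed lockout duration after the limit is reached


class LoginThrottle:
    """Counts consecutive failed logins per user; locks the account once the limit is reached."""
    def __init__(self, clock=time.time):
        self.clock = clock
        self.failed = defaultdict(int)   # username -> consecutive failures
        self.locked_until = {}           # username -> time the lockout expires

    def is_locked(self, user):
        until = self.locked_until.get(user)
        if until is not None and self.clock() < until:
            return True
        self.locked_until.pop(user, None)  # expired or absent: clear stale state
        return False

    def record(self, user, success):
        if success:
            self.failed[user] = 0
            self.locked_until.pop(user, None)
            return
        self.failed[user] += 1
        if self.failed[user] >= MAX_FAILED_ATTEMPTS:
            self.failed[user] = 0
            self.locked_until[user] = self.clock() + LOCKOUT_SECONDS


def login(throttle, credentials, user, password):
    """Returns 'locked', 'ok' or 'bad'; the lock is checked before the password is verified."""
    if throttle.is_locked(user):
        return "locked"
    ok = hmac.compare_digest(credentials.get(user, ""), password)  # stand-in for a hash check
    throttle.record(user, ok)
    return "ok" if ok else "bad"


def issue_csrf_token(session):
    """Generates a CSRF token with a CSPRNG and binds it to this session."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def verify_csrf_token(session, submitted):
    """Accepts only the token stored in the caller's own session, compared in constant time."""
    expected = session.get("csrf_token")
    return bool(expected and submitted) and hmac.compare_digest(expected, submitted)
```

In a real deployment the credential check would verify a password hash and the throttle state would live in a shared store rather than process memory.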

Results
The Customer obtained an evaluation of the security level of their ecommerce cloud platform. Penetration testing allowed the security engineers to identify four vulnerabilities in the Customer's platform. The Customer received a list of corrective measures aimed at eliminating these weaknesses and raising the platform's protection level.
Technologies and Tools
Metasploit, Nmap, SQLMap, Nikto, DIRB, Burpsuite, Nessus, Zmap