SlideShare a Scribd company logo

Opencart security testing

V
vikram vashisth

This document discusses security best practices for OpenCart including detecting bugs through automated testing, manual testing, log analysis and static code analysis. It recommends security tools like OWASP ZAP, Burp Suite and Kibana to help identify vulnerabilities. Specific vulnerabilities covered include injection, broken authentication, cross-site scripting, insecure direct object references, security misconfiguration and sensitive data exposure. It also provides tips on analyzing log and error messages to find security issues in OpenCart stores.

Education
Related topics:
Cyber-SecuritySoftware Testing Insights Security TestingWeb Security Overview
1 of 13
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
Getting started with: OpenCart Security By - Vikram Vashisth
Topics To be discussed ● Detecting bugs ● Security tools ● Remediation ● Conclusions
Opencart security testing
A1: InjectionA1: Injection A2: Broken Authentication and Session Management A2: Broken Authentication and Session Management A3: Cross-Site Scripting (XSS) A3: Cross-Site Scripting (XSS) A4: Insecure Direct Object References A4: Insecure Direct Object References A5: Security Misconfigurati on A5: Security Misconfigurati on A6: Sensitive Data Exposure A6: Sensitive Data Exposure A7: Missing Function Level Access Control A7: Missing Function Level Access Control A8: Cross Site Request Forgery (CSRF) A8: Cross Site Request Forgery (CSRF) A9: Using Known Vulnerable Components A9: Using Known Vulnerable Components A10: Unvalidated Redirects and Forwards A10: Unvalidated Redirects and Forwards
Vulnerability Statistics of Opencart
How to detect bugs? ● Automated testing ● Manual testing ● Log analysis ● Static code analysis ● Fatal errors
Security Tools : ● Owasp ZAP ● RIPS ● Burp Suite ● Sqlmap ● Kibana (ELK)
Static code analysis using RIPS :
Manual testing using Burp Suite ● cross-site scripting ● CSRF ● code execution ● file upload ● IDOR ...
Automated scanning tools : ●Owasp ZAP ●VEGA ●Selenium
Log analysis using kibana
Fatal errors : ● Fatal error occurred due to attacker activity, which needs to be taken seriously and must be fixed and analyzed for the cause. ● _id: Pg4VZGcBuP6iW0-4fR9s timestamp: 2018-11-30T09:48:20Zip: 178.62.85.75:28990level: error php-level: Fatal error php-msg: Uncaught exception 'Exception' with message 'Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND cp2c.commission < -9' ORDER BY c.firstname asc' at line 1<br />Error No: 1064<br />SELECT cp2c.customer_id as customer_id,cp2c.commission,c.firstname,c.lastname FROM oc_customerpartner_to_customer cp2c LEFT JOIN oc_customer c ON cp2c.customer_id = c.customer_id WHERE 1 AND LCASE(CONCAT(c.firstname, ' ', c.lastname)) LIKE '%-9'%' AND cp2c.commission > -9' AND cp2c.commission < -9' ORDER BY c.firstname asc ' in /home/ocseller/www/system/library/db/mysqli.php:40nStack
Thanks!

More Related Content

PDF
Secure Code Reviews
Marco Morana
 
PDF
THOR Apt Scanner
Florian Roth
 
PPTX
Say No to the Dependency Hell
Ivan Pashchenko
 
PDF
Simplified Security Code Review Process
Sherif Koussa
 
PDF
網路攻擊與封包分析- Wireshark
Julia Yu-Chin Cheng
 
PDF
The Log4Shell Vulnerability – explained: how to stay secure
Kaspersky
 
PDF
Avalanche Disclosure
HackApp
 
PPTX
Static Analysis Security Testing for Dummies... and You
Kevin Fealey
 
Secure Code Reviews
Marco Morana
 
THOR Apt Scanner
Florian Roth
 
Say No to the Dependency Hell
Ivan Pashchenko
 
Simplified Security Code Review Process
Sherif Koussa
 
網路攻擊與封包分析- Wireshark
Julia Yu-Chin Cheng
 
The Log4Shell Vulnerability – explained: how to stay secure
Kaspersky
 
Avalanche Disclosure
HackApp
 
Static Analysis Security Testing for Dummies... and You
Kevin Fealey
 

What's hot (7)

PDF
Why Java Developers Struggle With Cryptography APIs?
sarah_nadi
 
PPTX
Null meet Code Review
Naga Venkata Sunil Alamuri
 
KEY
Security Code Review: Magic or Art?
Sherif Koussa
 
PDF
Report
Martin Nwachukwu
 
PPTX
Introduction to Web Application Penetration Testing
Rana Khalil
 
PPTX
The difference between Penetration Testing and Red Team
Nimrod Levy
 
PDF
Secure Code Review 101
Narudom Roongsiriwong, CISSP
 
Why Java Developers Struggle With Cryptography APIs?
sarah_nadi
 
Null meet Code Review
Naga Venkata Sunil Alamuri
 
Security Code Review: Magic or Art?
Sherif Koussa
 
Report
Martin Nwachukwu
 
Introduction to Web Application Penetration Testing
Rana Khalil
 
The difference between Penetration Testing and Red Team
Nimrod Levy
 
Secure Code Review 101
Narudom Roongsiriwong, CISSP
 
Ad

Similar to Opencart security testing (20)

PPT
Security@ecommerce
Om Vikram Thapa
 
PDF
«(Без)опасный Python», Иван Цыганов, Positive Technologies
it-people
 
PDF
(Un)safe Python
Ivan Tsyganov
 
PDF
Web Security
KHOANGUYNNGANH
 
PDF
persentation
vinaykumarmahla
 
PPTX
Plant_Ecommerce_Security_Presentation.pptx
LaxmipujaBiradar
 
PPT
Owasp Top 10 And Security Flaw Root Causes
Marco Morana
 
PDF
Session10-PHP Misconfiguration
zakieh alizadeh
 
PDF
logicaltrust-report-opnsense-1.0.pdf
nattamailru
 
PDF
Detailed Developer Report.pdf
nalla14
 
PDF
Safer Odoo Code [Odoo Experience 2017]
Olivier Dony
 
PPTX
How to Test for The OWASP Top Ten
Security Innovation
 
PDF
Web hackingtools 2015
ColdFusionConference
 
PDF
Web hackingtools 2015
devObjective
 
ODP
How secure is your code?
Mikee Franklin
 
PPTX
Fraud Engineering, from Merchant Risk Council Annual Meeting 2012
Nick Galbreath
 
PPT
Data Driven Security, from Gartner Security Summit 2012
Nick Galbreath
 
PDF
Getting Inside Common Web Security Threats
Andy Longshaw
 
PPTX
Open Source Security
Sander Temme
 
KEY
Do it-yourself-audits
Johann-Peter Hartmann
 
Security@ecommerce
Om Vikram Thapa
 
«(Без)опасный Python», Иван Цыганов, Positive Technologies
it-people
 
(Un)safe Python
Ivan Tsyganov
 
Web Security
KHOANGUYNNGANH
 
persentation
vinaykumarmahla
 
Plant_Ecommerce_Security_Presentation.pptx
LaxmipujaBiradar
 
Owasp Top 10 And Security Flaw Root Causes
Marco Morana
 
Session10-PHP Misconfiguration
zakieh alizadeh
 
logicaltrust-report-opnsense-1.0.pdf
nattamailru
 
Detailed Developer Report.pdf
nalla14
 
Safer Odoo Code [Odoo Experience 2017]
Olivier Dony
 
How to Test for The OWASP Top Ten
Security Innovation
 
Web hackingtools 2015
ColdFusionConference
 
Web hackingtools 2015
devObjective
 
How secure is your code?
Mikee Franklin
 
Fraud Engineering, from Merchant Risk Council Annual Meeting 2012
Nick Galbreath
 
Data Driven Security, from Gartner Security Summit 2012
Nick Galbreath
 
Getting Inside Common Web Security Threats
Andy Longshaw
 
Open Source Security
Sander Temme
 
Do it-yourself-audits
Johann-Peter Hartmann
 
Ad

Recently uploaded (20)

PDF
1_English_Language_Set_2.pdf probationary
emailjagmeetsingh9
 
PPTX
Introduction-to-Literarature-and-Literary-Studies-week-Prelim-coverage.pptx
EricaRamos80
 
PPTX
Introduction to Building Materials
Mrunali Vasava
 
PPTX
Radiologic_Anatomy_of_the_Brachial_plexus [final].pptx
atiaruhi95
 
PDF
احياء السادس العلمي - الفصل الثالث (التكاثر) منهج متميزين/كلية بغداد/موهوبين
S LS
 
PPTX
A powerpoint presentation on the Revised K-10 Science Shaping Paper
JericEstaco2
 
PPTX
Unit 4 Skeletal System.ppt.pptxopresentatiom
umair817123
 
PDF
Indian roads congress 037 - 2012 Flexible pavement
offersjackpot
 
PPTX
Chinmaya Tiranga Azadi Quiz (Class 7-8 )
Nitin Suresh
 
PDF
SOIL: Factor, Horizon, Process, Classification, Degradation, Conservation
Sipra Biswas
 
PDF
A GUIDE TO GENETICS FOR UNDERGRADUATE MEDICAL STUDENTS
DrBincy A. S
 
PDF
Empowerment Technology for Senior High School Guide
solthereseamericandr
 
PPTX
Orientation - ARALprogram of Deped to the Parents.pptx
JeromeTamayoSantiago1
 
PDF
Paper A Mock Exam 9_ Attempt review.pdf.
SameeraNaveed2
 
PDF
Black Hat USA 2025 - Micro ICS Summit - ICS/OT Threat Landscape
Chris Sistrunk
 
PPTX
Final Presentation General Medicine 03-08-2024.pptx
ZaheerAhmad228692
 
PDF
ChatGPT for Dummies - Pam Baker Ccesa007.pdf
Demetrio Ccesa Rayme
 
PDF
Practical Manual AGRO-233 Principles and Practices of Natural Farming
MilindKhedekar2
 
PDF
RMMM.pdf make it easy to upload and study
sajedul2
 
PDF
Hazard Identification & Risk Assessment .pdf
estagiarioprotegesms
 
1_English_Language_Set_2.pdf probationary
emailjagmeetsingh9
 
Introduction-to-Literarature-and-Literary-Studies-week-Prelim-coverage.pptx
EricaRamos80
 
Introduction to Building Materials
Mrunali Vasava
 
Radiologic_Anatomy_of_the_Brachial_plexus [final].pptx
atiaruhi95
 
احياء السادس العلمي - الفصل الثالث (التكاثر) منهج متميزين/كلية بغداد/موهوبين
S LS
 
A powerpoint presentation on the Revised K-10 Science Shaping Paper
JericEstaco2
 
Unit 4 Skeletal System.ppt.pptxopresentatiom
umair817123
 
Indian roads congress 037 - 2012 Flexible pavement
offersjackpot
 
Chinmaya Tiranga Azadi Quiz (Class 7-8 )
Nitin Suresh
 
SOIL: Factor, Horizon, Process, Classification, Degradation, Conservation
Sipra Biswas
 
A GUIDE TO GENETICS FOR UNDERGRADUATE MEDICAL STUDENTS
DrBincy A. S
 
Empowerment Technology for Senior High School Guide
solthereseamericandr
 
Orientation - ARALprogram of Deped to the Parents.pptx
JeromeTamayoSantiago1
 
Paper A Mock Exam 9_ Attempt review.pdf.
SameeraNaveed2
 
Black Hat USA 2025 - Micro ICS Summit - ICS/OT Threat Landscape
Chris Sistrunk
 
Final Presentation General Medicine 03-08-2024.pptx
ZaheerAhmad228692
 
ChatGPT for Dummies - Pam Baker Ccesa007.pdf
Demetrio Ccesa Rayme
 
Practical Manual AGRO-233 Principles and Practices of Natural Farming
MilindKhedekar2
 
RMMM.pdf make it easy to upload and study
sajedul2
 
Hazard Identification & Risk Assessment .pdf
estagiarioprotegesms
 

Opencart security testing

  • 1. Getting started with: OpenCart Security By - Vikram Vashisth
  • 2. Topics To be discussed ● Detecting bugs ● Security tools ● Remediation ● Conclusions
  • 4. A1: InjectionA1: Injection A2: Broken Authentication and Session Management A2: Broken Authentication and Session Management A3: Cross-Site Scripting (XSS) A3: Cross-Site Scripting (XSS) A4: Insecure Direct Object References A4: Insecure Direct Object References A5: Security Misconfigurati on A5: Security Misconfigurati on A6: Sensitive Data Exposure A6: Sensitive Data Exposure A7: Missing Function Level Access Control A7: Missing Function Level Access Control A8: Cross Site Request Forgery (CSRF) A8: Cross Site Request Forgery (CSRF) A9: Using Known Vulnerable Components A9: Using Known Vulnerable Components A10: Unvalidated Redirects and Forwards A10: Unvalidated Redirects and Forwards
  • 6. How to detect bugs? ● Automated testing ● Manual testing ● Log analysis ● Static code analysis ● Fatal errors
  • 7. Security Tools : ● Owasp ZAP ● RIPS ● Burp Suite ● Sqlmap ● Kibana (ELK)
  • 8. Static code analysis using RIPS :
  • 9. Manual testing using Burp Suite ● cross-site scripting ● CSRF ● code execution ● file upload ● IDOR ...
  • 12. Fatal errors : ● Fatal error occurred due to attacker activity, which needs to be taken seriously and must be fixed and analyzed for the cause. ● _id: Pg4VZGcBuP6iW0-4fR9s timestamp: 2018-11-30T09:48:20Zip: 178.62.85.75:28990level: error php-level: Fatal error php-msg: Uncaught exception 'Exception' with message 'Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND cp2c.commission < -9' ORDER BY c.firstname asc' at line 1<br />Error No: 1064<br />SELECT cp2c.customer_id as customer_id,cp2c.commission,c.firstname,c.lastname FROM oc_customerpartner_to_customer cp2c LEFT JOIN oc_customer c ON cp2c.customer_id = c.customer_id WHERE 1 AND LCASE(CONCAT(c.firstname, ' ', c.lastname)) LIKE '%-9'%' AND cp2c.commission > -9' AND cp2c.commission < -9' ORDER BY c.firstname asc ' in /home/ocseller/www/system/library/db/mysqli.php:40nStack