Rapid7 is often tasked with evaluating the security of e-commerce sites. When dealing directly with customer financials, the security of these transactions is a top concern. Fortunately, there are ample pre-built e-commerce platforms one can simply purchase or install. From an attacker’s perspective, these are annoying to attack since they're tested so often by the vendors maintaining the e-commerce platform. So how do you exploit a site that’s already been thoroughly tested? There are many ways, but we’ll go over two. One exploitation path is through insecure custom code added to the e-commerce framework. Often, the framework won't come pre-installed with a business need of the organization and it's up to your team to create custom code to perform it. If this code isn't tested and secure, there’s a chance a vulnerability can be introduced. Another way is the leaking of secrets or guessable credentials (yes, it still happens in 2024 ). Think an admin password being somewhere it shouldn't be, credentials sold underground from a data breach, or a password that’s just the company name. A web application security scanner can often find straightforward vulnerabilities, such as outdated software easily, but other types often require a more human touch. What follows are two real-world examples from the Rapid7 Penetration Testing team. Site 1 – Insecure Custom Code: The site we were testing was geared toward both businesses and consumers using a moderately customized e-commerce…Read More