Shopify penetration test and mitigation


Hi Team

There was a pen-test that has been done to validate our e-com business and the security team found some issues. Can you suggest how to resolve these?

Unnecessary ports open on the server

Too many open ports on the server. Understand this is a shared environment, anything we can do about this?

Possible to inject SQL queries

Users can add SQL statements to forms, for example the address field in the shipping address.

Cache control headers are not set properly

Can we set cache control to no store and pragma to no-cache?

Secure and Httponly cookie attributes are not set

Session cookies need to be set to Secure and HttpOnly.

My Order request can be automated to harvest customer PII data

Adding captcha to areas where login is needed

The web server contains a robots.txt file

Modify robots.txt to have non-sensitive information

CVV number is not masked on the checkout page

Can we mask the CVV number during payment?

Any suggestions on the above are highly appreciated.

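The cache-control and cookie findings above can be verified from the store's own HTTP responses. The following is an added example, not code from the thread or from Shopify: it parses a raw response header block and reports a missing `Cache-Control: no-store` / `Pragma: no-cache` and any `Set-Cookie` lacking `Secure` or `HttpOnly`. The sample response is constructed for illustration; replace it with headers captured from your store (e.g. from a browser's developer tools).

```python
# Added example (not from the thread): check captured HTTP response headers
# for the two pentest findings discussed above. SAMPLE_RESPONSE is constructed.

def parse_headers(raw):
    """Parse a raw HTTP response (status line + headers) into (name, value) pairs."""
    pairs = []
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # end of the header block
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def check_cache_headers(headers):
    """Findings for 'Cache control headers are not set properly'."""
    findings = []
    values = {n: v for n, v in headers}
    directives = {d.strip() for d in values.get("cache-control", "").lower().split(",")}
    if "no-store" not in directives:
        findings.append("Cache-Control lacks no-store")
    if values.get("pragma", "").lower() != "no-cache":
        findings.append("Pragma is not no-cache")
    return findings

def check_cookie_flags(headers):
    """Findings for 'Secure and HttpOnly cookie attributes are not set'."""
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}  # attribute names only
        missing = [f for f in ("Secure", "HttpOnly") if f.lower() not in attrs]
        if missing:
            findings.append("cookie %s missing %s" % (cookie_name, ", ".join(missing)))
    return findings

def audit(raw):
    """Return the combined list of findings for one captured response."""
    headers = parse_headers(raw)
    return check_cache_headers(headers) + check_cookie_flags(headers)

# Constructed sample: a weak response that reproduces both findings.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Cache-Control: private, max-age=0
Set-Cookie: cart=abc123; Path=/; Secure
Set-Cookie: session=xyz789; Path=/; Secure; HttpOnly
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSE):
        print("FINDING:", finding)
```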
They didn't provide a whole lot of information. I don't work at Shopify, just a dev/ops nerd, so take this with a grain of salt:


1. I doubt Shopify is going to change open ports. Knowing which ports they believe need to be closed is a good start. Shopify has a lot of integrations, and the ports are likely open for a reason.

2. Do they have proof that an SQL injection is possible? That would mean they were able to read or write additional data to the server. If you have 3rd party apps that deal with shipping, they may have bugs or security issues.


Actually, all of the answers to the other problems are about the same - they should show some examples, cookies and headers are unlikely to change due to specific use cases of Shopify, etc.


https://community.shopify.com/c/Shopify-Discussion/How-can-I-edit-robots-txt/td-p/432485 has some info about robots.txt. Again, you can make minor changes, but not change the file overall.


CVV I have no answer to, maybe there's an app or plugin that masks it.


Hi Andrew


Thanks for your suggestions.


The team did provide clear examples for each and every issue. I could not post them here for security reasons.

I assumed Shopify is not going to make any changes at their end to satisfy a single customer's needs, but was hoping there is a workaround to this.


Regards
