Magento Vulnerability & Penetration Testing

Magento has simplified how e-commerce is done, and its open-source nature has made it accessible to all. Though e-commerce is convenient, it also carries the responsibility of securing every transaction against cyber attack. Magento has been repeatedly targeted by attacks dubbed ‘Magecart attacks’ that steal credit card details. In such a scenario, a Magento security audit becomes necessary to fix the loopholes, and Magento penetration testing is how such loopholes are discovered. According to Tim Cook, the CEO of Apple Inc.,

If you put a key under the mat for the cops, a burglar can find it, too. Criminals are using every technology tool at their disposal to hack into people’s accounts. If they know there’s a key hidden somewhere, they won’t stop until they find it.

Magento Penetration Testing: Prerequisites

Magento penetration testing requires some specialized tools to find vulnerabilities. A collection of such tools can be found in Kali Linux, a Debian-based OS designed for hunting vulnerabilities in Magento and other systems. If you have some space to spare on your hard disk, Kali can be installed in a dual-boot setup alongside Windows. However, this may be complex for an average user, so for this article we shall install Kali in VirtualBox. Alternatively, Kali Linux can even be installed on an Android phone thanks to the Kali NetHunter project.

Installing Kali Linux for Magento Security Audit

  • Step 1: Download VirtualBox from the official site and install it following the instructions (any other virtualization software of your choice can also be used).
  • Step 2: Download and install the latest version of Kali Linux in VirtualBox for Magento penetration testing.
  • Step 3: After the installation is done, install the “Guest Additions” so that Kali Linux runs efficiently in VirtualBox.
  • Step 4: If you are still unable to install Kali Linux in VirtualBox, simply use a pre-built Kali VM image for Magento penetration testing.

Magento Penetration Testing: A Word of Caution!

Conducting a Magento penetration test without the permission of the site owner can lead to jail time! Therefore, always get a contract signed by the site owner before doing it. If you are the site owner, make sure to obtain permission from the hosting company as well. Also, never venture outside your scope, i.e. do not pentest routers or other infrastructure you do not own. If something goes wrong during Magento penetration testing, neither this article nor Kali Linux is responsible.

When was the last time you had a Magento security audit? Drop us a message on the chat widget, and we’d be happy to help you. Help me with Magento Penetration Testing now.

Magento Penetration Testing: Reconnaissance

In this article, we shall follow the black-box approach to Magento penetration testing, which means we know nothing about the underlying technologies. So, the first step is to uncover as much of the underlying technology stack as possible, because it is not always the Magento core files that are vulnerable; at times it could be a buggy server. Some great tools to conduct reconnaissance for Magento penetration testing are:

Network Mapper(Nmap)

Nmap can give a large amount of information about the Magento target. It is a must-have tool for complete fingerprinting of the system. Nmap can reveal:

  • Open ports on the server.
  • Services running on those ports.
  • Known vulnerabilities, via NSE scripts written for Magento vulnerability detection.

Nmap can do all this quite stealthily and has lots more to offer. To use Nmap, fire up your Kali VM, open a command-line terminal and type ‘nmap’.

Magento Penetration testing and Magento Security Audit using NMAP


In the above image, the -sV option of Nmap enables version detection; in our case, it found multiple open ports, with a Microsoft IIS server running on port 80. Nmap also found the MAC address of our local target. There is also a GUI version of Nmap, Zenmap, which further simplifies things.

Magento Penetration testing and Magento Security Audit using Zenmap

OSINT Collection Tool: The Harvester

When it comes to reconnaissance for Magento penetration testing, there is a wealth of information available on the internet. This includes things like ownership info, nameservers, etc., which can help in mapping out the complete organization. This information is known as open source intelligence (OSINT) and is very helpful for social engineering attacks.


theHarvester can collect data from sources like Shodan, Google, Whois, DNS servers, etc. It is therefore a one-stop solution for OSINT, and it is advisable to use it instead of visiting each of these sources individually.

Magento Penetration testing and Magento Security Audit using harvester

Magento Penetration Testing: Discovery

Once the technologies have been identified, the next step is to actively look for Magento website vulnerabilities. Earlier there was an open-source Magento-specific vulnerability scanner, but post-2018 it went commercial and is no longer maintained. Some other helpful tools are:

OpenVAS

One of the best tools to discover vulnerabilities in any Magento site is the OpenVAS framework. Most of OpenVAS is released under the GNU General Public License. It is a powerful vulnerability scanner that runs some 50,000-odd Network Vulnerability Tests to find loopholes. OpenVAS is a free framework that gives the feel of a commercial security solution.

Magento Penetration testing and Magento Security Audit using OpenVAS

Nikto

Nikto is an open-source vulnerability scanner which offers around 6700 tests for server misconfigurations and 1250 tests for outdated server versions. Not only this, Nikto can scan for server-specific vulnerabilities of around 270 server types. However, for best results make sure to disable your WAF or firewall before using Nikto for Magento penetration testing. To scan a target using Nikto, simply open Kali and type in the command terminal: nikto -h ‘your-target’

Magento Penetration testing and Magento Security Audit using Nikto



Magento Penetration Testing: Exploitation

Once the vulnerabilities are identified, it is time to remove false positives. This is done during the exploitation process. Only serious vulnerabilities can be leveraged to exploit a Magento store. This can be done via the following tools:

Metasploit

Written in Ruby, Metasploit is one of the most popular frameworks used for exploitation. Rapid7, the company that owns Metasploit, maintains and keeps updating a large database of exploits which can be run from the Metasploit framework. Metasploit can be updated on your Kali Linux by typing the command ‘msfupdate’. Metasploit can also be accessed via a GUI from the Armitage tool in Kali Linux. To launch Metasploit from the terminal, type ‘msfconsole’.

Magento Penetration testing and Magento Security Audit using Metasploit

Sqlmap

Started by stamparm on GitHub, Sqlmap is one of the best SQL injection exploitation tools available today. Sqlmap can be used to automatically fuzz and find vulnerable targets. Not only vulnerable parameters, Sqlmap can also inject into data fields and forms on a web page. Sqlmap can exploit SQLi vulnerabilities to read the contents of a database, alter them and in some cases even get a reverse shell from the Magento store. To test a target for SQLi using this tool, type:

sqlmap -u ‘your target URL’ --batch

The --batch option automates the task and chooses default values during the testing process, as shown in the image below.

Magento Penetration testing and Magento Security Audit using SQLMAP

Xsser

To exploit an XSS vulnerability in the Magento store, Xsser is one of the best and most lightweight tools. To open the GUI interface of Xsser, type in the terminal:

xsser --gtk

For more help type:

xsser -h

Magento Penetration testing and Magento Security Audit using Xsser

Commix

Commix is a tool to exploit command injection vulnerabilities in a Magento store. For further info, fire up your Kali and in the terminal type: commix -h

Commix

Magento Security Audit

PCI Compliance

Magento store owners can choose from a wide variety of payment methods like PayPal, SagePay, Google Checkout, etc. The important thing here is that the payment methods need to be PCI compliant, which means that the method has adequate security measures to protect transaction data from hacking.

Secure Hosting and SSL

The next thing to check during the Magento security audit is the hosting provider. Is the hosting service safe? Is there subnetting on the shared web space? It is recommended to go for a VPS. Moreover, the use of valid SSL certificates needs to be checked. Remember to obtain an SSL certificate only from a valid certificate authority.

Software Version

Ensure that the site is running on the latest version of Magento. Magento stops releasing security patches for older versions, so outdated sites are a security risk. Moreover, check that all the extensions are up to date. If the site is using the latest version, then ensure that all the security patches are installed.

Two-Factor Authentication

Enabling two-factor authentication adds an extra layer of security to the Magento store. This can be implemented via services like Google Authenticator, Authy, U2F keys and Duo Security.

Users and File Permissions in Magento

Make sure to set a limit on the resources different users can access. In Magento 2.3, this can be done through the following path. Visit:

System > Permissions > User Roles > Click “Administrators” > Role Information > Role Resources > Role Access > Custom

From here, assign roles accordingly. File permissions are also necessary; they can be set by logging into the server and using any file manager to assign them.
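Setting permissions by hand in a file manager is easy to get wrong, so an audit should check the result. The following is an added example (not code from the original article) that walks a Magento install directory, reports world-writable files and directories, and reports a world-readable configuration secrets file. The path app/etc/env.php is Magento 2's main configuration file, which holds the database credentials; that path is taken from Magento's documentation and is not on this page, and the sample directory tree the script builds is constructed for the demonstration. A remediate() helper then strips the offending "other" permission bits, which is the same change you would make with chmod o-w or chmod o-r.

```python
"""Audit a Magento install directory for risky file permissions.

Added example, not from the original article. Flags world-writable files and
directories and a world-readable secrets file. app/etc/env.php is Magento 2's
configuration file holding the database credentials (path from Magento's docs,
not from this page). build_sample_install() creates a constructed tree.
"""
import os
import stat
import tempfile

# Assumption: files that hold credentials and must not be readable by "other".
SECRET_FILES = {"app/etc/env.php"}


def audit_permissions(root, secret_files=SECRET_FILES):
    """Walk `root` and return a sorted list of (relative_path, problem) findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            try:
                mode = os.lstat(full).st_mode
            except FileNotFoundError:
                continue
            if stat.S_ISLNK(mode):
                continue  # a symlink's own bits are meaningless; the target is audited
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            if rel in secret_files and mode & stat.S_IROTH:
                findings.append((rel, "secrets readable by everyone"))
    return sorted(findings)


def remediate(root, findings):
    """Strip only the offending 'other' bit for each finding (chmod o-w / chmod o-r)."""
    for rel, problem in findings:
        full = os.path.join(root, rel)
        mode = stat.S_IMODE(os.lstat(full).st_mode)
        if problem == "world-writable":
            mode &= ~stat.S_IWOTH
        else:
            mode &= ~stat.S_IROTH
        os.chmod(full, mode)


def build_sample_install():
    """Create a constructed throwaway tree mimicking a badly configured Magento root."""
    root = tempfile.mkdtemp(prefix="magento-audit-")
    # Explicit modes so the result does not depend on the caller's umask.
    for rel, mode in [("app", 0o755), ("app/etc", 0o750), ("var", 0o755),
                      ("var/log", 0o770), ("pub", 0o755), ("pub/media", 0o777)]:
        path = os.path.join(root, rel)
        os.makedirs(path, exist_ok=True)
        os.chmod(path, mode)          # pub/media ends up world-writable: a finding
    env = os.path.join(root, "app", "etc", "env.php")
    with open(env, "w") as f:
        f.write("<?php return ['db' => ['connection' => ['default' => "
                "['password' => 'constructed-example']]]];\n")
    os.chmod(env, 0o644)              # readable by everyone: a finding
    return root


if __name__ == "__main__":
    sample_root = build_sample_install()
    for path, problem in audit_permissions(sample_root):
        print(f"{problem}: {path}")
```

Run it against a real install as `audit_permissions("/path/to/magento")`; the group-writable var/log directory in the sample is deliberately not reported, because Magento's web server user is expected to write there and the check is about the "other" class, not the group.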

Backup

If the Magento store logs every activity, the logs can be used to determine the cause of a hack. Moreover, check for the availability of backups of the website during a Magento security audit. Ensure that at least 3-4 backups of the Magento store and its database are available. When using cloud hosting for the Magento store, make use of the automatic backups provided by the service provider.

Automation Prevention

Make sure that the Magento store is safe from bots and spam. This can be done by implementing a CAPTCHA on every input form, like the contact form, feedback form, etc. In Magento 2.3, this can be done by visiting:

Stores > Configuration > Customer > Customer Configuration > CAPTCHA

Security Solution

Ensure that the Magento store uses a firewall to filter bad requests. If not, then get one today. Astra offers just the right security solution customized for Magento users. Moreover, Astra is an expert at Magento penetration testing and security audits. A vetted team of hackers will scan your Magento store inside and out for any vulnerabilities. Experience Magento security like never before. Try Astra now!

About The Author

A computer nerd. Loves working with Sqlmap and BeEF (the software) ;) Has experience in wireless pen tests. Owns a chatbot on Pandorabots named Mark1. In free time he can be found saving some goals.
