Security Audit

Comprehensive Guide On Magento Penetration Testing – Tools, Checklist & Sample Report

Updated on: July 21, 2023

Comprehensive Guide On Magento Penetration Testing – Tools, Checklist & Sample Report

Magento 1 & 2 Penetration Testing

Magento has simplified the way how e-commerce is done and its open-source nature has made it accessible to all. Though e-commerce is convenient, it also has a big responsibility to secure each and every transaction from cyber attack. Magento has been repeatedly targeted through attacks dubbed as ‘Magecart Attacks‘ to steal credit card info. In such a scenario, the Magento security audit becomes necessary to fix present loopholes. Whereas to discover such loopholes Magento penetration testing is important. According to Tim Cook, the CEO of Apple Inc.,

If you put a key under the mat for the cops, a burglar can find it, too. Criminals are using every technology tool at their disposal to hack into people’s accounts. If they know there’s a key hidden somewhere, they won’t stop until they find it.

Magento Penetration Testing: Prerequisites

Magento penetration testing requires some specialized tools to find vulnerabilities. A collection of such tools can be found in the Kali Linux OS. This is a Debian based OS specially designed to hunt for vulnerabilities in Magento and other systems. If you have some space to spare on your hard disk then, you can install Kali Linux in the dual boot along with windows. However, this may become complex for an average user. So, we shall install kali in Virtual Box for this article. Otherwise, Kali Linux can be installed even on the android phone thanks to Kali Nethunter project.

Installing Kali Linux for Magento Security Audit

  • Step1: Firstly, download Virtual box from the official site and install it using the instruction (any other emulator of your choice can also be used).
  • Step2: Next step is to download and install the latest version of Kali Linux on Virtual Box for Magento penetration testing.
  • Step3: After the installation is done, install more “guest addition” tools for Kali Linux to function efficiently on Virtual Box.
  • Step4: In case you still failing to install Kali Linux on Virtual box, simply use a Kali VM image for Magento penetration testing.
website penetration testing infographic by Astra Security
Website Penetration Testing [Infographic]

Magento Pentesting – A Word of Caution!

Conducting a Magento penetration testing without permission of the site owner can lead to jail time! Therefore, always sign a consent contract with the site owner before doing it. In case you are the site owner, make sure to take permission from the site hosting company. Also, never venture out of your domain i.e. don’t conduct pentest on routers that you do not own. In case something goes wrong during Magento penetration testing, neither this article nor Kali Linux is responsible.

It is one small security loophole v/s your entire website or web application

Get your web app audited with Astra’s Continuous Pentest Solution

Also Read: 11 Top Penetration Testing Tools/Software of 2022 | A Complete Guide to Cloud Penetration Testing

Magento Penetration Testing: Reconnaissance

In this article, we shall follow the black-box approach of Magento penetration testing which means we know nothing about the underlying technologies. So, the first step is to try to uncover the maximum underlying technologies. Because it’s not always Magento core files that are vulnerable. At times it could be a buggy server. Some great tools to conduct reconnaissance for Magento penetration testing are:

Network Mapper(Nmap)

Nmap can give a large amount of info regarding the Magento target. It is a must-have tool for complete fingerprinting of the system. Nmap can reveal:

  • Open ports on the server.
  • Services running on those ports.
  • Use NSE scripts for Magento vulnerability detection.

Nmap can do all this quite stealthily and has lots more to offer. To usee Nmap, fire your Kali on the VM and in the command line terminal and type ‘nmap‘.

Magento Penetration testing and Magento Security Audit using NMAP
Image: Magento Penetration testing and Magento Security Audit using NMAP

In the above image, the -sV option of the Nmap here enables version detection. In our case, it has found multiple open ports with Microsoft IIS server running on port 80. Moreover, Nmap has also found the MAC address of our local target. Also, there is a GUI version of Nmap known as Zenmap which further simplifies things.

Also Read: Why Firewall Penetration Testing is Essential to Your Security Strategy

Magento Penetration testing and Magento Security Audit using Zenmap
Image: Magento Penetration testing and Magento Security Audit using Zenmap

OSINT Collection Tool: The Harvester

When it comes to reconnaissance for Magento penetration testing, there is a wealth of information available on the internet. This includes things like ownership info, nameservers, etc. which can help in mapping out the complete organization. This info is known as open-source intelligence and is very helpful for social engineering attacks.

The harvester can collect data from sources like Shodan, Google, Whois, DNS servers, etc. Therefore, the Harvester is a one-stop solution for OSINT. Hence, it is advisable to use the Harvester instead of visiting each of these sites individually.

Magento Penetration testing and Magento Security Audit using harvester
Image: Magento Penetration testing and Magento Security Audit using Harvester

Also Read: API Penetration Testing: What You Need to Know

Magento Penetration Testing: Discovery

Now once, the technologies have been identified, the next step is to look actively for Magento website vulnerabilities. Although earlier, there was an open-source Magento specific vulnerability scanner, post-2018 it went commercial and is no longer maintained. Some other helpful tools are:


One of the best tools to discover vulnerabilities in any Magento site is the OpenVAS framework. Moreover, most part of the OpenVAS is GNU general public license. This framework is a powerful vulnerability scanner which conducts some 50,000 odd Network Vulnerability Tests to find loopholes. OpenVAS is a free framework gives the feel of a commercial security solution.

Magento Penetration testing and Magento Security Audit using OpenVAS
Image: Magento Penetration testing and Magento Security Audit using OpenVAS


Nikto is an open-source vulnerability scanner which offers around 6700 test for server misconfigs and 1250 test for outdated server versions. Not only this, Nikto can scan for server-specific vulnerabilities of around 270 servers. However, for best results make sure to disable your WAF or firewall before using Nikto for Magento penetration testing. To scan a target using Nikto, simply open Kali and type in command terminal: nikto -h 'your-target

Magento Penetration testing and Magento Security Audit using Nikto
Image: Magento Penetration testing and Magento Security Audit using Nikto

Magento Penetration Testing: Exploitation

Now once the vulnerabilities are identified, it is time to remove false positives. This is done during the exploitation process. Only, a serious vulnerability could exploit a Magento store. This can be done via the following tools:


Written in Ruby, Metasploit is one of the most popular frameworks used for exploitation. Rapid 7, the company that own Metasploit, maintains and keeps updating a large database of exploits which can be run from the Metasploit framework. Metasploit can be updated for your Kali Linux by typing the command ‘msfupdate’. Metasploit can also be accessed via GUI from the Armitage tool of Kali Linux. To launch Metasploit from the terminal, type ‘msfconsole

Magento Penetration testing and Magento Security Audit using Metasploit
Image: Magento Penetration testing and Magento Security Audit using Metasploit


Started by Stamparm on Github, Sqlmap is one of the best SQL injection exploitation tool available today. Sqlmap can be used to automatically fuzz and find vulnerable targets. Not only vulnerable parameters but Sqlmap can also inject in data fields and forms on a web page. Sqlmap can exploit SQLi vulnerabilities to read the contents of a database, alter them and in some cases to even get a reverse shell form the Magento store. To test a target for SQLi using this tool, type:

sqlmap -u 'your target URL' --batch

The –batch command automates the task and chooses default values during testing process as shown in the image below.

Magento Penetration testing and Magento Security Audit using SQLMAP
Image: Magento Penetration testing and Magento Security Audit using Sqlmap


To exploit an XSS vulnerability in the Magento store, Xsser is one of the best and lightweight tools. To obtain the GUI interface of Xsser, in the terminal type:

xsser –gtk

For more help type:

xsser -h

Magento Penetration testing and Magento Security Audit using Nikto Xsser


Commix is a tool to exploit command injection vulnerabilities in a Magento store. For further info, fire up your Kali and in the terminal write: commix -h


Also Read: Top 5 Software Security Testing Tools in 2022 [Reviewed]

Magento Security Audit

PCI Compliance

Magento store owners can choose from a wide variety of payment methods like PayPal, SagePay, Google Checkout, etc. But the important thing here is that the payment methods need to be PCI compliant which means that the method has adequate security measures to protect the transaction data from hacking.

Secure Hosting and SSL

Another crucial thing to check during the Magento security audit is the hosting provider. Is the hosting service safe? Is there subnetting on the shared web space? Going for VPS would be a recommendation here. Moreover, the use of certified SSL certificates needs to be checked. Remember to take an SSL certificated only from a valid certifying authority.

Software Version

Ensure that the site is running on the latest version of Magento. Magento stops releasing security patches for older versions so outdated sites are a security risk. Moreover, check that all the extensions are up to date. If the site is using the latest version then ensure that all the security patches are installed.

Read Also: Software Penetration Testing: A Complete Guide

Two-Factor Authentication

Enabling two-factor authentication adds an extra layer of security to the Magento store. You can implement this via services like Google Authenticator, Authy, U2F Keys, Duo Security.

Users and File Permissions in Magento

Make sure to set a limit on the resources different users can access. In Magento 2.3, set permissions through the following instructions. Visit:

System>Permission>User Roles>Click “Administrators”>Role Information>Role Resources>Role Access>Custom

From here on assign roles accordingly. Moreover, file permissions are also necessary. To set them, log into the server and use any file manager to assign file permissions.


If the Magento store logs every activity, this can help in determining the cause of a hack. Moreover, check for the availability of backups of the website during a Magento security audit. Ensure that at least 3-4 backups of the Magento store and its database are available. While using cloud hosting for Magento store, make use of automatic backup provided by the service provider.

Automation Prevention

Make sure that the Magento store is safe from bots and spam. To do this, you can implement captcha on every input form like contact, feedback form, etc. In Magento 2.3, add captcha by visiting:

Stores>Configuration>Customer>Customer Configuration>Captcha

Security Solution

Ensure that the Magento store uses a firewall to filter bad requests. If not then get one today. Astra offers just the right security solution customized for Magento users. Moreover, Astra is an expert at Magento Penetration testing and security audit. A vetted team of hackers will scan your Magento store in and out for any vulnerabilities. Experience Magento security like never before.

Get the ultimate Magento Security checklist with 300+ test parameters

Also Read: Sample Penetration Testing Report | VAPT PDF Report


What is the timeline for Magento penetration Testing?

The timeline for Magento Pentesting is 7-10 days. The rescan after fixing the vulnerabilities takes 3 more days. The timeline may differ slightly based on the scope of the test.

How much does penetration testing cost?

The cost for penetration testing ranges between $99 and $399 per month for websites. The cost of pentesting for cloud infrastructure, and mobile apps differ based on the scope of the pentest.

Why choose Astra for penetration testing?

1250+ tests, adherence to global security standards, intuitive dashboard with dynamic visualization of vulnerabilities and their severity, security audit with simultaneous remediation assistance, multiple rescans, these are the features that give Astra an edge over all competitors.

Do I also get rescans after a vulnerability is fixed?

Yes, you get 1-3 rescans based on the type of Pentesting and the plan you opt for. You can avail these rescans within 30 days from the initial scan completion even after the vulnerabilities are fixed.


Vikas Kundu

Vikas is a computer science graduate with a keen interest in cybersecurity. Besides programming cool software, he also shares his knowledge on website security on niche blogs. He has written over 150 technical write-ups to date and is still actively writing. In his free time, he can be found playing football.
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Inline Feedbacks
View all comments

Psst! Hi there. We’re Astra.

We make security simple and hassle-free for thousands
of websites and businesses worldwide.

Our suite of security products include a vulnerability scanner, firewall, malware scanner and pentests to protect your site from the evil forces on the internet, even when you sleep.

earth spiders cards bugs spiders

Made with ❤️ in USA France India Germany