Comprehensive Guide On Magento Penetration Testing – Tools, Checklist & Sample Report
Magento 1 & 2 Penetration Testing
Magento has simplified how e-commerce is done, and its open-source nature has made it accessible to all. E-commerce is convenient, but it also carries the responsibility of securing every transaction against cyber attack. Magento has been repeatedly targeted through attacks dubbed ‘Magecart attacks’, which skim credit card details from checkout pages. In such a scenario, a Magento security audit becomes necessary to fix the loopholes that are present, and Magento penetration testing is how those loopholes are discovered in the first place. According to Tim Cook, the CEO of Apple Inc.,
If you put a key under the mat for the cops, a burglar can find it, too. Criminals are using every technology tool at their disposal to hack into people’s accounts. If they know there’s a key hidden somewhere, they won’t stop until they find it.
Magento Penetration Testing: Prerequisites
Magento penetration testing requires some specialized tools to find vulnerabilities. A collection of such tools ships with the Kali Linux OS, a Debian-based distribution built for hunting vulnerabilities in Magento and other systems. If you have some space to spare on your hard disk, you can install Kali Linux in a dual-boot setup alongside Windows. However, this can become complex for an average user, so for this article we shall install Kali Linux in VirtualBox. Kali Linux can even be installed on an Android phone, thanks to the Kali NetHunter project.
Installing Kali Linux for Magento Security Audit
- Step 1: Download VirtualBox from the official site and install it following the instructions (any other virtualization software of your choice can also be used).
- Step 2: Download the latest version of Kali Linux and install it in VirtualBox for Magento penetration testing.
- Step 3: After the installation is done, install the “Guest Additions” so that Kali Linux runs smoothly inside VirtualBox.
- Step 4: If you still fail to install Kali Linux in VirtualBox, simply use a pre-built Kali VM image for Magento penetration testing.
Magento Pentesting – A Word of Caution!
Conducting Magento penetration testing without the permission of the site owner can lead to jail time! Therefore, always sign a consent contract with the site owner before doing it. If you are the site owner, make sure to obtain permission from the hosting company as well. Also, never venture outside your own scope, i.e. do not pentest routers or other systems you do not own. If something goes wrong during Magento penetration testing, neither this article nor Kali Linux is responsible.
Magento Penetration Testing: Reconnaissance
In this article, we shall follow the black-box approach to Magento penetration testing, which means we start out knowing nothing about the underlying technologies. So, the first step is to uncover as much of the underlying technology stack as possible, because it is not always the Magento core files that are vulnerable; at times it could be a buggy server. Some great tools for reconnaissance during Magento penetration testing are:
Nmap can give a large amount of information about the Magento target. It is a must-have tool for complete fingerprinting of the system. Nmap can reveal:
- Open ports on the server.
- Services and versions running on those ports.
- Results of NSE scripts that check for known vulnerabilities on the Magento host.
Nmap can do all this quite stealthily and has lots more to offer. To use Nmap, boot Kali in the VM, open a command-line terminal and type ‘
In the above image, the -sV option of Nmap enables service version detection. In our case, it has found multiple open ports, with a Microsoft IIS server running on port 80. Nmap has also found the MAC address of our local target, which it can only do when the target is on the same network segment. There is also a GUI version of Nmap, known as Zenmap, which further simplifies things.
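Reading the scan output by eye works for one host, but a penetration tester usually wants the open ports pulled out of the text and checked against what a Magento host should actually expose. The following shell script is an added example, not code from the original article or from the Nmap project: it parses a constructed sample of `nmap -sV` text output (the host, ports, versions and MAC address are made up for the demo) and flags backend services, such as MySQL, that should never be reachable from the scanning host. The list of backend ports is this example's own choice.

```shell
#!/bin/sh
# Constructed sample of 'nmap -sV' text output against a lab VM (not a real scan; values are made up).
SAMPLE_NMAP='Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-10 10:00 UTC
Nmap scan report for 192.168.56.101
Host is up (0.00042s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 7.9
80/tcp   open  http     Microsoft IIS httpd 10.0
443/tcp  open  ssl/http Microsoft IIS httpd 10.0
3306/tcp open  mysql    MySQL 5.7.29
MAC Address: 08:00:27:AB:CD:EF (Oracle VirtualBox virtual NIC)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .'

# Reads nmap text output on stdin; prints "port service version" for each open port.
open_services() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" {
        ver = ""
        for (i = 4; i <= NF; i++) ver = ver " " $i
        sub(/^ /, "", ver)
        print $1, $3, ver
    }'
}

# Number of open ports in the scan.
open_port_count() {
    open_services | wc -l | tr -d ' '
}

# Backend services a Magento host should never expose beyond its own network:
# MySQL, PostgreSQL, Redis, Memcached and Elasticsearch. Prints offenders; exit status 1 if any.
exposed_backend_ports() {
    found=$(open_services | awk '{
        split($1, p, "/")
        if (p[1] == "3306" || p[1] == "5432" || p[1] == "6379" || p[1] == "11211" || p[1] == "9200") print
    }')
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# MAC address nmap reports for a target on the same Ethernet segment (absent for remote hosts).
scanned_mac() {
    sed -n 's/^MAC Address: \([0-9A-Fa-f:]*\).*/\1/p'
}

# Example run against the constructed sample:
printf '%s\n' "$SAMPLE_NMAP" | open_services
printf '%s\n' "$SAMPLE_NMAP" | exposed_backend_ports || echo "WARNING: backend service reachable from the scanning host"
```

To use it on a real scan, replace the sample with `nmap -sV <target> | open_services`; the warning from `exposed_backend_ports` is the finding that usually matters most on an e-commerce host, since a database port open to the internet undermines every other control on the store.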
OSINT Collection Tool: The Harvester
When it comes to reconnaissance for Magento penetration testing, there is a wealth of information available on the internet. This includes things like domain ownership details, nameservers, e-mail addresses and subdomains, which help in mapping out the complete organization. This information is known as open-source intelligence (OSINT) and is very useful for social engineering attacks.
theHarvester can collect data from sources like Shodan, Google, Whois records and DNS servers, which makes it a one-stop solution for OSINT. It is therefore advisable to use theHarvester instead of visiting each of these sources individually.
Magento Penetration Testing: Discovery
Once the technologies have been identified, the next step is to actively look for vulnerabilities in the Magento website. Although there was once an open-source Magento-specific vulnerability scanner, after 2018 it went commercial and is no longer maintained. Some other helpful tools are:
One of the best tools to discover vulnerabilities in any Magento site is the OpenVAS framework. Most of OpenVAS is released under the GNU General Public License. This framework is a powerful vulnerability scanner that runs some 50,000-odd Network Vulnerability Tests to find loopholes. OpenVAS is free, yet gives the feel of a commercial security solution.
Nikto is an open-source vulnerability scanner which offers around 6,700 tests for server misconfigurations and 1,250 tests for outdated server versions. Not only this, Nikto can scan for server-specific vulnerabilities of around 270 server types. However, for best results make sure to disable your WAF or firewall before using Nikto for Magento penetration testing, so that the scanner reaches the origin server rather than the filter in front of it. To scan a target using Nikto, simply open Kali and type in the command terminal:
nikto -h 'your-target'
Magento Penetration Testing: Exploitation
Once the vulnerabilities have been identified, it is time to remove false positives. This is done during the exploitation process: only a vulnerability that can actually be exploited poses a serious risk to a Magento store. This can be done via the following tools:
Written in Ruby, Metasploit is one of the most popular frameworks used for exploitation. Rapid7, the company that owns Metasploit, maintains and keeps updating a large database of exploits which can be run from the Metasploit framework. Metasploit can be updated on your Kali Linux by typing the command ‘msfupdate’. Metasploit can also be accessed via a GUI through the Armitage tool in Kali Linux. To launch Metasploit from the terminal, type ‘
Started by stamparm on GitHub, sqlmap is one of the best SQL injection exploitation tools available today. sqlmap can be used to automatically fuzz parameters and find vulnerable targets. Beyond URL parameters, sqlmap can also inject into data fields and forms on a web page. sqlmap can exploit SQLi vulnerabilities to read the contents of a database, alter them and, in some cases, even obtain a reverse shell from the Magento store. To test a target for SQLi using this tool, type:
sqlmap -u 'your target URL' --batch
The --batch option automates the task by choosing the default answer to every prompt during the testing process, as shown in the image below.
For more help type:
Commix is a tool to exploit command injection vulnerabilities in a Magento store. For further information, fire up Kali and in the terminal write:
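The flip side of the Nikto and sqlmap passages above is what these scanners look like to the store's own web server. Both tools announce themselves in their default User-Agent string (sqlmap as `sqlmap/<version>` and Nikto as `Nikto/<version>`), and even when a tester changes the banner, a burst of 4xx/5xx responses from one client is the footprint of forced browsing and parameter fuzzing. The following shell script is an added example, not part of the original article or of either tool: it runs both checks over a constructed combined-format access log (IPs from the documentation ranges, made-up requests), so a store owner can confirm that an engagement's traffic shows up in logs and that the same signals would catch an unauthorised scan.

```shell
#!/bin/sh
# Constructed Apache/Nginx combined-format access log (made-up IPs from the documentation ranges).
SAMPLE_LOG='203.0.113.7 - - [10/Jan/2020:10:00:01 +0000] "GET /index.php/catalog/product/view/id/5 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/72.0"
203.0.113.7 - - [10/Jan/2020:10:00:02 +0000] "GET /checkout/cart/ HTTP/1.1" 200 2210 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/72.0"
198.51.100.9 - - [10/Jan/2020:10:00:05 +0000] "GET /index.php/catalog/product/view/id/5%27 HTTP/1.1" 500 310 "-" "sqlmap/1.4.2#stable (http://sqlmap.org)"
198.51.100.9 - - [10/Jan/2020:10:00:05 +0000] "GET /index.php/catalog/product/view/id/5%20AND%201%3D1 HTTP/1.1" 200 5120 "-" "sqlmap/1.4.2#stable (http://sqlmap.org)"
192.0.2.44 - - [10/Jan/2020:10:00:09 +0000] "GET /admin/ HTTP/1.1" 404 220 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)"
192.0.2.44 - - [10/Jan/2020:10:00:09 +0000] "GET /downloader/ HTTP/1.1" 404 220 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000002)"'

# Splitting on double quotes gives: $1 = client/ident/auth/time, $2 = request line,
# $3 = status and size, $6 = User-Agent.
# Prints "ip tool" for each request whose User-Agent carries a default scanner banner.
scanner_hits() {
    awk -F'"' '{
        ip = $1; sub(/ .*/, "", ip)
        ua = $6
        if (ua ~ /sqlmap/)      print ip, "sqlmap"
        else if (ua ~ /Nikto/)  print ip, "nikto"
    }'
}

# Distinct source addresses that sent scanner banners.
scanner_ips() {
    scanner_hits | awk '{ print $1 }' | sort -u
}

# Banner matching fails once the User-Agent is changed, so also count 4xx/5xx responses per client.
# Usage: noisy_error_ips THRESHOLD   (prints "ip count" for clients at or above THRESHOLD; default 20)
noisy_error_ips() {
    awk -F'"' -v t="${1:-20}" '{
        ip = $1; sub(/ .*/, "", ip)
        split($3, s, " ")
        if (s[1] ~ /^[45][0-9][0-9]$/) n[ip]++
    }
    END { for (ip in n) if (n[ip] >= t) print ip, n[ip] }' | sort
}

# Example run against the constructed sample:
printf '%s\n' "$SAMPLE_LOG" | scanner_hits
printf '%s\n' "$SAMPLE_LOG" | noisy_error_ips 2
```

On a real server, feed it with `scanner_hits < /var/log/apache2/access.log` (or the Nginx equivalent) and raise the error threshold to something suited to the store's normal traffic; the constructed sample uses a threshold of 2 only so that the six-line log produces a hit.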
Magento Security Audit
Magento store owners can choose from a wide variety of payment methods like PayPal, SagePay, Google Checkout, etc. The important thing here is that the payment methods need to be PCI compliant, which means that the method has adequate security measures to protect the transaction data from compromise.
Secure Hosting and SSL
Another crucial thing to check during the Magento security audit is the hosting provider. Is the hosting service safe? Is the shared web space properly segmented (subnetted) from other tenants? Going for a VPS would be a recommendation here. Moreover, the SSL certificate in use needs to be checked. Remember to obtain an SSL certificate only from a recognised certificate authority.
Ensure that the site is running on the latest version of Magento. Magento stops releasing security patches for older versions, so outdated sites are a security risk. Moreover, check that all the extensions are up to date. If the site is on the latest version, ensure that all the security patches released for it are installed.
Enabling two-factor authentication adds an extra layer of security to the Magento store. You can implement this via services like Google Authenticator, Authy, U2F Keys, Duo Security.
Users and File Permissions in Magento
Make sure to limit the resources each user can access. In Magento 2.3, set permissions through the following path in the admin panel:
System>Permission>User Roles>Click “Administrators”>Role Information>Role Resources>Role Access>Custom
From here, assign roles accordingly. File permissions are also necessary. To set them, log into the server and use any file manager (or the command line) to assign file permissions.
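Assigning file permissions by hand in a file manager does not tell you whether the result is right, so an audit should check the tree rather than trust it. The following shell script is an added example, not part of the original article or of the Magento project: it builds a throwaway directory that mimics the relevant parts of a Magento 2 tree (the files and their bad permissions are constructed for the demo), reports world-writable files, a world-readable `app/etc/env.php` (the file that holds the database credentials in a real store) and PHP files under the upload directory `pub/media`, and then applies a baseline of 755 for directories and 644 for files with the secrets file tightened to 640. The 640/750 values and the quarantine location are this example's own choices, not values prescribed by Magento.

```shell
#!/bin/sh
# Build a throwaway directory that mimics the parts of a Magento 2 tree the audit looks at
# (constructed for the demo; not a real installation). Prints its path.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/app/etc" "$root/pub/media" "$root/var" "$root/bin"
    printf '<?php return [];\n' > "$root/app/etc/env.php"        # holds DB credentials in a real store
    printf '#!/bin/sh\n'        > "$root/bin/magento"
    printf 'stub\n'             > "$root/pub/media/logo.png"
    printf '<?php echo 1;\n'    > "$root/pub/media/dropped.php"  # PHP under an upload dir: a classic post-compromise finding
    chmod 644 "$root/app/etc/env.php"      # world-readable credentials
    chmod 666 "$root/pub/media/logo.png"   # world-writable file
    chmod 755 "$root/bin/magento"
    chmod 644 "$root/pub/media/dropped.php"
    printf '%s\n' "$root"
}

# Each check prints one path per finding.
world_writable()   { find "$1" -type f -perm -0002; }
readable_secrets() { find "$1/app/etc" -type f -name env.php -perm -0004; }
php_in_media()     { find "$1/pub/media" -type f -name '*.php'; }

# Total number of findings; 0 means the tree passes.
audit_findings() {
    { world_writable "$1"; readable_secrets "$1"; php_in_media "$1"; } | wc -l | tr -d ' '
}

# Remediation: 755 for directories and 644 for files as the baseline, the secrets file readable
# only by its owner and the web-server group, the CLI entry point executable, and stray PHP moved
# to a quarantine directory so it can be analysed rather than silently deleted.
harden_tree() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
    chmod 640 "$1/app/etc/env.php"
    chmod 750 "$1/bin/magento"
    mkdir -p "$1/var/quarantine"
    find "$1/pub/media" -type f -name '*.php' -exec mv {} "$1/var/quarantine/" \;
}

# Example run on the constructed tree:
T=$(make_sample_tree)
echo "findings before: $(audit_findings "$T")"
harden_tree "$T"
echo "findings after:  $(audit_findings "$T")"
rm -rf "$T"
```

Against a real store, point `audit_findings` at the Magento root instead of the sample tree and read the individual check outputs before running `harden_tree`, since a store with custom writable directories needs the baseline adjusted rather than applied blindly.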
If the Magento store logs every activity, this helps in determining the cause of a hack. Moreover, check the availability of backups of the website during a Magento security audit. Ensure that at least 3-4 backups of the Magento store and its database are available. When using cloud hosting for the Magento store, make use of the automatic backups provided by the service provider.
Make sure that the Magento store is safe from bots and spam. To do this, you can implement a captcha on every input form, such as the contact and feedback forms. In Magento 2.3, add a captcha by visiting:
Ensure that the Magento store uses a firewall to filter bad requests. If not then get one today. Astra offers just the right security solution customized for Magento users. Moreover, Astra is an expert at Magento Penetration testing and security audit. A vetted team of hackers will scan your Magento store in and out for any vulnerabilities. Experience Magento security like never before.