PrestaShop has simplified online business for netizens. Be it shopping or selling, e-commerce sites could not have been more in demand. E-commerce rose to prominence and soon turned into an ore of data. Both personal and financial. PrestaShop websites are a quintessential example of this.
The web is full of possibilities as well as threats. PrestaShop hacking stats show that as many as 40% of PrestaShop websites are vulnerable to XSS attacks. Other 26.7% sites are vulnerable to Code injection, 20% to Gain Information attacks, 6.7% to SQL injection, etc. Additionally, a good number of PrestaShop websites run on outdated versions.
| Vulnerabilities | % Of All |
|---|---|
| XSS | 6 |
| DoS | 0 |
| Code Execution | 4 |
| Sql Injection | 1 |
| Directory Traversal | 0 |
| Http Response Splitting | 1 |
| Bypass something | 0 |
| Gain Information | 3 |
| Gain Privileges | 0 |
| CSRF | 0 |
| File Inclusion | 0 |
Operating your business on a vulnerable site can be a costly affair. This is where the need of a PrestaShop Security Audit & Penetration Testing comes in. A Security Audit can help you identify and fix underlying vulnerabilities in your site.
In today’s post, we are going to talk about how you can do complete a PrestaShop Security audit & penetration testing on your website. You will also find important tools that can make the whole process a breeze.
What is a PrestaShop Security Audit?
A security audit is the systematic analysis of the security of a software (PrestaShop in our case). It includes a thorough analysis of security issues that can be exploited by hackers in order to gain unauthorized access to your infrastructure.
Most PrestaShop sites are easy targets because they are not tested against real-life attacks. Hence, it is recommended to perform a full PrestaShop Security Audit on your site before deploying it for public access.
Also Read: Software Penetration Testing: A Complete Guide
Why do you need a PrestaShop Security Audit?
Data Breach is the worst thing that can happen to your company. It will ruin your customer’s trust in you forever. There are enough instances where a hack brought complete debacle to a business.
Hackers are interested in data such as email addresses, phone numbers, account numbers, etc. This makes all sites a target. When you throw financial data into the picture the propensity of a hacker towards it go up the roof.
Being a desirable target and being vulnerable at the same time can be disastrous, to say the least. To protect your website and eventually your business, it is necessary to patch each and every vulnerability on your website. PrestaShop Security Audits and Penetration Tests do exactly that.
Get the ultimate Prestashop security checklist with 300+ test parameters
Steps to carry-out a PrestaShop Security Audit
A good security audit will analyze every asset on your website (including add-ons, themes, core, etc.) for security vulnerabilities that can be exploited by hackers. It will map out all the security issues in a detailed report containing how to reproduce them. A PrestaShop penetration test, then, exploit these vulnerabilities. This step is crucial to estimate the weight of a vulnerability.
The first step is – Manual enumeration.
During this step, you will enumerate all the information that you can about the target i.e PrestaShop Website. This includes things like:
- the version of the software
- usernames
- login pages
- webpages
- any hidden information available on the site
There are various automated tools available for this. However, it is recommended that you follow the automated enumeration with some manual inspection.
A few of the automated tools are mentioned below:
1. Mozilla Observatory: Uncover CVE’s
Mozilla HTTP Observatory is one of the best online vulnerability scanners on the web. It is was made by the Mozilla Foundation. This vulnerability scanner will use different methods to identify security vulnerabilities and offer a fix to them.
In order to scan your site follow these steps:
1. Got to https://observatory.mozilla.org/
2. Enter your site URL in the ‘Scan Me‘ bar. That’s it!
3. The site will show you, your PrestaShop installation report.
This is will be a good starting point for your PrestaShop Security Audit. This will point out all the low-level security misconfigurations and version based CVEs that hackers can exploit against your site.
2. GoBuster: Detect Vulnerable Files & Directories
The method of trying common directories or file paths on a website to retrieve hidden file paths or directory is called Directory Busting or Dir Busting.
The tool we are going to use is GoBuster. It is simple and fast. It requires two arguments to run. First, the website you wanna attack (in our case is the PrestaShop Installation) and second, the wordlist you wanna attack it with.
The wordlist I’ll recommend is this one. It has a decent length and has all the common file paths and names that are generally exposed.
Now run the tool with the following command:
gobutser dir -u http://example.com -w wordlist
Once you find all the exposed file names, hide the sensitives ones and you are good to go.
3. LFI/RFI check
Local File Inclusion or Remote File Inclusion flaw allows an attacker to include a local file such as “/etc/passwd” or a remote file (mostly a malicious script) to be hosted on the server. This attack can allow an attacker to read source code file which may help in further exploitation or get Remote Code Execution(RCE).
The trick to noticing this attack is pretty simple. Since this attack depends on improper validation which can be exploited, you may be able to leak contents of file “/etc/passwd” on a Linux server.
If the above payload works you have potential LFI/RFI vulnerability. Try out some of these payloads to increase damage.
4. Password Brute Forcing
If the login form you found is not vulnerable to SQL Injection, Password Brute Forcing might get you access. The idea is to try all common passwords for a user until one of them works. The tool used for this process is Hydra.
Hydra is a popular brute-forcing tool used for this attack. You also can write your own script but hydra is optimized for speed thus will lot quicker. To use hydra simply run the command:
hydra [some command line options] [-s PORT] TARGET PROTOCOL [MODULE-OPTIONS]
PrestaShop Security Audit & Penetration Testing by Astra
I hope you did a successful security audit with the steps above. In case you didn’t, we are here to help.
Astra offers PrestaShop VAPT services that will make sure all the security vulnerabilities in your PrestaShop Site are corrected before it is deployed.
Sign up with Astra’s Vulnerability and Penetration Testing and leave the hard part to us. Astra’s hacker style security testing offers real-world attacks to the website and provides precise results of the vulnerabilities in your website.
Additional Read: WooCommerce Security Audit
This VAPT program covers detailed code analysis, business logic error testing, infrastructure testing, server configuration testing, and more.
The expert team of Astra makes sure no damage to the infrastructure is done during the audit. Astra makes sure that no security bug or vulnerability in your website is gone unseen. Thus provides rock-solid protection to your website and infrastructure from hackers.
Conclusion
The blog talked about why PrestaShop Security Audit is important for your company and how you can perform it in simple steps. Hackers are waiting for you to make one mistake. It’s better to secure your website before that.
If all this seems a hassle to you, you should check out Astra. Astra provides rock-solid security to your company’s infrastructure.