Penetration Testing

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
10 years ago
Hi,

I was wondering if anyone has performed a penetration test on 3.10?

I just ran it through HP Fortify on demand free and it came back with some issues relating to cross-site scripting, open redirect, code injection and header manipulation.

I used a clean build from source.

Regards,

David
10 years ago
Hi David,

I request you to share your findings privately with Andrei, the creator of nopCommerce.
10 years ago
Please share your results here
10 years ago
The findings of the report outlined 84 security vulnerabilities overall, the majority being low.

The breakdown is as follows:

Category                                   Severity  Count
Cross-Site Scripting: DOM                  Critical  4
Cross-Site Request Forgery                 Low       6
Cross-Site Scripting: DOM                  Critical  1
Cross-Site Request Forgery                 Low       9
Cross-Site Scripting: DOM                  Critical  5
Open Redirect                              Critical  10
Dynamic Code Evaluation: Code Injection    High      8
Header Manipulation: Cookies               High      1
Cross-Site Request Forgery                 Low       40

As the scan was a free scan, it provides limited scanning and only provided details for the first 10 vulnerabilities.

XSS in public.onepagecheckout.js at lines 292, 228, 455 and 99.

Cross-site request forgery vulnerabilities in:

anchor.htm:9
cite.htm:15
ins.htm:15
jquery-1.7.1-vsdoc.js:1932
jquery-1.7.1-vsdoc.js:1945
jquery-1.7.1-vsdoc.js:1932

I was mainly wondering if anyone had pen tested and had similar results, or whether Fortify was giving me silly results.

Regards,

David
10 years ago
Just wondering if anyone had had any thoughts on this?

Regards,

David
10 years ago
I think this software (HP Fortify) is a bit weird and currently useless. What does this list of "vulnerable" file names mean? jQuery library? How exactly could these vulnerabilities be used?
10 years ago
a.m. wrote:
I think this software (HP Fortify) is a bit weird and currently useless. What does this list of "vulnerable" file names mean? jQuery library? How exactly could these vulnerabilities be used?


You're absolutely right, Andrei. The most complete and widely used penetration testing software is the Acunetix Vulnerability Scanner and, believe me, I do run it for every release build and every upgrade. It has never found anything to worry about,
something really hard to maintain with the frequent releases and/or fixes nop has.
10 years ago
Just recently passed PCI Compliance with McAfee (excluding SSL as it was not installed at that moment). That was really heavy bombing of our website with dangerous requests. So, nopCommerce is safe to use.