Why Us
Products
Featured
Hot
Functional Testing
New
Live Testing
Automated Testing
Security Solution
Compatibility Testing
New
Performance Testing
New
Localization Testing Service
New
Featured
Real Device
Hot Instant access to a wide range of iOS and Android real devices
Automation
Hot Perform mobile app automated testing in popular frameworks
WeTest Monkey
Hot Quickly find basic compatibility issues
PerfDog
Hot An expert client-side performance testing tool
Game QA
Benchmark
PC Specification Benchmark New
Provide realtime market data and analysis on computer hardware and software such as GPU, CPU, RAM, etc.
PC Game Performance Benchmark New
Provide performance testing data for top games in main game genre, along with market data, user feedback, and system requirements, to offer in-depth industry performance insights.
Game Solution
Mobile Game Solution
Cutting-edge testing tools and unmatched QA services across the entire mobile game life cycle.
PC Game Solution
The most advanced testing tools and the most efficient QA service help co-creating high quality PC games with you.
Overseas Local User Testing
Test your digital products anytime, anywhere with real overseas testers and environments.
Game QA
WeTest provides one-stop solutions for the gaming industry.
Get the latest industry information through the instantly updated benchmark.
By leveraging our advanced testing tools and the most efficient expert service, you can unlock new opportunities, and ultimately drive success in the competitive gaming industry.
App QA
App Solution
Overseas Local User Testing
Test your digital products anytime, anywhere with real overseas testers and environments.
UDT Solution
UDT, Auto-Testing Device Farm, Revolutionize Testing Experience: Share, Auto-Testing, Debug, Manage, and Deploy Seamlessly.
App QA
WeTest App QA Solution offers a rapid, scalable, and reliable mobile testing solution that covers the entire development lifecycle, from inception to post-launch.
Our comprehensive suite of services includes real device cloud, automated testing capabilities, resource management, and localization quality testing.
Pricing
Resources & Community
Developers
Tech Community
Contact
Why Us Products Solution App QA Game QA Pricing Resources&Support Contact
WeTest/The WeTest Blog/How WeTest's Expert Penetration Testing Helped Identify Major Transaction Vulnerabilities in E-commerce Mini Programs/

How WeTest's Expert Penetration Testing Helped Identify Major Transaction Vulnerabilities in E-commerce Mini Programs

Case Study 2024-07-02 17:40 35
Discover how WeTest's expert penetration testing helped identify major transaction vulnerabilities in E-commerce mini programs

Overview

In this case, WeTest's penetration testing service helped a well-known retail company identify and address 8 security risks in their online shopping mini program, including high-risk vulnerabilities such as "free purchase" economic loss risk and employee privacy information leakage risk. Our security experts provided the customer with a detailed vulnerability report and a clear and comprehensive security reinforcement plan. In the regression testing, all medium and high-risk issues were resolved, reducing the overall security risk level of the mini program to low risk.

Customer Introduction

The client is a well-known retail company with an online shopping mini program focusing on providing innovative digital solutions and personalized shopping experiences. The client realized that their mini program was facing various potential cyberattacks and data leakage risks. To protect their business and the interests of their clients, they decided to conduct a comprehensive security penetration test to evaluate the security risks and reinforcement plans of the mini program system.

Business Pain Points

  • Lack of security capabilities in internal technical personnel: The client's in-house technical development personnel are relatively unfamiliar with security testing and do not have a deep understanding of various penetration tools and testing methods. They also lack experience and knowledge of common system and business vulnerabilities in the industry, making it difficult for them to conduct a comprehensive system penetration test on their own, which could potentially overlook security vulnerabilities.

  • High cost of security tools and learning: Market security tools and security policies iterate quickly, and different tools focus on different types of vulnerabilities. With the growth of the black and gray markets, various capabilities are also being updated at all times. If internal development personnel were to start learning immediately, both time and financial costs would be significant.

  • Business blind spots due to self-development: Internal employees have a good understanding of the mini program system and inherent knowledge of their business. However, this high level of understanding may lead to blind spots in detection and penetration testing.

WeTest Solution

  • Professional hacker mindset and adaptive methods: WeTest's penetration experts conducted static and dynamic manual penetration testing on the client's mini program, focusing on general web security, server system security, service component security, program code security, business logic security, and other aspects. This aimed to obtain security risks in the mini program's data usage, user data input, storage processing, network transmission, and system environment, providing a professional and reliable basis for mini program security reinforcement.

  • Customized inspection items for retail business: WeTest leveraged its experience in retail/online shopping mini programs' business vulnerabilities and customized 92 inspection items for the client's mini program and key business processes, including baseline inspection, data validation, data transmission, authorization, authentication, and session management.

  • Reverse analysis from a business development perspective: WeTest's security team reverse-engineered the mini program and analyzed the program's business logic from a developer's perspective. This allowed them to deeply study the internal logic and implementation details of the application, discovering potential vulnerabilities and security issues. By analyzing the source code, they could identify potential input validation deficiencies, buffer overflows, authentication issues, etc., which might not be discovered through traditional black-box testing methods.

  • Advanced attacks and vulnerability exploitation: WeTest's security team has extensive penetration testing skills and experience and has demonstrated excellent capabilities in advanced attacks and vulnerability exploitation. By deeply understanding the internal workings and logic of the target system, they were able to develop customized attack tools and exploit code to verify the system's security, such as discovering two security vulnerabilities of 0 yuan purchase of gifts through reverse engineering, guessing, and combining multiple security risks.

  • Clear and detailed penetration test report and interpretation: WeTest's security team provided a detailed test report and repair suggestions, and explained the principles, exploitation methods, risks, and repair suggestions for each security risk to the client through remote meetings. They are committed to helping clients improve the security of their programs and data assets.

Business Results

After a comprehensive security assessment, WeTest's penetration testing team rated the client's online shopping mini program risk level as high risk.

  • 8 security risks were discovered in the test results: 2 high-risk, 5 medium-risk, and 1 low-risk.

  • Some examples are as follows:

    • Order interface risk of free riding
    • Shopping cart interface risk of free riding
    • Bypassing front-end restrictions to add an excessive amount to the shopping cart

 

  • WeTest provided corresponding solutions for the vulnerabilities in the mini program. 

  • Some examples are as follows:

    • Vulnerability 1: WeTest's security team found that the shopping cart interface's parameter verification was not strict, allowing users to bypass the restriction of not being able to add gifts to the shopping cart and purchase gifts for 0 yuan, causing significant economic losses. Repair suggestion: Strengthen server-side parameter verification logic, prohibit gift IDs from being added to the shopping cart  as product IDs.
    • Vulnerability 2: WeTest's security team cracked the encryption method of the order interface and found that by forging data, gifts could be purchased directly for 0 yuan. Repair suggestion: Increase the complexity of the signature method, and have the order interface verify scenarios where only gifts are present and products are empty.
    • Vulnerability 3: WeTest's security team discovered a crawler vulnerability by reverse engineering and forging the mini program's request token, leading to product information being crawled. Repair suggestion: Strengthen the mini program's source code to increase the difficulty of cracking or move the token generation logic to the server-side.

 

WeTest Products & Services Used

Customer Testimonial

In our developed online shopping mini program, WeTest team discovered and helped fix system vulnerabilities that could potentially lead to significant economic losses and user data leaks. We sincerely thank the professional team at WeTest for their efforts and expertise in providing important security guarantees for our system. In the future, we will continue to focus on the security of our applications, conduct regular inspections, and carry out point-to-point reinforcement.

penetration-test
Related Product
Penetration Testing Simulated hacker attacks to identify program vulnerabilities
Learn More
Pricing
订阅新功能推广裂变活动
Latest Posts
1Browserstack vs Saucelabs: Detailed Overview Browserstack vs saucelabs: This article compares the top cloud-based testing tools for better cross-browser compatibility and for testing applications on real devices and real browsers.
2How to Use WeTest's Penetration Testing Services User's guide on how to try out WeTest's penetration testing services
3How WeTest's Expert Penetration Testing Helped Identify Major Transaction Vulnerabilities in E-commerce Mini Programs Discover how WeTest's expert penetration testing helped identify major transaction vulnerabilities in E-commerce mini programs
4Penetration Testing: Why You Should Choose WeTest Services Try out WeTest's Penetration Testing Services, which offer a comprehensive solution for businesses looking to identify and address vulnerabilities in their systems, networks, or apps.
5Penetration Testing: What It Is and Why It Is Important Explore the importance of penetration testing in identifying vulnerabilities and enhancing security controls in websites, systems & apps.
Popular Products
Real Device Cloud PerfDog App Compatibility Testing PC Compatibility Testing PC Performance Testing
APP QA
UDT Solution App Test Solution Overseas Local Solution
Game QA
Mobile Game Solution PC Game Solution PC Benchmark
Resources
Blog Documents Forum Webinar FAQ Download Center
WeTest
About WeTest Customers Contact Us
ISO 9001:2015
Quality Management System Certification
ISO/IEC 20000-1:2018
IT Service Management System Certification
ISO/IEC 27001:2013
ISO/IEC 27001:2013
Copyright © 1998 - 2024 Top Range Mobile Limited.(WeTest.net) All Rights Reserved
Limited Time Offer
help