Client Overview
A rapidly growing e-commerce platform with customer storefront, seller dashboard, admin panel, and multiple third-party API integrations for payment, logistics, and inventory. They had conducted basic vulnerability scans but never a manual penetration test.
Challenge
Rapid feature releases without security reviews had created an expanding attack surface. The platform handled payment card data and personal information, making it a high-value target. PCI DSS compliance was upcoming.
Our Approach
Codesecure conducted a thorough web application VAPT covering the following areas:
• Authenticated and unauthenticated testing across all roles (customer, seller, admin)
• OWASP Top 10 testing — SQL injection, XSS, CSRF, IDOR, authentication bypass
• Business logic testing — price manipulation, coupon abuse, order tampering, privilege escalation
• Payment flow analysis covering tokenisation, callback handling, refund logic
• API testing for all REST endpoints
• Session management review
• Reporting with proof-of-concept exploits
Results
32 vulnerabilities were identified — 5 critical, 11 high, and 16 medium severity.
Critical findings included:
• IDOR allowing access to other customers' order details
• Price manipulation in cart API
• Stored XSS in seller product description
• Missing rate limiting on login enabling brute force
• Exposed admin API with no authentication
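To make three of the finding classes above concrete from the remediation side, here is an added illustration (not the client's code and not Codesecure's deliverable) showing the vulnerable pattern beside its hardened form for the IDOR on order details, the client-trusted price in the cart API, and the missing login rate limit. The in-memory dictionaries, product SKUs, customer names and thresholds are constructed for the example; a real platform would back them with its database and session layer.

```python
"""Constructed example: vulnerable vs. hardened handlers for three finding classes.
All data below is made up; nothing here is taken from the assessed platform."""
from collections import defaultdict, deque

# Constructed sample data. Money is held in integer cents to avoid float rounding.
ORDERS = {
    1001: {"customer_id": "alice", "total_cents": 5990},
    1002: {"customer_id": "bob", "total_cents": 1250},
}
PRODUCTS = {"sku-100": 2500, "sku-200": 1000}  # server-side price list


class NotFound(Exception):
    """Raised for missing orders and for orders the caller does not own."""


# --- Finding 1: IDOR on order details ---------------------------------------

def get_order_insecure(session_user, order_id):
    # Vulnerable: looks the order up by id only; any logged-in user can read any order.
    return ORDERS[order_id]


def get_order_secure(session_user, order_id):
    # Hardened: the owner check is part of the lookup, not a separate optional step.
    order = ORDERS.get(order_id)
    if order is None or order["customer_id"] != session_user:
        # Same response for "missing" and "not yours" so ids cannot be enumerated.
        raise NotFound()
    return order


def can_view_order(session_user, order_id):
    """Boolean wrapper around the hardened lookup, convenient for access tests."""
    try:
        get_order_secure(session_user, order_id)
        return True
    except NotFound:
        return False


# --- Finding 2: price manipulation in the cart API ---------------------------

def cart_total_insecure(items):
    # Vulnerable: sums the "price" field the client sent with each line item.
    return sum(i["price"] * i["qty"] for i in items)


def cart_total_secure(items):
    # Hardened: price always comes from the server-side catalogue; the client's
    # "price" field is ignored, and quantity is validated before use.
    total = 0
    for i in items:
        sku, qty = i.get("sku"), i.get("qty")
        if sku not in PRODUCTS:
            raise ValueError("unknown sku")
        if not isinstance(qty, int) or isinstance(qty, bool) or qty < 1 or qty > 100:
            raise ValueError("invalid quantity")
        total += PRODUCTS[sku] * qty
    return total


# --- Finding 3: missing rate limiting on login ------------------------------

class LoginRateLimiter:
    """Sliding-window limiter keyed per account (or per account+IP in production).

    The clock is passed in by the caller so behaviour is deterministic and testable;
    a real deployment would use time.monotonic() and a shared store such as Redis.
    """

    def __init__(self, max_attempts=5, window_seconds=300):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures

    def allow(self, key, now):
        q = self._failures[key]
        while q and now - q[0] >= self.window:  # drop failures outside the window
            q.popleft()
        return len(q) < self.max_attempts

    def record_failure(self, key, now):
        self._failures[key].append(now)


if __name__ == "__main__":
    print("alice sees her order:", can_view_order("alice", 1001))
    print("alice sees bob's order:", can_view_order("alice", 1002))
    cart = [{"sku": "sku-100", "qty": 2, "price": 1}]  # client claims 1 cent each
    print("insecure total:", cart_total_insecure(cart), "secure total:", cart_total_secure(cart))
```

The two lookups differ in exactly one place, which is the usual shape of an IDOR fix: the ownership predicate belongs inside the data access, so that a new endpoint cannot forget it. For the cart, the only client-controlled inputs that survive are the SKU and a bounded integer quantity. The limiter counts failures rather than attempts so that legitimate users who type the right password are never locked out by their own successes.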
All critical and high findings were remediated. A revalidation assessment confirmed successful remediation.
Conclusion
Regular web application VAPT is essential for e-commerce platforms handling financial transactions. We helped the client protect customers and align with PCI DSS requirements. Contact Codesecure to learn how we can help safeguard your web application and customer data.