2019.11 — Security audit by SektionEins

Edit on GitHub

Between October 7th and November 22nd, 2019 SektionEins performed a source code audit and penetration test of the two variants of the Spryker Framework, called Spryker B2B and Spryker B2C.

SektionEins conducted the audit.

The evaluation of the Commerce OS was done without having prior knowledge of the source code, to protect it from attackers. Where it was the case, the found vulnerabilities were verified using the B2B and B2C Demo Shops.

Here is the summary of the security audit report:

Procedure

The security audit followed the steps below:

  • Source code audit: This step mainly consisted of the manual reading of the source code with added support from using pattern scanning tools that search for specific functions known to add vulnerabilities to the system.
  • Penetration testing: The Spryker Commerce OS was tested manually as well as with automated attack tools to detect the most obvious security issues.
  • Risk assessment A risk evaluation was performed on all the vulnerabilities that were found during the previous two steps.

Commerce OS security audit results

During the source code audit and penetration testing, no actual vulnerabilities could be identified within the Spryker code. Most of the findings are either marked as comments or have only low and medium impact. The functional problems are related to permissive regular expressions, unsafe file creation, instantiation of objects, and problems with some missing but recommended HTTP headers.

The safe use of functions and the lack of critical vulnerabilities such as SQL injection and Cross-Site Scripting show that the frameworks seem robust against a great range of attacks. The source code of Spryker is well structured and easy to read and extend. We use functionality to make sure that no critical PHP functions are used which can easily be extended to cover other probable issues. It also contains PHPStan, a static analysis tool for PHP code.

For each of the security vulnerabilities, a detailed risk analysis has been performed that is documented throughout the report. For more information, please reach out for a more extended version of this report to Spryker Systems.

For a list of secure coding recommendations, see Secure Coding Practices.