2020.11 — Penetration test by Port Zero (executive summary)

Edit on GitHub

During October and November 2020 the “Spryker Commerce B2C” & “Spryker Commerce B2B” of Spryker Systems GmbH were tested for security vulnerabilities and risks. The penetration testers of Port Zero GmbH rated all security vulnerabilities and gave tips for improving and fixing the issues in the penetration test report.

The penetration test was conducted voluntarily and is based on the recognized industry standard of the “OWASP Testing Guide v4.1 (2020)” as well as on the “Implementation Concept for Penetration Tests” of the German Federal Office for Information Security. Overall, the security of Spryker Commerce B2C and Spryker Commerce B2B gave a positive impression. The penetration test revealed some information leakages, including subdomain names, software in use, version numbers, and TCP timestamps (all available without login). However, regarding Transport Layer Security (TLS), a very high-security standard (see Appendix) is in place. The security of the central authentication mechanisms and session management is working well.

image

During the penetration test, a few medium- and high-rated vulnerabilities such as weak password policies, persistent Cross-Site-Scripting (XSS), and Cross-Site-Request-Forgery (CSRF) were discovered. Due to the general security concept, it was not possible to harm the security in such a manner that the server or complete was taken over. There are several mitigation mechanisms like the security header in place, and it made use of the best practice like using secure and the HttpOnly flag on each cookie. In summary, the security of the shop systems is ensured by effective protection measures and can be enhanced at some points.

For each of the security vulnerabilities, a detailed risk analysis has been performed that is documented throughout the report. For more information, please reach out for a more extended version of this report to Spryker Systems.