
How WeTest's Expert Penetration Testing Helped Identify Major Transaction Vulnerabilities in E-commerce Mini Programs


Overview

In this engagement, WeTest's penetration testing service helped a well-known retail company identify and address 8 security risks in its online shopping mini program, including high-risk findings such as a "free purchase" flaw (goods obtainable for 0 yuan, a direct economic loss) and leakage of employee personal information. Our security experts gave the customer a detailed vulnerability report and a clear, comprehensive reinforcement plan. In regression testing, all medium- and high-risk issues were confirmed fixed, bringing the mini program's overall risk rating down to low.

Customer Introduction

The client is a well-known retail company whose online shopping mini program focuses on innovative digital solutions and personalized shopping experiences. The client recognized that the mini program was exposed to a range of potential cyberattacks and data leakage risks. To protect its business and its customers, it decided to commission a comprehensive penetration test to evaluate the security risks of the mini program system and plan its reinforcement.

Business Pain Points

  • Limited in-house security expertise: the client's development team had little hands-on experience with security testing, with penetration tools and methodology, or with the system and business-logic vulnerabilities common in the industry. A thorough penetration test conducted on their own was therefore impractical and would likely have missed vulnerabilities.

  • High cost of tooling and training: security tools and policies iterate quickly, each tool covers a different class of vulnerability, and the black and gray markets that target e-commerce platforms keep updating their techniques. Bringing the internal team up to speed from scratch would have cost significant time and money.

  • Blind spots from testing one's own system: internal staff know the mini program and its business intimately, but that familiarity breeds assumptions about how the system is "supposed" to be used, which is exactly where an attacker looks for abuse paths.

WeTest Solution

  • Hacker mindset and adaptive methods: WeTest's penetration experts performed static and dynamic manual testing of the client's mini program, covering general web security, server and OS security, service component security, application code security, business-logic security, and other areas. The goal was to surface risks in how the mini program uses data, accepts user input, stores and processes it, transmits it over the network, and interacts with its runtime environment, giving the client a professional, reliable basis for reinforcement.

  • Inspection items tailored to retail: drawing on its experience with business-logic vulnerabilities in retail and online shopping mini programs, WeTest customized 92 inspection items for the client's mini program and its key business flows, covering baseline configuration, data validation, data transmission, authorization, authentication, and session management.

  • Reverse analysis from a developer's perspective: WeTest's security team reverse-engineered the mini program package and analyzed its business logic as a developer would, studying the application's internal logic and implementation details. Reviewing the recovered source exposed input validation deficiencies, buffer overflows, authentication weaknesses, and similar defects that traditional black-box testing might not reach.

  • Advanced attacks and vulnerability exploitation: WeTest's security team has extensive exploitation experience. By understanding the target's internal workings, they developed custom attack tooling and exploit code to verify its security, for example discovering two distinct ways to obtain gifts for 0 yuan by combining reverse engineering, parameter guessing, and several lower-severity weaknesses.

  • Clear, detailed report and walkthrough: WeTest delivered a detailed test report with remediation advice, and in remote meetings explained the principle, exploitation method, risk, and fix for each finding, with the aim of helping the client improve the security of its application and data assets.

Business Results

After the assessment, WeTest's penetration testing team rated the client's online shopping mini program as high risk overall.

  • 8 security risks were found: 2 high-risk, 5 medium-risk, and 1 low-risk.

  • Examples include:

    • Order interface: free-purchase risk (goods obtained without paying)
    • Shopping cart interface: free-purchase risk
    • Bypassing front-end restrictions to add an excessive quantity to the shopping cart

  • WeTest provided corresponding fixes for the vulnerabilities in the mini program. Some examples are as follows:

    • Vulnerability 1: the shopping cart interface validated its parameters loosely. A user could bypass the rule that gifts cannot be added to the cart by submitting a gift ID in the product ID field, then check out and receive the gift for 0 yuan, a direct economic loss. Fix: strengthen server-side parameter validation so that gift IDs are rejected when submitted as product IDs. The front-end restriction alone is not a control, since requests can be crafted outside the mini program.
    • Vulnerability 2: WeTest broke the order interface's encryption and signing scheme and found that, by forging the request data, gifts could be purchased directly for 0 yuan. Fix: strengthen the signature scheme, and have the order interface reject orders that contain only gifts and no purchased products. A signature computed entirely inside the mini program can always be recovered by reverse engineering, so the server-side check on order contents is the control that actually stops the attack.
    • Vulnerability 3: by reverse-engineering the mini program and forging its request token, WeTest could crawl product information at will. Fix: harden the mini program's source code to raise the cost of reverse engineering, or better, move token generation to the server side so the client never holds the material needed to forge a token.


Customer Testimonial

In the online shopping mini program we developed, the WeTest team discovered and helped fix system vulnerabilities that could potentially have led to significant economic losses and user data leaks. We sincerely thank the professional team at WeTest for their efforts and expertise in providing important security guarantees for our system. In the future, we will continue to focus on the security of our applications, conduct regular inspections, and carry out point-to-point reinforcement.
