
I found the "Testing Guide", but it is 300 pages long. Reading it and testing for myself would be fine, but I wonder whether someone has already done this work. When I searched for this, I found a thread on the OC forums about PCI compliance, but that is a tangent.

So, does anyone know, specifically, whether OpenCart is hardened against the OWASP Top 10 list of threats?

1 Answer

AFAIK, and from my poor testing (and because I know how OC is written), I could say that base OC (without any 3rd party extensions) is safe from:

  • broken access control
  • all user input is validated, thus safe from SQL or other injection
  • XSS
  • insecure cryptographic storage - OC does not store any sensitive data and default online payment options are processed via SSL
  • DoS (indirectly - nowadays server firewalls distinguish a DoS attack and block the communication from those IPs)
  • insecure direct object references (only allowed types of resources could be uploaded and downloaded unless direct access to an FTP)
  • security misconfiguration - OC config files are not accessible, users should keep their stores up to date themselves...

What I did not check/encounter so far:

  • Buffer overflow due to a foreign language (different encoding set) input

Weaker points (not defects!):

  • OC frontend is not well protected against CSRF, backend is
  • session management - the problem with the possibility of decrypting the session information is the same as in over 95% of web applications
  • until directly set/unset, OC will report and display any error message that may occur that helps an attacker to easily find possible exploits...

From my view, OC is a very safely written open source e-commerce solution! (Unless compromised with poorly written extensions...)

answered 2012-12-19T10:14:14.077