AFAIK, and from my poor testing (and because I know how OC is written), I could say that base OC (without any 3rd party extensions) is safe from:
- broken access control
- all user input is validated, thus safe from SQL or other injection
- XSS
- insecure cryptographic storage - OC does not store any sensitive data and default online payment options are processed via SSL
- DoS (indirectly - nowadays server firewalls distinguish a DoS attack and block the communication from those IPs)
- insecure direct object references (only allowed types of resources could be uploaded and downloaded unless there is direct access to an FTP)
- security misconfiguration - OC config files are not accessible, users should keep their stores up to date themselves...
What I did not check/encounter so far:
- Buffer overflow due to a foreign language (different encoding set) input
Weaker points (not defects!):
- OC frontend is not well protected against CSRF, backend is
- session management - the problem with the possibility of decrypting the session information is the same as in over 95% of web applications
- until directly set/unset, OC will report and display any error message that may occur, which helps an attacker to easily find possible exploits...
From my view, OC is a very well and safely written open source e-commerce solution! (Unless compromised by poorly written extensions...)