Security Engagement Overview
Industry Profile
A major European e-commerce platform enabling third-party sellers, customer orders, and financial transactions through web and mobile channels.
Assessment Scope
The client's accelerated growth outpaced its security defenses, leading to overlooked vulnerabilities across logic, design, and legacy components.
- SQL Injection in Authentication Workflow
- Logic Flaws in Refund and Order Processing
- Insecure Public APIs with Misconfigured Permissions
Vulnerability Analysis
- SQL Injection Entry Point: Legacy login embedded user input directly into SQL queries without validation.
- Logic Flaw in Transaction Flow: Refunds were triggered prior to delivery sync due to timing mismatches.
- API Weaknesses: Absence of verification, rate limits, and filtering exposed internal systems and enabled fake listings.
Mitigation Strategy
- Replaced raw SQL with parameterized queries and ORM standards
- Added delivery status locks and abuse detection within workflows
- Hardened APIs using OAuth2, schema validation, and authentication layers
Strategic Takeaways
- Security must evolve with business logic—traditional scans aren't enough
- APIs need robust access control and layered defenses
- Manual testing reveals business-level exploits missed by automation
- Proactive security embedded into dev workflows saves time and cost