The challenge
A growing online store with no prior security testing, and a PCI audit on the horizon
The client had been operating their e-commerce platform for four years, processing thousands of card transactions annually. The platform had grown organically: features added by different developers, plugins installed and forgotten, and an admin interface that had never been reviewed for external exposure. A payment processor audit notice triggered the decision to finally test.
Their development team had strong product instincts but no dedicated security resource. There had been no penetration test, no code review for injection vulnerabilities, and no formal process for evaluating third-party plugins before installation. By the time we engaged, the attack surface was larger than anyone on the team realised.
No prior penetration testing
Platform had never been formally assessed: attack surface unknown and unmanaged
PCI scope flagged by payment processor
Audit requirement triggered with no existing documentation or remediation baseline
Admin panel accessible without authentication
A legacy admin endpoint was reachable from the public internet with no login required
Legacy database with no access controls
Order and customer data stored in a legacy DB with overly permissive query access
Plugins with known CVEs still active
Five installed plugins carried unpatched CVEs: one with a public exploit available since 2022
No WAF or rate limiting in place
Checkout and login endpoints had no brute-force protection or web application firewall coverage
Our findings
What the penetration test uncovered
garrisonOne conducted a black-box and grey-box assessment across the web application, REST API, and payment flow. Testing covered authentication, session management, injection flaws, access control, business logic, and third-party component security.
3
SQL injection points found in product search and checkout parameters
1
Unauthenticated admin panel accessible from the public internet
IDOR
Broken object-level authorization on order history API: any order accessible by ID
5
Installed plugins carrying unpatched CVEs, one with a live public exploit
The most critical finding was the unauthenticated admin endpoint: reachable directly via URL and exposing order management, customer data export, and discount code generation with no credentials required. Combined with the IDOR vulnerability on the order API, a low-sophistication attacker could enumerate and export the entire customer transaction history without ever authenticating to the application.
What we did
A structured four-phase penetration test
Scoped to cover the full web application, REST API, and payment processing flow; delivered over five days with a remediation walkthrough and retest included.
Phase 1
Reconnaissance & Attack Surface Mapping
Enumerated the full application surface: all endpoints, API routes, third-party integrations, and exposed admin interfaces. Identified subdomain structure, server headers, technology stack, and all publicly accessible components before active testing began.
Phase 2
Web Application Testing
Tested all application functionality against the OWASP Top 10, covering injection flaws, broken authentication, session management, access control, security misconfigurations, and cross-site scripting. SQLi testing across all user-controllable parameters identified three exploitable injection points in product search, checkout, and URL parameters.
Phase 3
API & Payment Flow Testing
Tested all REST API endpoints for broken object-level authorization, mass assignment vulnerabilities, and authentication bypass. Reviewed the payment integration for improper order total handling, discount stacking, and card data exposure. Identified IDOR on the order history API and a discount logic bypass allowing negative-value orders.
Phase 4
Report, Remediation Walkthrough & Retest
Delivered a full penetration test report with CVSS scoring, proof-of-concept evidence, and step-by-step remediation guidance for every finding. Ran a live walkthrough session with the development team. Conducted a retest 21 days later to confirm all 14 vulnerabilities were closed and document closure for PCI submission.
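The SQL injection, IDOR and discount-bypass findings from Phases 2 and 3 share one remediation pattern. The block below is an added illustration written for this page, not the client's code or garrisonOne's deliverable: a constructed in-memory store with a parameterized product search, an order lookup whose ownership check is part of the query, and a checkout total that refuses stacked codes and never goes negative. Table contents and the discount codes are made up.

```python
import sqlite3

# Constructed sample data standing in for the store's product and order tables.
SCHEMA = """
CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price_cents INTEGER);
CREATE TABLE orders (id INTEGER PRIMARY KEY, customer_id INTEGER, total_cents INTEGER);
INSERT INTO products VALUES (1, 'Blue Hoodie', 4500), (2, 'Red Hoodie', 4700), (3, 'Socks', 900);
INSERT INTO orders VALUES (1001, 7, 4500), (1002, 8, 1800), (1003, 7, 900);
"""
# Hypothetical discount table (code -> value in cents); the real codes are not on the page.
DISCOUNTS = {"SAVE10": 1000, "SAVE50": 5000}


def open_store():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def search_products(conn, term):
    """Product search with the term bound as a parameter, never spliced into SQL."""
    # A quote or comment sequence in `term` is just text to match; the statement
    # the database parses is identical for every input.
    rows = conn.execute(
        "SELECT id FROM products WHERE name LIKE ? ORDER BY id",
        (f"%{term}%",),
    ).fetchall()
    return [row[0] for row in rows]


def get_order(conn, customer_id, order_id):
    """Order lookup with object-level authorization built into the query."""
    # Ownership is part of the WHERE clause, so another customer's order looks
    # exactly like a non-existent one: nothing can be enumerated by ID.
    row = conn.execute(
        "SELECT id, total_cents FROM orders WHERE id = ? AND customer_id = ?",
        (order_id, customer_id),
    ).fetchone()
    return None if row is None else {"id": row[0], "total_cents": row[1]}


def checkout_total(subtotal_cents, codes):
    """Apply at most one known code and never let the total drop below zero."""
    if len(codes) > 1:
        raise ValueError("discount codes cannot be stacked")
    if any(code not in DISCOUNTS for code in codes):
        raise ValueError("unknown discount code")
    discount = sum(DISCOUNTS[code] for code in codes)
    # Clamp rather than subtract blindly: a code larger than the basket yields
    # a zero-value order, not a negative one.
    return max(0, subtotal_cents - discount)
```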
Key deliverables
- Full penetration test report: CVSS-scored with proof-of-concept evidence and prioritised remediation guidance for all 14 findings
- Immediate out-of-band disclosure for critical findings: admin panel issue communicated within 2 hours of discovery
- Developer remediation walkthrough covering SQL injection fixes, access control patterns, and plugin patching approach
- Retest confirmation report verifying closure of all 14 vulnerabilities: suitable for submission to payment processor
- Plugin audit log with CVE references, patch status, and recommendations for ongoing third-party component management
- WAF deployment guidance and rate limiting configuration recommendations for checkout, login, and API endpoints
Outcomes
From zero security testing to a clean PCI pre-audit in 30 days
The client entered remediation immediately after the initial report. Within 30 days, all 14 findings were closed, as verified by garrisonOne's retest. The payment processor pre-audit was passed, and the development team adopted a formal security review process for all future plugin installations and API changes.
Passed
PCI pre-audit by payment processor
Retest report submitted directly: audit passed with no outstanding findings.
14 / 14
Vulnerabilities closed within 30 days
Every critical, high, and medium finding remediated and verified by retest.
Zero
Unauthenticated admin access
Legacy endpoint locked down and moved behind authenticated, IP-restricted access.
Closed
SQL injection across all 3 parameters
Parameterized queries implemented throughout: injection surface fully eliminated.
WAF live
Web application firewall deployed
Rate limiting and WAF rules active on checkout, login, and all API endpoints.
5 / 5
CVE plugins patched or removed
All vulnerable plugins updated or replaced: plugin audit process now formalised.
"When garrisonOne told us there was an admin panel anyone on the internet could reach without a password, I thought they were mistaken. They weren't. Having everything fixed and verified before the PCI audit was a weight off the entire team."
CTO, Mid-Size E-Commerce Retailer