SHAMROCK SECURITY · File No. SS·2026 / Dublin

Threat Intelligence // File 006

Inside a Web App Pen Test: Critical Flaws in an Irish E-Commerce Site

By Shreesh · 28 April 2026 · Shamrock Security


We were asked to test a mid-sized Irish e-commerce site before a busy trading season. The brief was simple: find what an attacker would find. We found enough to take over the whole platform, and the customer database with it.

SQL Injection

The product search box passed user input straight into a database query, with no parameterisation between the two. A single crafted search string dumped the entire customer table: names, addresses and order history. This class of flaw is decades old and still everywhere.
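To make the mechanism concrete, here is an added example (not code from the site or from Shamrock Security) using an in-memory SQLite database. The table names, the two sample customers and the UNION payload are constructed for the illustration; the real query, schema and payload on the engagement are not published. The vulnerable function splices the search term into the SQL text, the fixed one binds it as a parameter, and the same payload is run through both.

```python
import sqlite3

# Constructed sample data standing in for the shop's real tables.
PRODUCTS = [(1, "Hurley stick", 45.0), (2, "Rain jacket", 89.0)]
CUSTOMERS = [
    (1, "Aoife Byrne", "12 Dame Street, Dublin 2"),
    (2, "Cian Murphy", "4 Patrick Street, Cork"),
]


def open_shop_db():
    """In-memory SQLite shop with a products table and a customers table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER, name TEXT, price REAL)")
    db.execute("CREATE TABLE customers (id INTEGER, name TEXT, address TEXT)")
    db.executemany("INSERT INTO products VALUES (?, ?, ?)", PRODUCTS)
    db.executemany("INSERT INTO customers VALUES (?, ?, ?)", CUSTOMERS)
    return db


def search_vulnerable(db, term):
    """The flaw: the search term is spliced into the SQL text, so the
    database cannot tell where the query ends and the user's input begins."""
    sql = f"SELECT name, price FROM products WHERE name LIKE '%{term}%'"
    return db.execute(sql).fetchall()


def search_fixed(db, term):
    """The fix: the term is bound as a parameter. Whatever it contains is
    compared as data; it never becomes part of the statement."""
    sql = "SELECT name, price FROM products WHERE name LIKE ?"
    return db.execute(sql, (f"%{term}%",)).fetchall()


# Constructed payload: closes the LIKE literal, appends a UNION that pulls
# two columns from the customer table, and comments out the trailing "%'".
PAYLOAD = "' UNION SELECT name, address FROM customers -- "


def customer_rows_leaked(rows):
    """Return the customer records, if any, that came back from a product search."""
    known = {(name, address) for _, name, address in CUSTOMERS}
    return [row for row in rows if tuple(row) in known]


if __name__ == "__main__":
    db = open_shop_db()
    print("vulnerable:", search_vulnerable(db, PAYLOAD))
    print("fixed:     ", search_fixed(db, PAYLOAD))
```

With the vulnerable search the payload turns the product query into a UNION over the customer table and every customer row comes back alongside the products; with the parameterised version the same payload is just a string that no product name contains, and the result is empty. The wildcard handling also shows the one subtlety of LIKE: the percent signs are added to the bound value, not to the SQL.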

Broken Authorisation

Changing the order number in the URL revealed other customers' invoices. There was no check that the logged-in user actually owned the record. Insecure direct object references like this leak data quietly and at scale: once one order number works, a short script can walk through the rest.
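The following is an added example of the broken lookup beside the fixed one; it is not the site's code, and the orders table, the order numbers and the customer ids are constructed for the illustration. The fixed handler does not bolt an ownership check on after the fact; it puts the logged-in customer id into the query, so an order belonging to someone else is simply not found. The last function replays the tester's approach of walking a range of order numbers and reports which ones came back belonging to another customer.

```python
import sqlite3

# Constructed orders: the second column is the owning customer id.
ORDERS = [
    (1001, 1, "Hurley stick", 45.0),
    (1002, 2, "Rain jacket", 89.0),
    (1003, 2, "Sliotar (3 pack)", 18.0),
]


def open_orders_db():
    """In-memory SQLite orders table."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, customer_id INTEGER, "
        "item TEXT, total REAL)"
    )
    db.executemany("INSERT INTO orders VALUES (?, ?, ?, ?)", ORDERS)
    return db


def invoice_vulnerable(db, session_customer_id, order_id):
    """The flaw: the order id from the URL is the only filter. The session's
    customer id is available to the handler but never consulted."""
    sql = "SELECT id, customer_id, item, total FROM orders WHERE id = ?"
    return db.execute(sql, (order_id,)).fetchone()


def invoice_fixed(db, session_customer_id, order_id):
    """The fix: ownership is part of the query, so a record the caller does
    not own is indistinguishable from one that does not exist. The HTTP
    layer should answer 404 in both cases; a 403 would confirm the id is real."""
    sql = ("SELECT id, customer_id, item, total FROM orders "
           "WHERE id = ? AND customer_id = ?")
    return db.execute(sql, (order_id, session_customer_id)).fetchone()


def foreign_invoices(db, session_customer_id, lookup, id_range):
    """Walk a range of order ids the way the test did and list the ones that
    came back belonging to another customer. A correct handler yields none."""
    leaked = []
    for order_id in id_range:
        row = lookup(db, session_customer_id, order_id)
        if row is not None and row[1] != session_customer_id:
            leaked.append(order_id)
    return leaked


if __name__ == "__main__":
    db = open_orders_db()
    print("vulnerable, logged in as customer 1:",
          foreign_invoices(db, 1, invoice_vulnerable, range(1000, 1010)))
    print("fixed, logged in as customer 1:",
          foreign_invoices(db, 1, invoice_fixed, range(1000, 1010)))
```

The same pattern applies to any object keyed by a client-supplied id (addresses, saved cards, support tickets): the query, not the view layer, carries the owner predicate, and every handler that takes an id uses it.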

Weak Password Storage

Passwords were hashed with unsalted MD5. On modern hardware that is barely better than plaintext: MD5 is fast enough to test billions of candidates per second on a single GPU, and without a salt one pass over a wordlist, or one precomputed table, cracks every account at once, with identical passwords showing up as identical hashes. A single database leak would expose every account, and people reuse passwords everywhere.

Recommendations

Use parameterised queries everywhere, not just in the search box. Enforce an authorisation check on every object lookup by scoping the query to the logged-in user. Replace MD5 with bcrypt or Argon2 (Argon2id for new systems) and rehash legacy accounts transparently at their next successful login. Add rate limiting on login and search, and a web application firewall as a second layer, not as the fix. The test cost four thousand euro and probably saved them from a Data Protection Commission investigation.
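As an added example covering both the weak storage described above and the password recommendation (this is illustrative code, not the site's or Shamrock Security's), the block below first shows why unsalted MD5 falls in one pass over a wordlist, then implements the replacement with a per-user salt and a transparent upgrade at login. The usernames, passwords and wordlist are constructed. The recommendation is bcrypt or Argon2; scrypt from Python's standard library is used here so the example runs with no third-party packages, and hash_password/verify_password are the only two functions to swap for argon2-cffi or bcrypt calls.

```python
import hashlib
import hmac
import os

# Constructed legacy records in the format found on the site: unsalted MD5.
# Two customers chose the same password, so they share a hash.
LEGACY_USERS = {
    "aoife": hashlib.md5(b"liverpool1").hexdigest(),
    "cian": hashlib.md5(b"liverpool1").hexdigest(),
    "niamh": hashlib.md5(b"correct horse battery staple").hexdigest(),
}

# Constructed wordlist standing in for a real one.
WORDLIST = [b"password", b"123456", b"liverpool1", b"dublin2026"]


def crack_unsalted_md5(store, wordlist):
    """Without a salt, one MD5 per candidate covers every account at once:
    build the table once, then look each stored hash up in it."""
    table = {hashlib.md5(word).hexdigest(): word for word in wordlist}
    return {user: table[h] for user, h in store.items() if h in table}


# Replacement scheme (scrypt stands in for bcrypt/Argon2 here, see lead-in).
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)  # roughly 16 MiB of memory per hash


def hash_password(password):
    """Salted, memory-hard hash. Equal passwords now produce different records."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return "scrypt$" + salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    scheme, salt_hex, digest_hex = stored.split("$")
    if scheme != "scrypt":
        raise ValueError("unknown hash scheme")
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            **SCRYPT_PARAMS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def login(store, user, password):
    """Verify a login, upgrading a legacy MD5 record in place on success.
    The plaintext is only available at login, so that is when the rehash
    can happen; accounts that never log in stay on MD5 and should be
    expired or force-reset after a deadline."""
    stored = store.get(user)
    if stored is None:
        return False
    if stored.startswith("scrypt$"):
        return verify_password(password, stored)
    legacy = hashlib.md5(password.encode()).hexdigest()
    if not hmac.compare_digest(legacy, stored):
        return False
    store[user] = hash_password(password)  # upgrade in place
    return True


if __name__ == "__main__":
    print("cracked from legacy store:", crack_unsalted_md5(LEGACY_USERS, WORDLIST))
    store = dict(LEGACY_USERS)
    login(store, "aoife", "liverpool1")
    login(store, "cian", "liverpool1")
    print("after migration:", crack_unsalted_md5(store, WORDLIST))
```

After the two shared-password accounts log in, their records no longer match each other and the wordlist lookup finds nothing, because each hash is salted and the work factor makes rebuilding the table per account expensive. The account that has not logged in is still on MD5, which is why the migration needs a cut-off date as well as the lazy rehash.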

Written by Shreesh, Shamrock Security
