Mini Pentest

Automation Technology: Mini Pentest of a Typo3 E-Commerce System

An 8-hour focused mini pentest of a German Typo3 online shop for automation technology (repair and sales) identified 5 security vulnerabilities in custom extensions before production launch; all findings were fixed within 2 business days.

  • Testing Time: 8h
  • Findings: 5
  • CMS: Typo3
  • Shop System: E-Commerce
  • Industry: Automation Technology
  • Service: Mini Pentest
  • Technology: Typo3 Custom Extensions
  • Duration: 8 Hours

Project Overview

A German company in the automation technology sector (part of WISAG Group) planned to launch a new Typo3-based online shop for repair services and component sales. Before going live, an 8-hour mini pentest was commissioned to check the custom extensions for security vulnerabilities.

Findings by severity:

  • 2 Medium
  • 2 Low
  • 1 Info/Logic
  • 0 Critical

Objective

The mini pentest aimed to identify critical security vulnerabilities in the custom-developed shop extensions before production launch. Focus areas included:

  • Input Validation: Testing all form fields and search parameters for injection vulnerabilities
  • Authentication & Authorization: Checking access control for user profiles and shopping carts
  • Business Logic: Validating price calculations and quantity management
  • Email Security: Testing email templates for HTML/XSS injections

Result

All 5 identified findings were fixed within 2 business days. A re-test confirmed successful implementation of security measures. The shop launched securely into production.

Context & Challenges

The company sells automation technology (repair and sales) through the new Typo3 shop. The custom extensions include:

  • Component Search with complex filter and sorting options
  • Shopping Cart System with quantity and price management
  • User Profiles with first/last name, address, and postal code
  • Email Templates for order confirmations and notifications
  • Database Integration with direct SQL queries in custom code

Why Mini Pentest?

The company wanted a quick and cost-effective security check of the most critical custom functionality before launch. An 8-hour mini pentest offered the ideal balance between depth and budget.

Staging Environment

The test was conducted on a staging environment containing production-like data. Typo3 debug mode was enabled, which provided detailed error messages.

Test Setup & Methodology

The mini pentest utilized the full 8 hours for manual security testing focused on typical e-commerce and Typo3 vulnerabilities.

Test Approach

Testing was performed from the perspective of a guest user as well as a registered user, with the goal of identifying:

  • Remote Code Execution (RCE) in custom extensions
  • SQL Injection via search parameters and form fields
  • Cross-Site Scripting (XSS) - Reflected, Stored, and Blind XSS
  • Insecure Direct Object Reference (IDOR) when accessing shopping carts
  • Business Logic Bugs in price and quantity management
  • Email Template Injection for phishing attacks

Positive Security Baseline

The shop extension demonstrated a good security level. Best practices like CSRF protection and DTO mappings were correctly implemented. No critical vulnerabilities were found.

Tools & Techniques

Manual testing with Burp Suite, custom payloads for SQL Injection and XSS, as well as Blind XSS monitoring.

Results at a Glance

We documented 5 findings with low to medium severity. No critical vulnerabilities were found. The development team fixed all issues within two business days.

  • 2 Medium
  • 2 Low
  • 1 Info/Logic
  • 0 Critical

Fast Remediation

All vulnerabilities were fixed within 2 business days. A re-test confirmed successful implementation of all security measures.

Key Technical Insights

The identified vulnerabilities focused on typical challenges in e-commerce custom extensions.

Input Validation

Missing validation of search parameters enabled manipulation of database queries. Potential for data exfiltration.

Output Encoding

Unfiltered output of user inputs in search and profile views. Risk of session hijacking via crafted URLs.

Email Security

Unsecured template integration of form fields. Potential for Blind XSS in admin webmail clients.

Business Logic

Missing server-side validation for shopping cart quantities led to unexpected system behavior.

Business Impact Without Fix

Potential consequences ranged from data exfiltration and session hijacking to phishing attacks via manipulated emails.

Business Impact & Value

The mini pentest provided a clear security status in 8 hours before go-live and prevented potential security incidents in the production environment.

Direct Value

  • Pre-Launch Security Baseline: Confirmation that no critical vulnerabilities exist
  • Focused Findings: Clear prioritization of the 5 findings for quick remediation
  • Cost-Effective: 8-hour package ideal for budget-conscious pre-launch tests
  • Fast Implementation: All findings were fixed within 2 business days

Prevented Risks

Without the test, the following scenarios would have been possible:

Data Exfiltration

Potential SQL Injection could have enabled complete database access upon successful exploitation (customer data, orders, passwords).

Session Hijacking

Reflected XSS enables theft of admin sessions via crafted URLs (phishing attacks).

Phishing via Email

HTML Injection in email templates enables manipulation of confirmation emails for phishing.

Reputation Damage

Security incidents shortly after launch would have damaged the trust of B2B customers.

Successful Remediation

All 5 findings were fixed by the development team within 2 business days. A re-test confirmed successful implementation of security measures. The shop went into production securely.

Lessons Learned & Next Steps

This engagement demonstrated that custom e-commerce systems can achieve a high security level when security testing is integrated before launch.

Recommendations for the Roadmap

  • Input Validation & Output Encoding: Strict filtering of all user inputs and consistent escaping of outputs in frontend, backend, and emails.
  • Security Hardening for Production: Disable debug modes, use prepared statements, implement security headers (CSP, HSTS).
  • Regular Mini Pentests: After feature releases and custom extension updates - especially for changes to authentication or database integration.
  • Security Awareness in Dev Team: Training on OWASP Top 10 and CMS-specific risks for sustainable improvement of code quality.
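The following is an added illustration, not code from the shop's extensions or from DSecured: it shows the "direct SQL in custom code" pattern from the Key Technical Insights next to the hardened form the Recommendations call for (bound parameters, an allow-listed sort column, and a server-side cart quantity check). It assumes TYPO3 v12 and a hypothetical table tx_shop_domain_model_component.

```php
<?php
declare(strict_types=1);
// Hypothetical code, not the shop's extension. Assumes TYPO3 v12 and a
// hypothetical table tx_shop_domain_model_component with "title" and "price" columns.
use TYPO3\CMS\Core\Database\ConnectionPool;
use TYPO3\CMS\Core\Utility\GeneralUtility;

final class ComponentSearch
{
    private const TABLE = 'tx_shop_domain_model_component';
    // Sort columns cannot be bound as query parameters, so they come from an allow-list.
    private const SORTABLE = ['title' => 'title', 'price' => 'price'];

    /** "Before" pattern: search term and sort column are concatenated into raw SQL. */
    public function searchUnsafe(string $term, string $sort): array
    {
        $conn = GeneralUtility::makeInstance(ConnectionPool::class)->getConnectionForTable(self::TABLE);
        $sql = 'SELECT uid, title, price FROM ' . self::TABLE . " WHERE title LIKE '%" . $term . "%' ORDER BY " . $sort;
        return $conn->executeQuery($sql)->fetchAllAssociative();
    }

    /** Hardened version: bound parameter for the term, allow-listed sort column, capped result size. */
    public function searchSafe(string $term, string $sort): array
    {
        $qb = GeneralUtility::makeInstance(ConnectionPool::class)->getQueryBuilderForTable(self::TABLE);
        return $qb->select('uid', 'title', 'price')->from(self::TABLE)
            ->where($qb->expr()->like('title', $qb->createNamedParameter('%' . $qb->escapeLikeWildcards($term) . '%')))
            ->orderBy(self::SORTABLE[$sort] ?? 'title')
            ->setMaxResults(100)
            ->executeQuery()
            ->fetchAllAssociative();
    }
}

/** Server-side cart quantity check: the value posted by the browser is never trusted. */
function normalizeQuantity(mixed $raw, int $maxPerLine = 999): int
{
    // Reject floats, negative numbers, and anything that is not a short digit string.
    if ((!is_int($raw) && !is_string($raw)) || !preg_match('/^\d{1,4}\z/', (string)$raw)) {
        throw new \InvalidArgumentException('Quantity must be a positive whole number');
    }
    $qty = (int)$raw;
    if ($qty < 1 || $qty > $maxPerLine) {
        throw new \InvalidArgumentException('Quantity out of range');
    }
    return $qty;
}
```

Fluid templates escape output by default, which covers the frontend views; for email bodies assembled outside Fluid, pass profile fields through htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8') before inserting them into the template.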

Typo3 Relaunch or New Custom Extensions?

We support you with focused mini pentests starting from 8 hours for fast pre-launch security checks. Contact us for a no-obligation consultation.

Contact DSecured