
If you are a WeChat mini-program developer, WeTest penetration testing is a must

Published Jul 04, 2024

penetration testing

Imagine a world where your online shopping WeChat mini-program is not only user-friendly but also secure from potential threats. In this success story, we reveal how WeTest's penetration testing service transformed a renowned company's mini-program by identifying and addressing 8 security risks, including high-stakes vulnerabilities such as the "free purchase" economic loss risk and the employee privacy information leakage risk. Our security experts delivered a detailed vulnerability report and a comprehensive security reinforcement plan. The result? After regression testing, all medium- and high-risk issues were resolved, reducing the overall security risk level of the mini-program to low. Dive in to learn more about this security makeover!

About the Customer

The client is a well-known retail company with an online shopping mini program focusing on providing innovative digital solutions and personalized shopping experiences. The client realized that their mini program was facing various potential cyberattacks and data leakage risks. To protect their business and the interests of their clients, they decided to conduct a comprehensive security penetration test to evaluate the security risks and reinforcement plans of the mini program system.

Business Pain Points

  • Lack of security capabilities in internal technical personnel: The client's in-house technical development personnel are relatively unfamiliar with security testing and do not have a deep understanding of various penetration tools and testing methods. They also lack experience and knowledge of common system and business vulnerabilities in the industry, making it difficult for them to conduct a comprehensive system penetration test on their own, which could potentially overlook security vulnerabilities.
  • High cost of security tools and learning: Market security tools and security policies iterate quickly, and different tools focus on different types of vulnerabilities. With the growth of the black and gray markets, various capabilities are also being updated at all times. If internal development personnel were to start learning immediately, both time and financial costs would be significant.
  • Business blind spots due to self-development: Internal employees have a good understanding of the mini program system and inherent knowledge of their business. However, this high level of understanding may lead to blind spots in detection and penetration testing.

WeTest Solution

  • Professional hacker mindset and adaptive methods: WeTest's penetration experts conducted static and dynamic manual penetration testing on the client's mini program, focusing on general web security, server system security, service component security, program code security, business logic security, and other aspects. This aimed to obtain security risks in the mini program's data usage, user data input, storage processing, network transmission, and system environment, providing a professional and reliable basis for mini program security reinforcement.
  • Customized inspection items for retail business: WeTest leveraged its experience in retail/online shopping mini programs' business vulnerabilities and customized 92 inspection items for the client's mini program and key business processes, including baseline inspection, data validation, data transmission, authorization, authentication, and session management.
  • Reverse analysis from a business development perspective: WeTest's security team reverse-engineered the mini program and analyzed the program's business logic from a developer's perspective. This allowed them to deeply study the internal logic and implementation details of the application, discovering potential vulnerabilities and security issues. By analyzing the source code, they could identify potential input validation deficiencies, buffer overflows, authentication issues, etc., which might not be discovered through traditional black-box testing methods.
  • Advanced attacks and vulnerability exploitation: WeTest's security team has extensive penetration testing skills and experience and has demonstrated excellent capabilities in advanced attacks and vulnerability exploitation. By deeply understanding the internal workings and logic of the target system, they were able to develop customized attack tools and exploit code to verify the system's security, such as discovering two security vulnerabilities of 0 yuan purchase of gifts through reverse engineering, guessing, and combining multiple security risks.
  • Clear and detailed penetration test report and interpretation: WeTest's security team provided a detailed test report and repair suggestions, and explained the principles, exploitation methods, risks, and repair suggestions for each security risk to the client through remote meetings. They are committed to helping clients improve the security of their programs and data assets.

Business Results

After a comprehensive security assessment, WeTest's penetration testing team rated the client's online shopping mini program as high risk.
We discovered 8 security risks in the test results: 2 high-risk, 5 medium-risk, and 1 low-risk.

Some examples are as follows:
  1. Order interface: free-purchase ("free riding") risk
  2. Shopping cart interface: free-purchase ("free riding") risk
  3. Bypassing front-end restrictions to add an excessive quantity to the shopping cart

WeTest provided corresponding solutions for the vulnerabilities in the mini-program.

Some examples are as follows:
  1. For Vulnerability 1: WeTest's security team found that the shopping cart interface's parameter verification was not strict, allowing users to bypass the restriction that gifts cannot be added to the shopping cart and to purchase gifts for 0 yuan, causing significant economic losses. Repair suggestion: strengthen the server-side parameter verification logic and prohibit gift IDs from being added to the shopping cart as product IDs.
  2. For Vulnerability 2: WeTest's security team cracked the encryption method of the order interface and found that, by forging data, gifts could be purchased directly for 0 yuan. Repair suggestion: increase the complexity of the signature method, and have the order interface verify the scenario where only gifts are present and products are empty.
  3. For Vulnerability 3: WeTest's security team discovered a crawler vulnerability by reverse engineering and forging the mini program's request token, which allowed product information to be crawled. Repair suggestion: harden the mini program's source code to increase the difficulty of reverse engineering, or move the token generation logic to the server side.

Customer Testimonial

"In the online shopping mini program we developed, the WeTest team discovered and helped fix system vulnerabilities that could potentially lead to significant economic losses and user data leaks. We sincerely thank the professional team at WeTest for their efforts and expertise in providing important security guarantees for our system. In the future, we will continue to focus on the security of our applications, conduct regular inspections, and carry out point-to-point reinforcement."

Conclusion

Don't wait any longer to safeguard your digital assets and ensure a secure environment for your customers. Experience the power of WeTest's penetration testing service and join the ranks of satisfied clients.

Click the link to get started → WeTest - Penetration Testing.

Secure your future with WeTest Global today!
