https://stackoverflow.com/questions/13933408
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianAFAIK, and from my poor testing (and because I know how the OC is written), I could say, that base OC (without any 3rd party extensions) is safe from:
- broken access control
- all user input is validated, thus safe from SQL or other injection
- XSS
- insecure cryptographic storage - OC does not store any sensitive data and default online payment options are processed via SSL
- DoS (indirectly - nowadays server firewalls distinguish a DoS attack and block the communication from that IPs)
- insecure direct object references (only allowed types of resources could be uploaded and downloaded unless direct access to an FTP)
- security misconfiguration - OC config files are not accessible, users should keep their stores up to date themselves...
What I did not check/encounter so far:
- Buffer overflow due to a foreign language (different encoding set) input
Weaker points (not defects!):
- OC frontend is not well protected against CSRF, backend is
- session management - problem with possibility of decrypting the session information is the same as over the 95% of web applications
- until directly set/unset, OC will report and display any error message that may occur that helps an attacker to easily find possible exploits...
From my view, OC is very well safe-written open source e-commerce solution! (Unless compromited with a poorly written extensions...)
