OpenCart Site Security Audit
OpenCart is a frequent attack target because of its popularity and its predictable admin panel path. Main vectors: outdated extensions with known vulnerabilities, weak passwords, an unprotected admin path, and an exposed phpMyAdmin.
Scanning Tools
# Directory scanning
ffuf -w /usr/share/wordlists/dirb/common.txt -u https://shop.com/FUZZ -mc 200,301
# Check headers
curl -I https://shop.com/ | grep -i "x-powered\|server\|x-content\|x-frame"
# SSL configuration
testssl.sh --fast https://shop.com/
Checklist
Admin Panel Path:
Default: /admin/ — first thing bots check
Change in admin/config.php:
// rename the admin/ directory to the new name as well, and update HTTPS_SERVER
// and DIR_APPLICATION in the same file; otherwise /admin/ keeps working
define('HTTP_SERVER', 'https://shop.com/my_secret_admin_path/');
# Nginx: restrict admin access by IP (use the renamed path here if you changed it)
location /admin {
allow 1.2.3.4;
deny all;
}
Files to Delete:
# Must delete after installation
rm -rf /var/www/shop.com/install/
ls /var/www/shop.com/install/ # should not exist
# Close phpinfo if exists
find /var/www/shop.com -name "phpinfo.php" -type f -delete
File Permissions:
# both config files hold the database credentials
find /var/www/shop.com -name "config.php" -type f
stat /var/www/shop.com/config.php /var/www/shop.com/admin/config.php
# 644 maximum, better 444
# PHP in upload directory
find /var/www/shop.com/image/ -name "*.php"
find /var/www/shop.com/system/storage/upload/ -name "*.php"
# Forbid PHP in upload directories
location ~* /image/.*\.(php|phtml)$ { deny all; }
location ~* /system/storage/upload/.*\.(php|phtml)$ { deny all; }
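The file-system items of this checklist (install/ removed, no phpinfo.php, config.php not writable beyond owner, no PHP in the upload directories) as one script, added here as an example and not code from the original page; the document root is passed as a parameter and the demo tree at the bottom is constructed, not a real shop.

```shell
#!/bin/sh
# Added example, not code from the original page. Runs the file-system items
# of the checklist above against one OpenCart document root ($1, an assumed
# parameter), prints one "FINDING:" line per problem and returns the count.

# flag LABEL LISTFILE: one FINDING line per path in LISTFILE; adds the line
# count to the global $n (no subshell, so the counter survives).
flag() {
  sed "s|^|FINDING: $1: |" "$2"
  n=$((n + $(wc -l < "$2")))
}

# audit_opencart_root ROOT: exit status = number of findings (0 = clean)
audit_opencart_root() {
  root=$1; n=0; lst=$(mktemp)
  # 1. install/ must be removed after installation
  if [ -d "$root/install" ]; then
    echo "FINDING: installer still present: $root/install"; n=$((n + 1))
  fi
  # 2. no phpinfo.php anywhere under the root
  find "$root" -type f -name phpinfo.php > "$lst"
  flag "phpinfo exposed" "$lst"
  # 3. config.php writable by group or others (644 is the maximum, 444 is
  #    better); -perm -020 / -002 are POSIX find, not GNU-only
  : > "$lst"
  for c in "$root/config.php" "$root/admin/config.php"; do
    [ -f "$c" ] && find "$c" \( -perm -020 -o -perm -002 \) >> "$lst"
  done
  flag "config writable beyond owner" "$lst"
  # 4. PHP files inside the upload directories the Nginx rules above deny
  : > "$lst"
  for d in "$root/image" "$root/system/storage/upload"; do
    [ -d "$d" ] && find "$d" -type f \( -name '*.php' -o -name '*.phtml' \) >> "$lst"
  done
  flag "PHP in upload dir" "$lst"
  rm -f "$lst"
  return "$n"
}

# Demo on a constructed tree (not a real shop): every check fires once.
demo=$(mktemp -d)
mkdir -p "$demo/install" "$demo/image/catalog" "$demo/system/storage/upload"
echo '<?php' > "$demo/config.php"; chmod 666 "$demo/config.php"
echo '<?php' > "$demo/image/catalog/uploaded.php"
echo '<?php phpinfo();' > "$demo/phpinfo.php"
rc=0; audit_opencart_root "$demo" || rc=$?
echo "findings: $rc"   # 4
rm -rf "$demo"
```

Run it from cron against the real document root and alert on a non-zero exit status.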
OpenCart Version and Extensions:
# Version constant (defined in index.php in 2.x/3.x, in system/startup.php in 4.x)
grep "define('VERSION'" /var/www/shop.com/index.php /var/www/shop.com/system/startup.php 2>/dev/null
# Latest release: github.com/opencart/opencart/releases
Check Extensions for CVE: Search in vulnerability database: https://nvd.nist.gov/vuln/search?query=opencart
SQL Injection Protection in Custom Extensions:
// Unsafe (common error in old extensions): $_GET['sku'] goes straight into the query
$result = $this->db->query("SELECT * FROM " . DB_PREFIX . "product WHERE sku = '" . $_GET['sku'] . "'");
// Correct: escape string values with the OpenCart DB wrapper; escape() only
// protects values inside quotes, so cast numeric input with (int) instead
$sku = $this->db->escape($_GET['sku']);
$result = $this->db->query("SELECT * FROM " . DB_PREFIX . "product WHERE sku = '" . $sku . "'");
CSRF Protection: OpenCart uses tokens in forms. Custom forms without tokens are vulnerable:
// Token validation in custom controller (session key is 'token' in 2.x, 'user_token' in 3.x admin);
// check that the posted token exists before comparing, and compare in constant time
if (!isset($this->session->data['token'], $this->request->post['token'])
    || !hash_equals($this->session->data['token'], (string)$this->request->post['token'])) {
    $this->response->addHeader('Content-Type: application/json');
    $this->response->setOutput(json_encode(['error' => 'CSRF token mismatch']));
    return;
}
Two-Factor Authentication: Install "2 Factor Authentication for OpenCart" extension from Marketplace.
Regular Backups: the Admin → System → Settings → Backup/Restore button is a manual backup only. For automatic backups use cron + mysqldump.
File Change Monitoring
# Record hashes of all PHP files (one dated file per run)
find /var/www/shop.com -name "*.php" -exec md5sum {} \; > /backups/checksums-$(date +%Y%m%d).txt
# Compare with the previous day's file
diff /backups/checksums-$(date -d yesterday +%Y%m%d).txt /backups/checksums-$(date +%Y%m%d).txt
# Every differing line is a modified, added or removed PHP file: investigate it
Timeline
OpenCart site security audit with report — 1 day.