Your e-commerce app is preparing for launch. Run a complete security sweep before going live.
โฑ ~20 min ยท Hands-on
Your e-commerce application handles user accounts, payment processing, and order management. Launch is scheduled in two weeks. Before going live, the team must perform a comprehensive security audit to identify and remediate vulnerabilities. No critical or high-severity findings are allowed at launch.
Before scanning for specific vulnerabilities, understand what you're protecting and how it could be attacked. STRIDE gives you a systematic framework.
/agile-security-threat-modelAssets Identified:
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
1. User data (PII, emails, addresses)
2. Payment information (card tokens, billing)
3. Session tokens (JWT, cookies)
4. Admin panel access
5. Order history and transaction logsAttack Surfaces:
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
๐ Login endpoint POST /api/auth/login
๐ Public API GET/POST /api/products, /api/orders
๐ก๏ธ Admin panel GET /admin/* (role-gated)
๐ณ Payment gateway POST /api/checkout/pay
๐ฆ File uploads POST /api/users/avatarApply STRIDE to each surface:
STRIDE โ POST /api/auth/login
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
S โ Spoofing: Credential stuffing, brute force
T โ Tampering: Manipulated login payloads
R โ Repudiation: No audit log of failed attempts
I โ Info Disclosure: Error messages reveal user existence
D โ Denial of Service: No rate limiting on login
E โ Elevation: SQL injection in username fieldRisk Matrix โ Pre-Launch
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Threat Likelihood Impact Risk
SQL injection High Critical ๐ด S0
Missing rate limiting High High ๐ S1
Session token in URL Medium High ๐ S1
Verbose error messages Medium Medium ๐ก S2
Missing audit logs Low Medium ๐ต S3
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโNow scan the application against the OWASP Top 10 โ the industry standard checklist for web application security.
/agile-security-auditOWASP Top 10 Audit โ e-commerce-app
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
A01: Broken Access Control ........ โ
PASS
A02: Cryptographic Failures ....... โ
PASS
A03: Injection .................... โ FAIL
A04: Insecure Design .............. โ
PASS
A05: Security Misconfiguration .... โ ๏ธ WARNING
A06: Vulnerable Components ........ โ FAIL (see scan)
A07: Auth Failures ................ โ ๏ธ WARNING
A08: Data Integrity Failures ...... โ
PASS
A09: Logging Failures ............. โ ๏ธ WARNING
A10: SSRF ......................... โ
PASS
Findings:
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
๐ด S0 โ SQL injection in search query
Location: src/api/products/search.controller.ts:47
Detail: User input concatenated directly into SQL query
Fix: Use parameterized queries
๐ S1 โ Session tokens exposed in URL parameters
Location: src/middleware/auth.ts:23
Detail: JWT passed as ?token= query param, logged by proxies
Fix: Move token to Authorization header or HttpOnly cookie
๐ก S2 โ Missing rate limiting on login endpoint
Location: src/api/auth/login.controller.ts
Detail: No throttle โ allows unlimited login attempts
Fix: Add rate limiter (e.g., 5 attempts per minute)
๐ต S3 โ Verbose error messages in production
Location: src/middleware/errorHandler.ts:12
Detail: Stack traces and internal paths exposed in 500 errors
Fix: Return generic error message in production mode๐ด S0 (Critical) and ๐ S1 (High) findings block the launch. These must be remediated and verified before going live. No exceptions.
Third-party packages are a common attack vector. Scan all dependencies for known CVEs.
/agile-security-scanDependency CVE Scan โ e-commerce-app
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Packages scanned: 134
Vulnerabilities found: 3
๐ด Critical โ jsonwebtoken@8.5.1
CVE-2022-23529: Insecure key retrieval
Fix: upgrade to jsonwebtoken@9.0.0+
๐ก Medium โ lodash@4.17.20
CVE-2021-23337: Prototype pollution in zipObjectDeep
Fix: upgrade to lodash@4.17.21
๐ก Medium โ lodash@4.17.20
CVE-2020-28500: ReDoS in trim/trimEnd
Fix: upgrade to lodash@4.17.21
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Action Required: 1 critical, 2 medium vulnerabilitiesThe jsonwebtoken package handles authentication tokens. A critical CVE here means an attacker could forge valid tokens. Upgrade immediately.
Run a security-focused review on the authentication and authorization code โ the highest-risk area of the application.
/agile-security-reviewSecurity Code Review โ Auth Module
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
File: src/api/auth/login.controller.ts
โ Line 22: Input not validated before use
โ Add Zod/Joi schema validation for email and password
โ Line 35: Password compared with == instead of ===
โ Use timing-safe comparison (crypto.timingSafeEqual)
File: src/config/app.config.ts
โ Line 8: JWT_SECRET hardcoded as "supersecret123"
โ Move to environment variable, use strong random secret
File: src/middleware/cors.ts
โ ๏ธ Line 5: CORS allows origin "*"
โ Restrict to known frontend domains
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Critical: 3 | Warning: 1Consolidate every finding from the audit, scan, and review. Classify what blocks launch vs. what can wait.
Launch Blockers (must fix NOW):
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
๐ด S0 SQL injection in product search
๐ด CVE jsonwebtoken critical vulnerability
๐ S1 Session tokens exposed in URL
๐ Hardcoded JWT secret
๐ Missing input validation in auth
Post-Launch (track as tech debt):
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
๐ก S2 Missing rate limiting on login
๐ก lodash prototype pollution (2 CVEs)
๐ก CORS wildcard origin
๐ต S3 Verbose error messages in productionWrite security tests first, then fix the code. This ensures the vulnerability cannot regress.
/agile-code-tdd// test/security/sql-injection.test.ts
describe("SQL Injection Prevention", () => {
it("rejects SQL in search query", async () => {
const res = await request(app)
.get("/api/products/search")
.query({ q: "'; DROP TABLE products;--" });
expect(res.status).toBe(400);
expect(res.body.results).toBeUndefined();
});
it("sanitizes special characters in search", async () => {
const res = await request(app)
.get("/api/products/search")
.query({ q: "shirt' OR '1'='1" });
expect(res.status).toBe(200);
expect(res.body.results).toHaveLength(0);
});
});
// test/security/auth-tokens.test.ts
describe("Token Security", () => {
it("rejects tokens passed as URL params", async () => {
const res = await request(app)
.get("/api/orders?token=valid.jwt.here");
expect(res.status).toBe(401);
});
it("accepts tokens in Authorization header", async () => {
const res = await request(app)
.get("/api/orders")
.set("Authorization", "Bearer valid.jwt.here");
expect(res.status).toBe(200);
});
});Tests: 4 failing โ (expected โ RED phase)// src/api/products/search.controller.ts โ FIXED
const results = await db.query(
"SELECT * FROM products WHERE name ILIKE $1",
[`%${sanitize(query)}%`] // parameterized query
);
// src/middleware/auth.ts โ FIXED
// Removed: const token = req.query.token
const token = req.headers.authorization?.replace("Bearer ", "");
// src/config/app.config.ts โ FIXED
const JWT_SECRET = process.env.JWT_SECRET;
if (!JWT_SECRET) throw new Error("JWT_SECRET must be set");Tests: 4 passing โ
(GREEN phase)Upgrade the vulnerable dependency:
npm install jsonwebtoken@9.0.2
npm install lodash@4.17.21Run the full pipeline and security scans again. Every blocker must be resolved.
/agile-code-ciCI Pipeline โ security-fixes
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Build .................. โ
PASS
Unit Tests ............. โ
156/156 passing
Integration Tests ...... โ
28/28 passing
Security Tests ......... โ
4/4 passing (new)
Lint ................... โ
0 issues
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Result: โ
ALL CHECKS PASSED/agile-security-scanDependency CVE Scan โ re-scan
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Packages scanned: 134
Vulnerabilities found: 0
โ
CLEAN โ no known vulnerabilities/agile-security-auditRe-Audit Results:
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
๐ด S0 SQL injection ............ โ
RESOLVED
๐ด CVE jsonwebtoken ............. โ
RESOLVED
๐ S1 Token in URL ............. โ
RESOLVED
๐ Hardcoded secret ......... โ
RESOLVED
๐ Missing input validation . โ
RESOLVED
Launch Blockers Remaining: 0
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ
CLEAR FOR LAUNCHEvery ๐ด S0 and ๐ S1 finding has been fixed and verified. The application is clear for launch.
The ๐ก S2 and ๐ต S3 findings don't block launch, but they must not be forgotten. Create stories for the next sprint.
Sprint Backlog โ Next Sprint:
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
๐ SEC-001: Add rate limiting to login endpoint (๐ก S2)
AC: Max 5 attempts per IP per minute, lockout after 10
๐ SEC-002: Restrict CORS to known domains (๐ก S2)
AC: Only frontend.example.com allowed
๐ SEC-003: Sanitize error messages in production (๐ต S3)
AC: No stack traces or file paths in error responses/agile-security-threat-model โ STRIDE analysis to identify assets and attack surfaces/agile-security-audit โ OWASP Top 10 scan with severity-classified findings/agile-security-scan โ dependency CVE check to catch vulnerable packages/agile-security-review โ focused security code review on high-risk modules/agile-code-tdd โ writing security tests before fixing vulnerabilitiesWhich findings block a launch?