At a Glance
- Industry: E-Commerce & Retail
- Engagement type: Web Application Penetration Test
- Tech stack: React frontend, Node.js + Java microservices, PostgreSQL + Redis, AWS infrastructure, Razorpay + Cashfree payment integrations, Salesforce CRM
- Outcome: All critical and high-severity findings remediated and re-tested with no critical issues remaining at close.
- Delivered by: ISO/IEC 27001:2022 certified consultants with OSCP, OSEP, CISA, CISM credentials.
Client Overview
Product: D2C e-commerce platform with payment, loyalty and inventory modules
The client is a fast-growing Indian D2C e-commerce brand with 1.2M active customers, INR 240 crore annual GMV and 600K SKUs across home goods, electronics and apparel. Annual transaction volume tripled in the prior 12 months.
Challenge
Three factors drove the urgency of this engagement:
- PCI DSS 4.0 compliance. The payment aggregator partnership required a current penetration test for a Level 2 merchant, aligned with PCI DSS 4.0 (Requirement 11.4, penetration testing)
- Coupon abuse incidents. Three confirmed coupon-fraud incidents in the prior quarter cost the business INR 47 lakh in revenue leakage
- Mobile + web parity. Major UX changes had shipped to both web and mobile with limited security review of the new checkout flow
Our Approach
Codesecure delivered a structured engagement combining automated coverage with deep manual testing focused on the specific risk areas for this client.
Scope of Testing
The engagement covered the following primary areas:
- OWASP Top 10 coverage of every authenticated and unauthenticated endpoint
- Payment flow analysis including price manipulation, race conditions and refund abuse
- Coupon and loyalty program testing for unauthorized redemption and stacking abuse
- Order workflow business logic testing covering cart, checkout, returns and refunds
- OWASP API Top 10 coverage of REST endpoints used by the mobile app
- Session management, JWT and OAuth integration security review
- Admin panel privilege escalation and role boundary testing
Reporting & Walkthrough
Executive summary delivered alongside a technical report containing reproducible PoC steps, CVSS v3.1 severity scoring and developer-actionable remediation guidance. Live walkthrough with the client team covered every critical finding with reproduction and recommended fix path.
Results
Critical Findings
- Price manipulation via race condition in cart update API allowing INR 1,00,000 items to be purchased for INR 1
- Coupon stacking flaw enabling unlimited coupons on a single order, the same vector behind earlier fraud incidents
- IDOR in order detail endpoint allowing any user to view any other user's order data including shipping addresses
High & Medium Severity
- Insecure deserialization in a legacy session handler
- No rate limit on the password-reset endpoint, enabling account enumeration
- Weak JWT signing key from non-production environments reused in production
- Admin login exposed on a non-standard port
- Verbose error messages disclosing internal service names
Before vs. After
Before Engagement
- Price manipulation via race condition
- Unlimited coupon stacking
- IDOR exposing all customer orders
- 3 fraud incidents costing INR 47 lakh
- PCI DSS Level 2 evidence stale
- Coupon abuse undetected for weeks
After Remediation
- Atomic cart pricing with server-side enforcement
- Single-use coupon validation with audit log
- Object-level authorization on every endpoint
- Zero fraud incidents in 90 days post-fix
- Clean PCI DSS Level 2 assessment
- Real-time fraud detection on coupon flows
"We had been losing money to coupon abuse for months without knowing why. Codesecure not only found the flaw, they reproduced the exploit pattern matching our actual fraud incidents. The fix took two days. We saved that quarter."
Anonymous, VP Engineering, Indian D2C e-commerce brand
Key Lessons
What Other Teams Can Take Away
- Business logic flaws are the real cost. Coupon abuse, refund manipulation and price race conditions do not map to a scanner-detectable OWASP Top 10 category (at most A04:2021 Insecure Design), yet they cost real revenue daily.
- Race conditions are exploitable, not theoretical. HTTP/2 single-packet tooling (Burp Suite's Turbo Intruder, or Repeater's send-group-in-parallel) lands dozens of requests inside the same server-side window; test cart, payment, coupon and inventory operations for atomicity.
- IDOR remains the top e-commerce risk. Broken access control heads the OWASP Top 10 (A01:2021) and IDOR is its most common form. Enforce server-side object-level authorization on every endpoint, no exceptions, and test exhaustively across every user role.
- PCI DSS scope reduction pays off. Tokenization and hosted payment pages dramatically reduce the cost and complexity of PCI DSS 4.0 compliance.
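The object-level authorization lesson above, as an added example that is not Codesecure's or the client's code: the order-detail endpoint from the IDOR finding as a vulnerable handler next to a hardened one, plus the enumeration sweep a tester runs to prove the flaw. Request and response objects are simplified Express-style stand-ins; users, roles and order records are constructed for the demo.

```javascript
// Added example (not code from Codesecure or the client). Orders, users and
// roles are constructed sample data.
const ORDERS = {
  1001: { id: 1001, userId: 'u1', total: 1999, shipTo: 'u1 home address' },
  1002: { id: 1002, userId: 'u2', total: 54999, shipTo: 'u2 home address' },
  1003: { id: 1003, userId: 'u3', total: 799, shipTo: 'u3 office address' },
};
const CUSTOMER_A = { id: 'u1', role: 'customer' };
const ADMIN = { id: 'a1', role: 'admin' };

// VULNERABLE: the caller is authenticated, but the lookup is keyed only on the
// id the client supplied, so any logged-in user can walk every order.
// Equivalent to: SELECT * FROM orders WHERE id = $1
function getOrderVulnerable(req) {
  const order = ORDERS[req.params.id];
  if (!order) return { status: 404, body: { error: 'not found' } };
  return { status: 200, body: order };
}

// One ownership/role rule shared by every order route. Admin is the only role
// allowed to cross the customer boundary.
function canAccessOrder(user, order) {
  if (user.role === 'admin') return true;
  return order.userId === user.id;
}

// HARDENED: authorization is bound to the object, not the route, and a foreign
// order is indistinguishable from a missing one (404 for both), so the response
// cannot be used to confirm which ids exist.
// Equivalent to: SELECT * FROM orders WHERE id = $1 AND user_id = $2
function getOrderHardened(req) {
  const id = Number(req.params.id);
  const order = Number.isInteger(id) ? ORDERS[id] : undefined;
  if (!order || !canAccessOrder(req.user, order)) {
    return { status: 404, body: { error: 'not found' } };
  }
  return { status: 200, body: order };
}

// Tester's check: as one customer, request a range of ids and count the orders
// returned that belong to someone else. Anything above zero is an IDOR.
function countForeignOrdersLeaked(handler, user, ids) {
  let leaked = 0;
  for (const id of ids) {
    const res = handler({ params: { id: String(id) }, user });
    if (res.status === 200 && res.body.userId !== user.id) leaked += 1;
  }
  return leaked;
}
```

Run `countForeignOrdersLeaked(getOrderVulnerable, CUSTOMER_A, [1000, 1001, 1002, 1003])` and it returns 2 (orders 1002 and 1003 leak, including shipping addresses); the hardened handler returns 0 for the same sweep while still serving the customer's own order 1001 and letting the admin role read any order. The sweep is the same test a pentester runs against every role in scope, which is why the authorization decision belongs in one function reused by every route rather than in per-endpoint checks that are easy to forget.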
Conclusion
E-commerce platforms balance feature velocity with security, often losing the latter. Race conditions, business logic flaws and IDOR remain the dominant attack surface, and they cost real money in fraud and lost revenue. Codesecure's combined OWASP + business logic testing surfaced exactly the vulnerabilities the client's actual fraud incidents had been exploiting.
For Indian e-commerce, fintech and D2C brands, application VAPT belongs on a recurring schedule: PCI DSS 4.0 requires penetration testing at least annually and after significant changes, and a quarterly cadence keeps pace with the release velocity of most platforms. Codesecure delivers OWASP-aligned testing with payment flow and business logic depth, mapped to PCI DSS 4.0 and DPDP Act controls, typically completing in 1-2 weeks.
Want Outcomes Like These?
Codesecure is an ISO/IEC 27001:2022 certified cybersecurity firm. We deliver fixed-price engagements with named consultants and executive-ready outcomes across India, UAE, Saudi Arabia, Australia, Singapore and Maldives.
