OWASP ASVS L2 pentest on a PCI-DSS scope e-commerce platform · 3M customers · 14 business days
A full-scope Red Team over 14 business days before Black Friday for one of Turkey's top 5 e-commerce platforms. 12 services · web + mobile + API · payment + coupon + cart + admin. PCI-DSS scope · 3M MAU · 8M card records. 3 Critical + 7 High + 12 Medium · all closed before Black Friday.
01 The Challenge
With 18 days to Black Friday the CTO requested an urgent pentest · the previous year a rival platform had suffered a card data leak. 3M active customers · 8M registered cards · a PCI-DSS scope annual audit in 6 weeks. 12 services (auth · payment · card · cart · coupon · vendor · return · search · review · stock · CMS · CRM). OWASP ASVS Level 2 mandatory · a certified QSA audit also approaching. DSET would perform a full-scope test with a hybrid methodology (automated + manual business logic).
02 DSET's Approach
Week 1 · Scope + recon
260 API endpoints · 23 subdomains (4 staging exposed) · 187 cookies · CSP/HSTS audit. Repo access for SAST + a staging environment for DAST. A threat model + attack scenarios were produced.
Week 2 · Business logic tests
Critical finding #1: staging.api.* auth bypass → production user enumeration. Critical #2: a coupon stack attack 18 coupons · -97% discount. Critical #3: viewing another user's order detail via IDOR.
Week 2 · Race condition + payment
A 200ms race condition between stock check and reserve · an arbitrage attack was proven. A currency manipulation test on the payment gateway · 1 high finding.