Security audit for e-commerce stores
E-commerce security goes beyond OWASP Top 10. The actual risks are business-logic abuse (price=0, currency switch, coupon stacking), Magecart-style payment skimmers, exposed admin panels, abandoned-cart endpoints leaking PII, and increasingly — being invisible to ChatGPT Shopping. AuditCore covers all of it in one report from $99.
The e-commerce threat model is its own thing
Generic web vulnerability scanners look for SQL injection, XSS and broken auth. E-commerce-specific attacks look different. Price manipulation: send price=0 or price=-1 in checkout. Currency switching: change to weak currencies like VND or IDR mid-flow. Coupon stacking: apply the same first-time-buyer code 50 times. Quantity tampering: order quantity=999999 or quantity=-1 (the negative gets you a refund). Workflow skip: GET /order/confirm directly without paying. None of these match the SQLi-shaped patterns scanners look for — they need targeted business-logic testing.
AuditCore's Business Logic scanner specifically probes these vectors. We auto-discover 12 checkout-path patterns + 8 confirmation-path patterns, then attempt the full e-commerce attack matrix on each. We also analyze captured POST bodies from the crawler — if your /api/checkout accepts a price field in the request body, we test what happens when price is 0, -1, 0.001, or includes JS. Findings come with reproduction steps and the exact field that's vulnerable.
Beyond business logic, e-commerce sites have unique exposure to Magecart-style attacks (payment-form skimmers injected via 3rd-party scripts), PCI-DSS-relevant security headers (specific to where card data flows), abandoned-cart endpoints leaking customer PII (email + items + sometimes payment status), and admin panels reachable from the internet (often /admin, /backend, /manage paths that should be IP-restricted).
And in 2026, e-commerce has a new SEO problem: AI shopping. ChatGPT, Perplexity and Claude increasingly drive product discovery — users ask 'recommend a hammock under $200' instead of searching Google. AuditCore's AI-Readiness Scanner specifically tests whether your store is visible to AI shopping agents — checking robots.txt rules, Schema.org Product+Offer markup, JS-only rendering issues, and the unique bot-vs-browser pricing test (some stores hide prices from AI bots via Cloudflare anti-bot rules without realizing it; the agent then records the product as 'no price found' and the recommendation goes to a competitor).
The problems we see
From hundreds of audits — the pain points that come up over and over.
Price manipulation in checkout — $0 or negative orders
Send price=0 in /checkout body. Server trusts client-side price. Order processes for $0. Common in custom checkouts; rare on Shopify but happens with custom apps.
Currency switching mid-flow
Add to cart in USD ($100), change currency to VND mid-checkout; if the server swaps the currency code without re-converting the amount, you pay 100 VND ($0.004). Common in multi-currency stores with custom currency switchers.
Coupon abuse — single-use codes applied multiple times
Race condition between coupon validation and order creation lets attackers apply the same first-time-buyer code 50x in parallel.
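The server-side checks that close the four abuses above (client-supplied price, quantity tampering, currency switch mid-flow, parallel reuse of a single-use coupon), as an added example that is not AuditCore's or any store's code. The vulnerable total is shown beside the hardened one; the catalog, FX table, discount rule and coupon codes are constructed for the example.

```python
"""Server-side checkout validation (added example, not AuditCore's or any store's code).

Shows the checks that close the business-logic holes described above:
client-supplied price, negative or huge quantity, currency switch mid-flow,
and parallel reuse of a single-use coupon. Catalog, FX table and coupon
codes are constructed for the example.
"""
import threading
from decimal import Decimal, ROUND_HALF_UP

# Constructed catalog: canonical prices in USD, keyed by SKU.
CATALOG = {"HAMMOCK-01": Decimal("149.00"), "STAKES-4PK": Decimal("12.50")}
# Constructed FX table (USD -> target). Only listed currencies are sellable.
FX_RATES = {"USD": Decimal("1"), "EUR": Decimal("0.92"), "VND": Decimal("25000")}
MAX_QTY_PER_LINE = 50
COUPON_DISCOUNT = Decimal("0.10")  # constructed rule: single-use codes give 10% off


class CheckoutError(ValueError):
    pass


def vulnerable_total(body: dict) -> Decimal:
    """The pattern the page warns about: price and quantity both come from the client."""
    return sum((Decimal(str(i["price"])) * i["qty"] for i in body["items"]), Decimal("0"))


class CouponLedger:
    """Single-use codes redeemed under a lock, so parallel requests cannot all
    pass validation before any of them records the redemption. In production
    the same property comes from a unique constraint or an atomic UPDATE."""

    def __init__(self, codes):
        self._unused = set(codes)
        self._lock = threading.Lock()

    def redeem(self, code: str) -> bool:
        with self._lock:
            if code in self._unused:
                self._unused.remove(code)
                return True
            return False


def hardened_total(body: dict, ledger: CouponLedger) -> dict:
    """Recompute the order total from server-side data only."""
    currency = body.get("currency", "USD")
    if currency not in FX_RATES:
        raise CheckoutError(f"unsupported currency {currency!r}")
    items = body.get("items") or []
    if not items:
        raise CheckoutError("empty order")
    subtotal_usd = Decimal("0")
    for line in items:
        sku = line.get("sku")
        if sku not in CATALOG:
            raise CheckoutError(f"unknown sku {sku!r}")
        qty = line.get("qty")
        # bool is a subclass of int, so exclude it explicitly; then range-check.
        if isinstance(qty, bool) or not isinstance(qty, int) or not 1 <= qty <= MAX_QTY_PER_LINE:
            raise CheckoutError(f"invalid quantity {qty!r} for {sku}")
        if "price" in line:
            # The client never supplies a price; its presence is a tampering signal.
            raise CheckoutError("price must not be supplied by the client")
        subtotal_usd += CATALOG[sku] * qty
    discount_usd = Decimal("0")
    code = body.get("coupon")
    if code is not None:
        if not ledger.redeem(code):
            raise CheckoutError("coupon invalid or already used")
        discount_usd = (subtotal_usd * COUPON_DISCOUNT).quantize(Decimal("0.01"))
    # Convert the canonical USD amount; the client's currency only selects the rate.
    total = ((subtotal_usd - discount_usd) * FX_RATES[currency]).quantize(
        Decimal("0.01"), rounding=ROUND_HALF_UP)
    if total <= 0:
        raise CheckoutError("non-positive total")
    return {"currency": currency, "total": total}


def parallel_redeem(ledger: CouponLedger, code: str, attempts: int) -> int:
    """Fire `attempts` concurrent redemptions of one code; return how many succeeded."""
    results = []
    barrier = threading.Barrier(attempts)

    def worker():
        barrier.wait()  # release all threads at once to maximise contention
        results.append(ledger.redeem(code))

    threads = [threading.Thread(target=worker) for _ in range(attempts)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)
```

The point of `parallel_redeem` is the test a store can run against its own coupon path: with the lock (or, in a real deployment, a unique constraint on the redemption row) exactly one of N simultaneous redemptions succeeds; with validation and redemption as two separate steps, all N do.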
Magecart-style payment-form skimmers
3rd-party JS injected into checkout (a compromised analytics tool or ad SDK) reads card-form values and exfiltrates them to the attacker. Affects PCI-DSS compliance.
Exposed admin panels and backend paths
/admin, /backend, /manage, /wp-admin all reachable from the internet. Brute-forced, or fingerprinted to identify the CMS version and then exploited.
Bot-vs-browser pricing breaks AI shopping
Cloudflare anti-bot rules block GPTBot/ClaudeBot from your product pages. AI sees 403 / no price; recommends a competitor. Estimated 15-30% of AI shopping traffic lost silently.
Schema.org Product/Offer missing or wrong
Without Product schema, AI agents can't extract price/availability/SKU. Your products show up as 'unknown price', users skip them in recommendations.
Abandoned-cart endpoints leaking PII
Endpoints like /api/cart/<id> or /api/checkout/abandoned often have weak authz, leaking customer email + items + payment status to anyone with a guessable cart ID.
How AuditCore helps
Every solution below maps to a specific scanner or feature in our pipeline.
Business Logic scanner — 7 attack categories
Probes price manipulation, quantity tampering, currency switching, checkout step skip, status tampering (paid_status=true), role elevation, and captured-body parameter tampering across 20 e-commerce endpoint patterns.
Magecart / 3rd-party script audit
Inventories all 3rd-party JS on your checkout pages. Flags scripts loaded from non-allow-listed domains and unsigned scripts (no SRI hash). Catches the typical Magecart entry vector.
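An inventory of the kind the audit above describes, as an added example that is not AuditCore's scanner: it collects every script tag on a checkout page, resolves relative and protocol-relative sources, skips first-party scripts, and flags external scripts from origins that are not on the store's allow-list or that carry no Subresource Integrity hash. The allow-list and the sample page are constructed for the example.

```python
"""Third-party script inventory for a checkout page (added example, not AuditCore's scanner).

Parses the page's <script> tags, resolves each src, and flags the two things the
Magecart audit looks for: scripts from origins the store has not allow-listed,
and external scripts with no Subresource Integrity hash. The allow-list and
the sample page are constructed for the example.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed: origins the store has approved to execute on checkout pages.
ALLOWED_ORIGINS = {"https://js.stripe.com", "https://cdn.example-shop.test"}


class ScriptCollector(HTMLParser):
    """Record every <script> tag's src / integrity / crossorigin attributes."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            a = dict(attrs)
            self.scripts.append({"src": a.get("src"), "integrity": a.get("integrity"),
                                 "crossorigin": a.get("crossorigin")})


def origin_of(url: str) -> str:
    u = urlparse(url)
    return f"{u.scheme}://{u.netloc}".lower()


def audit_scripts(html: str, page_url: str, allowed=ALLOWED_ORIGINS) -> list:
    """Return one finding per script that needs attention; clean scripts produce nothing."""
    parser = ScriptCollector()
    parser.feed(html)
    page_origin = origin_of(page_url)
    findings = []
    for s in parser.scripts:
        if s["src"] is None:
            findings.append({"src": None, "severity": "medium",
                             "issues": ["inline script on a card-handling page; a strict CSP would block it"]})
            continue
        src = urljoin(page_url, s["src"])  # handles relative and protocol-relative URLs
        if origin_of(src) == page_origin:
            continue  # first-party script: covered by the store's own release process
        unlisted = origin_of(src) not in allowed
        issues = []
        if unlisted:
            issues.append("origin not on the checkout allow-list")
        if not s["integrity"]:
            issues.append("no SRI integrity hash: a silent change at the CDN would run unnoticed")
        elif s["crossorigin"] is None:
            # SRI on a cross-origin script needs a CORS-enabled fetch; without the
            # crossorigin attribute the browser cannot verify the hash and refuses to run it.
            issues.append("integrity attribute without crossorigin; the script will fail to load")
        if issues:
            findings.append({"src": src, "severity": "high" if unlisted else "medium", "issues": issues})
    return findings


# Constructed checkout page used to exercise the audit (the integrity value is a placeholder).
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script>window.dataLayer = [];</script>
<script src="/static/checkout.js"></script>
<script src="https://js.stripe.com/v3/"></script>
<script src="//cdn.example-shop.test/ui.js"
        integrity="sha384-PLACEHOLDERhashPLACEHOLDERhashPLACEHOLDERhashPLACEHOLDERhash"
        crossorigin="anonymous"></script>
<script src="https://metrics.third-party.test/tag.js"></script>
</head><body></body></html>
"""
```

Severity follows the allow-list: an unlisted origin on a card-handling page is the Magecart entry vector itself, while an allow-listed script without SRI is a weaker control that still leaves a CDN compromise undetected.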
PCI-aligned security headers + SSL
Tests the headers and TLS config PCI-DSS expects on card-handling pages: HSTS, CSP for inline-script blocking, no TLS 1.0/1.1, strong cipher suites, certificate validity.
Admin panel discovery + brute-force resistance
Discovers exposed admin paths (/admin, /backend, /wp-admin, /magento-admin) via 200+ fingerprint patterns. Tests for default credentials, brute-force protection, IP allow-listing.
Bot-vs-browser pricing diff (UNIQUE)
Fetches your product page as a browser AND as ClaudeBot/GPTBot/PerplexityBot. Compares HTML — flags pages where prices/SKUs are visible to browsers but missing or different for AI bots.
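A minimal implementation of the bot-vs-browser diff described above, as an added example that is not AuditCore's code: the same URL is fetched under a browser User-Agent and under several AI-crawler User-Agents, and each bot response is compared with the browser's on status code and extracted price. The fetch uses only urllib; the comparison is exercised offline on constructed responses. The User-Agent strings are reproduced from the vendors' public documentation as I understand it and should be checked against current docs before use.

```python
"""Bot-vs-browser pricing diff (added example, not AuditCore's implementation).

Fetches one product URL under a browser user-agent and under several AI-crawler
user-agents, then compares status codes and the price each response exposes.
The comparison is also exercised offline on constructed responses.
User-agent strings are assumed from the vendors' public docs; verify them.
"""
import re
import urllib.error
import urllib.request

BROWSER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36")
AI_BOT_UAS = {
    "GPTBot": "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; GPTBot/1.0; +https://openai.com/gptbot)",
    "ClaudeBot": "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; ClaudeBot/1.0; +claudebot@anthropic.com)",
    "PerplexityBot": "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; PerplexityBot/1.0; +https://perplexity.ai/perplexitybot)",
}


def fetch_as(url: str, user_agent: str, timeout: float = 10.0):
    """GET `url` with the given User-Agent; return (status, body) even for 4xx/5xx."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def extract_price(html: str):
    """Best-effort price extraction: JSON-LD 'price', then microdata, then visible text."""
    for pattern in (r'"price"\s*:\s*"?(\d+(?:\.\d+)?)',
                    r'itemprop="price"[^>]*content="(\d+(?:\.\d+)?)"',
                    r'[$€£]\s?(\d+(?:\.\d{2})?)'):
        m = re.search(pattern, html)
        if m:
            return m.group(1)
    return None


def diff_pricing(responses: dict) -> list:
    """responses: {"browser": (status, html), "<BotName>": (status, html), ...}.
    Returns one finding per bot that is blocked, sees no price, or sees a different one."""
    b_status, b_html = responses["browser"]
    b_price = extract_price(b_html)
    findings = []
    for bot, (status, html) in responses.items():
        if bot == "browser":
            continue
        if status != 200:
            findings.append({"bot": bot, "issue": f"blocked: HTTP {status} (browser got {b_status})"})
            continue
        price = extract_price(html)
        if b_price and price is None:
            findings.append({"bot": bot, "issue": f"price hidden: browser sees {b_price}, bot sees none"})
        elif price != b_price:
            findings.append({"bot": bot, "issue": f"price differs: browser {b_price}, bot {price}"})
    return findings


def run_live(url: str) -> list:
    """Fetch `url` as the browser and each AI bot, then diff. Needs network access."""
    responses = {"browser": fetch_as(url, BROWSER_UA)}
    for bot, ua in AI_BOT_UAS.items():
        responses[bot] = fetch_as(url, ua)
    return diff_pricing(responses)


# Constructed responses standing in for a product page behind an anti-bot rule.
SAMPLE_RESPONSES = {
    "browser": (200, '<script type="application/ld+json">{"@type":"Product","offers":{"price":"89.00","priceCurrency":"USD"}}</script>'),
    "GPTBot": (403, "<h1>Access denied</h1>"),
    "ClaudeBot": (200, '<div id="app"></div><script src="/bundle.js"></script>'),  # price rendered client-side only
    "PerplexityBot": (200, '<span itemprop="price" content="89.00">$89.00</span>'),
}
```

The constructed set reproduces the three outcomes the page lists: a bot blocked outright by an anti-bot rule, a bot that gets a 200 but a JS-only shell with no price, and a bot that sees the same price as the browser and therefore raises nothing.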
Schema.org Product + Offer validation
Crawls your product pages, extracts JSON-LD, validates Product schema includes name + image + offers (price + priceCurrency + availability). Flags missing/incomplete markup that hurts AI discovery.
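The validation described above, as an added example that is not AuditCore's code: it pulls every `application/ld+json` block out of a product page, walks the JSON-LD (including `@graph` and arrays), and checks each Product for name, image and offers, and each Offer for price, priceCurrency and availability. It also reports blocks that are not valid JSON, a common cause of "no price found". The sample page is constructed for the example.

```python
"""Schema.org Product/Offer validation from page JSON-LD (added example, not AuditCore's code).

Extracts every application/ld+json block, walks it (including @graph and arrays),
and checks each Product for name, image and offers, and each Offer for price,
priceCurrency and availability. The sample page is constructed for the example.
"""
import json
from html.parser import HTMLParser

REQUIRED_PRODUCT = ("name", "image", "offers")
REQUIRED_OFFER = ("price", "priceCurrency", "availability")


class JsonLdCollector(HTMLParser):
    """Collect the raw text of every <script type="application/ld+json"> block."""

    def __init__(self):
        super().__init__()
        self.blocks = []
        self._capturing = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script" and (dict(attrs).get("type") or "").lower() == "application/ld+json":
            self._capturing, self._buf = True, []

    def handle_data(self, data):
        if self._capturing:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._capturing:
            self._capturing = False
            self.blocks.append("".join(self._buf))


def iter_nodes(node):
    """Yield every dict in a JSON-LD tree, descending into lists and @graph."""
    if isinstance(node, dict):
        yield node
        for v in node.values():
            yield from iter_nodes(v)
    elif isinstance(node, list):
        for item in node:
            yield from iter_nodes(item)


def is_type(node: dict, name: str) -> bool:
    t = node.get("@type")
    return t == name or (isinstance(t, list) and name in t)


def validate_products(html: str) -> dict:
    """Return {"products": <count>, "problems": [<human-readable issue>, ...]}."""
    parser = JsonLdCollector()
    parser.feed(html)
    problems, products = [], 0
    for i, raw in enumerate(parser.blocks):
        try:
            data = json.loads(raw)
        except json.JSONDecodeError as e:
            problems.append(f"block {i}: unparseable JSON-LD ({e.msg})")
            continue
        for node in iter_nodes(data):
            if not is_type(node, "Product"):
                continue
            products += 1
            label = node.get("name") or node.get("sku") or f"product #{products}"
            for field in REQUIRED_PRODUCT:
                if not node.get(field):
                    problems.append(f"{label}: missing Product.{field}")
            offers = node.get("offers")
            offers = offers if isinstance(offers, list) else ([offers] if offers else [])
            for offer in offers:
                if not isinstance(offer, dict):
                    problems.append(f"{label}: offers entry is not an object")
                    continue
                for field in REQUIRED_OFFER:
                    # AggregateOffer carries lowPrice/highPrice instead of a single price.
                    if field == "price" and is_type(offer, "AggregateOffer") and offer.get("lowPrice") is not None:
                        continue
                    if offer.get(field) in (None, ""):
                        problems.append(f"{label}: missing Offer.{field}")
    return {"products": products, "problems": problems}


# Constructed product page: one complete Product, one incomplete Product inside @graph,
# and one JSON-LD block with a syntax error.
SAMPLE_PRODUCT_HTML = """
<html><head>
<script type="application/ld+json">
{"@context":"https://schema.org","@type":"Product","name":"Trail Hammock","sku":"HAMMOCK-01",
 "image":"https://shop.example.test/img/hammock.jpg",
 "offers":{"@type":"Offer","price":"149.00","priceCurrency":"USD","availability":"https://schema.org/InStock"}}
</script>
<script type="application/ld+json">
{"@context":"https://schema.org","@graph":[
 {"@type":"Organization","name":"Example Outfitters"},
 {"@type":"Product","name":"Tent Stakes 4-pack","offers":{"@type":"Offer","price":"12.50"}}]}
</script>
<script type="application/ld+json">{"@type":"Product", "name": "Broken",</script>
</head></html>
"""
```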
AI-Readiness for e-commerce
Tests robots.txt access for 8 AI bots, checks for llms.txt presence, validates JS-rendering doesn't hide product info from AI agents, audits OpenGraph for share-link previews.
Cart / checkout endpoint authz testing
Multi-role replay tests cart-related endpoints across guest, logged-in customer, and admin roles. Catches the abandoned-cart-PII-leak class of bugs.
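The multi-role replay idea above, reduced to an added example that is not AuditCore's scanner: the same cart request is issued as an anonymous guest, as a different guest session, as another customer and as admin, and any role that receives the cart without owning it is reported. An in-memory store and two handlers (one with the guessable-cart-id bug from the "abandoned-cart endpoints" item, one hardened) are constructed for the example.

```python
"""Multi-role replay for cart endpoints (added example, not AuditCore's scanner).

Calls the same cart handler as guest, as another customer and as admin, and
flags any role that receives the cart without being its owner or an admin.
The in-memory store and both handlers are constructed for the example.
"""

# Constructed data: two carts, one belonging to a guest session, one to a customer.
CARTS = {
    "c-1001": {"owner": "sess-7f3a", "email": "guest@example.test", "items": ["HAMMOCK-01"], "paid": False},
    "c-1002": {"owner": "bob", "email": "bob@example.test", "items": ["STAKES-4PK"], "paid": True},
}

# Principals a replay runs under; "user" is the session id for guests, the account for customers.
ROLES = {
    "anonymous": {"role": "guest", "user": None},
    "other_guest": {"role": "guest", "user": "sess-0000"},
    "customer_bob": {"role": "customer", "user": "bob"},
    "admin": {"role": "admin", "user": "root"},
}


def vulnerable_get_cart(cart_id: str, principal: dict):
    """Looks up by id only: anyone who guesses an id gets email, items and payment status."""
    cart = CARTS.get(cart_id)
    return (200, cart) if cart else (404, None)


def hardened_get_cart(cart_id: str, principal: dict):
    """Owner or admin only; unauthorised callers get 404, not 403, so the id is not confirmed."""
    cart = CARTS.get(cart_id)
    if cart is None:
        return 404, None
    if principal["role"] == "admin" or (principal["user"] is not None and principal["user"] == cart["owner"]):
        return 200, cart
    return 404, None


def replay(handler, cart_id: str) -> list:
    """Replay the request under every role; return findings for roles that should not see the cart."""
    owner = CARTS[cart_id]["owner"]
    findings = []
    for name, principal in ROLES.items():
        status, body = handler(cart_id, principal)
        authorised = principal["role"] == "admin" or principal["user"] == owner
        if status == 200 and not authorised:
            findings.append({"role": name, "cart": cart_id,
                             "leaked_fields": sorted(k for k in body if k != "owner")})
    return findings
```

The replay needs to know the true owner of each fixture; in a scan against a real store that knowledge comes from the scanner creating the carts itself under each role before replaying them.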
Real scenarios
Scenario 1 — Custom checkout on a $5M ARR DTC brand
You're a $5M ARR DTC brand running a custom Next.js checkout (not Shopify Checkout). You're worried about price manipulation but don't have AppSec staff. AuditCore Growth ($99) covers your full checkout flow plus business-logic abuse testing — you find: discount code stacking (race condition), price field accepted in client request body, currency switch mid-flow.
Each finding has reproduction steps. Your engineering team fixes them in a sprint. Re-scan confirms the fixes. With unlimited rescans, you also schedule weekly diff scans — diff alerts catch the day a new feature regresses one of these bugs. Total spend: $99. Pentest equivalent: $5-10k.
Scenario 2 — WooCommerce store losing AI shopping traffic
Your WooCommerce store sells outdoor gear. Google Search Console shows healthy organic. But your direct-to-store referrals from ChatGPT are zero — you suspect AI agents can't see your products. AuditCore's AI-Readiness Scanner runs 8 different AI bots against your site.
Result: GPTBot and ClaudeBot get 403 from Cloudflare's Bot Fight Mode. PerplexityBot reaches the page but Schema.org Product is missing offers (no price visible to AI). Apple Applebot-Extended is blocked entirely. The fixes: Cloudflare > Bots > toggle Block AI Bots off, add WooCommerce Schema enhancement plugin (free), add Allow rules for the specific bots in robots.txt. Re-scan in 60 seconds confirms all 8 bots see your products with prices.
Scenario 3 — Shopify store with custom apps and risk surface
You're on Shopify (which handles core checkout security) but have 12 custom apps installed. Each app introduces JS, sometimes auth flows, sometimes data exposure. Your AppSec concern: which apps are leaking customer data?
AuditCore Business ($299) covers up to 500 pages including your custom Shopify app endpoints. Findings: one app's /api/customer-export endpoint accepts ?customer_id=N without authz check (BOLA — any customer's order history reachable). Another app's webhook configuration is reachable without HMAC signature validation. You file issues with both app developers; they patch in days.
Growth ($99) for sub-100 page stores · Business ($299) for full coverage
Single domain, sub-100 product pages, no mobile app: Growth at $99 covers it including business logic, Nuclei (8000+ CVEs), AI-readiness, and 50/day AI Fix quota. Larger catalog (>100 pages), mobile app, multi-tenant infrastructure, or agency white-label needs: Business at $299 unlocks full pentest stack, multi-role replay, mobile APK/IPA, and custom-branded PDF reports.
Frequently asked questions
Is AuditCore PCI-DSS certified?
AuditCore itself isn't a PCI-DSS-certified scanner provider (yet — that's a specific certification under the PCI-SSC ASV program). Our reports map findings to PCI-DSS controls and are accepted by auditors as evidence of regular vulnerability scanning under requirement 11.3. For full PCI-DSS-required ASV scanning (quarterly external scans by a certified provider), use a PCI-ASV like Trustwave or Qualys for that specific compliance need; use AuditCore for everything else.
Can AuditCore scan Shopify stores?
Yes — Shopify exposes a public storefront which we crawl like any web app. We don't have access to Shopify's internal admin (that would require Shopify Partner API integration), but we can scan the storefront, custom apps' public surfaces, and any custom code you've added via Liquid templates or theme modifications. Most Shopify-store risks are in custom apps and themes, not Shopify Core itself.
Will scans break my checkout flow?
No. We use safe scan profiles — no destructive payloads. Our business-logic scanner sends test requests but ALWAYS with our 'AuditCore-Test' user-agent header, and we don't actually complete checkout (no card processing). For high-risk endpoints (admin panels), we're rate-limited and respect Retry-After. You can rescan during business hours without affecting customers.
Do you check for Magecart specifically?
Yes — our 3rd-party JS audit identifies all external scripts loaded by checkout pages, flags scripts from non-allow-listed origins, checks for Subresource Integrity (SRI) hashes, and runs Trivy against detected JS bundle versions to find known compromised libraries. The Free Trial covers the homepage; Pro/Business covers your full checkout flow.
How does bot-vs-browser pricing testing work?
We make 8 separate HTTP requests to your product page — one as a normal browser (Chrome user-agent), seven as different AI bots (GPTBot, ClaudeBot, PerplexityBot, etc.). We compare the rendered HTML and extracted Schema.org data. If the browser sees '$89' but ClaudeBot's response is a 403 page or missing the price, we flag it as a critical AI-readiness finding with reproduction steps.
What about mobile e-commerce — your iOS / Android apps?
Business tier ($299) includes APK/IPA static analysis. We test for hardcoded API keys, weak certificate pinning, debuggable builds, exposed components, and 14 tracker SDKs commonly found in retail apps (often violating GDPR). Drag-and-drop your .apk/.ipa to /scan.
Do you cover BigCommerce / Magento / WooCommerce specifically?
Yes — our app-type detector identifies your platform on first crawl and runs platform-specific tests. WooCommerce gets the WordPress 11-test suite plus woo-specific checkout tests. Magento gets admin-path enumeration + magento-version-specific Nuclei templates. BigCommerce, Squarespace, Wix get custom-app-surface analysis. Shopify gets storefront + custom-app testing.
Can I run continuous scans without manual setup?
Yes — Scheduled Scans (Growth and Business tiers) let you set daily/weekly/monthly auto-scans. Diff alerts via email + webhook when new findings appear. Pair with the GitHub Action if you have a CI pipeline (deploys block on critical findings). For Shopify-only stores without CI, weekly scheduled scans + email alerts is the typical setup.