YouCustomizeIt
E-Commerce (Custom Products)
The Client
YouCustomizeIt is a US-based family-owned e-commerce business allowing customers to design and order fully personalised products. Founded by Narmin Parpia, the company has grown into a platform serving thousands of customers worldwide with a lean development team focused on building features and scaling the business.
The Problem
Small and mid-sized e-commerce businesses are among the most frequently targeted by cybercriminals – precisely because they often lack in-house security expertise while still storing valuable customer data. YouCustomizeIt’s platform had several characteristics that made professional penetration testing important:
- User account system – registration, login, password management, and profile data
- Custom product builder – complex user input flows vulnerable to injection attacks
- Order history and personal data – a target for data theft and account takeover
- Third-party integrations – payment processors, shipping APIs, and marketing tools
- Small development team – no dedicated security engineer to review code
The Engagement: How Bugstrix Approached the Test
The scope covered:
- Authentication and session management – login, registration, password reset, session tokens
- User input validation – all form fields, search parameters, and URL parameters
- Account authorisation – whether users could access other users’ data or orders
- API endpoints – data exposure, missing authorisation checks, parameter manipulation
- Custom product builder inputs – injection vulnerabilities in user-generated content flows
- Business logic – pricing manipulation, order abuse, and workflow bypass
Vulnerabilities Discovered
Authentication Weaknesses
Vulnerabilities in password reset flows and missing rate limiting on login endpoints created viable paths to account takeover without knowing the original password. For an e-commerce platform with saved addresses and order history, account takeover is one of the most damaging attack types.
Cross-Site Scripting (XSS)
Multiple XSS vulnerabilities were identified across user input fields. In an e-commerce context, XSS can steal session cookies, redirect users to phishing pages, or capture payment card data at checkout. Stored XSS – where the malicious script persists in the database – is particularly dangerous on a high-traffic platform.
Injection Vulnerabilities
Injection vulnerabilities were found in the product builder and search functionality. When successful, injection attacks can manipulate database queries, expose internal data, or, in severe cases, provide access to the underlying server infrastructure.
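To make the search finding concrete, here is an added example (not YouCustomizeIt's or Bugstrix's code) showing a product search that concatenates the user's term into SQL beside the parameterised form that the remediation relied on. The catalogue, table layout and the injection string are constructed for the demonstration; assumed table name is `products`.

```python
import sqlite3

# Constructed in-memory catalogue standing in for the shop database
# (example data and schema, not the client's real one).
def make_catalogue():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, published INTEGER)"
    )
    conn.executemany(
        "INSERT INTO products (name, published) VALUES (?, ?)",
        [
            ("Monogrammed Mug", 1),
            ("Custom Phone Case", 1),
            ("Unreleased Tote Bag", 0),  # internal item, must never appear in search
        ],
    )
    return conn


def search_vulnerable(conn, term):
    # BEFORE: the term is spliced into the SQL text, so a quote character in
    # the input changes the query's structure instead of being treated as data.
    sql = (
        "SELECT name FROM products WHERE published = 1 "
        "AND name LIKE '%" + term + "%'"
    )
    return [row[0] for row in conn.execute(sql)]


def search_fixed(conn, term):
    # AFTER: the term is bound as a parameter; the driver keeps it as a value,
    # and a length limit rejects oversized input before it reaches the query.
    if len(term) > 64:
        raise ValueError("search term too long")
    sql = "SELECT name FROM products WHERE published = 1 AND name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


# Constructed malicious input: closes the string literal, adds an always-true
# condition and comments out the rest, which disables the published filter.
INJECTED_TERM = "' OR 1=1 --"
```

Run with `make_catalogue()` and compare `search_vulnerable` and `search_fixed` on `INJECTED_TERM`: the former returns every row including the unpublished item, the latter returns nothing.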
Chained Vulnerabilities
Multiple lower-severity findings were identified that could be combined into higher-impact attack paths – exactly how sophisticated attackers operate in the real world, and exactly why manual testing catches what automated tools miss.
Results
| Metric | Result |
|---|---|
| Authentication security | Weaknesses identified and remedied |
| XSS exposure | All identified XSS vulnerabilities fixed |
| Injection vulnerabilities | Remediated with proper input validation |
| Security testing process | Formal penetration test completed |
| Team security awareness | Improved through remediation guidance |
| Confidence in platform security | Validated by independent experts |
Client Testimonial
They found bugs we wouldn’t have found otherwise and guided us through fixing them. Bugstrix knows what they’re doing.
– Caleb, YouCustomizeIt
Key Takeaways for Small E-Commerce Businesses
- Lean teams are not an excuse – they’re a reason. A small team focused on shipping features is more likely to introduce vulnerabilities unintentionally.
- You cannot test your own application objectively. Developers know how it’s supposed to work. A penetration tester tries to make it do things it was never supposed to do.
- The cost of a test is a fraction of the cost of a breach – one successful account takeover or XSS-based card skimming attack costs far more than a professional pentest.