Contact us
Case Study: Aromatic Scents Lab – Web Application Security Assessment

Overview

Aromatic Scents Lab serves as an e-commerce platform that operates in both staging and production environments, providing fragrance products to a diverse user base. In March 2026, TestVox conducted a thorough web application security assessment to ensure the platform’s security and reliability.

The assessment utilized a black-box penetration testing methodology, integrating automated tools with manual validation to uncover vulnerabilities within the application, infrastructure, and integrations. The objective was to assess the platform’s security posture, identify potential risks, and offer actionable recommendations to protect user data and business operations.

Challenges We Faced

During the evaluation, numerous significant and practical security challenges were recognized:

  • Exposure of Essential Services Crucial services like MySQL (port 3306) and FTP (port 21) were accessible to the public, heightening the risk of unauthorized access and potential data breaches.
  • Authentication & Session Management Concerns Inadequate authentication methods were found, including the acceptance of JWT tokens without signatures and session tokens that remained valid post-logout.
  • Outdated Components & Dependencies The platform was utilizing outdated plugins (WooCommerce, multilingual plugins) and JavaScript libraries, which heightened vulnerability to known exploits.
  • Insecure Data Management Sensitive tokens, including access and refresh tokens, were revealed in API responses, rendering them susceptible to interception or misuse.
  • Misconfigured Security Measures Problems such as a weak Content Security Policy, absent security headers, and outdated TLS versions diminished the overall security robustness of the application.

Our Solution

In order to tackle these challenges, a systematic and risk-oriented remediation strategy was put into action:

  1. Critical Vulnerability Fixes

    2. Immediate measures were taken to safeguard exposed services by limiting public access to database and FTP ports and substituting insecure protocols with secure alternatives.

  2. Secure Authentication Implementation

    3. Authentication was fortified by mandating proper JWT validation, disallowing insecure algorithms, and establishing server-side session invalidation mechanisms.

  3. Dependency & Patch Management

    4. Outdated plugins and libraries were updated to their latest secure versions, and a routine patch management process was introduced.

  4. Secure Data Handling Practices

    5. Token security was enhanced by relocating sensitive data to secure storage solutions such as Http Only cookies and reducing exposure in API responses.

  5. Enhanced Security Configurations

    6. Robust Content Security Policies were implemented, missing security headers were added, and TLS configurations were upgraded to meet modern standards.

Result

Decreased Critical Risk Exposure

High-severity vulnerabilities, including exposed services and authentication weaknesses, were detected and prioritized for prompt remediation.

Enhanced Data Protection

Sensitive customer and transactional information became more secure through improved encryption and token management practices.

Reinforced Application Security

Security configurations such as CSP, TLS, and headers bolstered protection against prevalent web attacks like XSS and MITM.

Improved System Reliability & Compliance

The platform advanced towards industry standards such as OWASP and PCI-DSS, thereby enhancing trust and compliance preparedness.

Conclusion

The security evaluation of the Aromatic Scents Lab underscores the necessity of proactive security testing within contemporary e-commerce platforms. By pinpointing and rectifying critical vulnerabilities—ranging from exposed services to authentication weaknesses—the platform has notably enhanced its overall security stance. With a well-defined remediation strategy and an emphasis on best practices, the application is now more capable of safeguarding user data, thwarting unauthorized access, and facilitating secure business expansion. Ongoing monitoring, routine updates, and regular security evaluations will be crucial for sustaining this elevated security standard in the long run.

Related Resources