TWSL2016-006: Multiple XSS Vulnerabilities reported for Zen Cart

Today Trustwave released a vulnerability advisory in conjunction with Zen Cart. Researchers from the SpiderLabs Research team at Trustwave recently found multiple Cross-Site Scripting (XSS) vulnerabilities in the popular online open source shopping cart application.

The vulnerabilities affect Zen Cart 1.5.4 and potentially prior versions. Zen Cart has released a new version, 1.5.5, that fixes the reported security issues. Upgrading to this version is recommended; however, Zen Cart has also released a local patch for users who cannot upgrade right away. More details are provided below.

Vulnerability Information

Several Cross-Site Scripting vulnerabilities were discovered in the admin section of Zen Cart, and one issue was found in the non-authenticated portion of the application. Our researchers found both reflected and stored XSS in multiple parameters across a number of requests. Malicious Cross-Site Scripting injections could result in access to cookies and sensitive information, as well as site defacement, which can lead to further attacks.

Vulnerability Discovery

While testing the newest improvements to the Cross-Site Scripting SmartAttack in Trustwave App Scanner, we started running App Scanner against various popular open source tools. As part of this process we scanned Zen Cart, since it is simple to configure and is a popular shopping cart application with considerable market share.

The application credentials and the URL were provided to Trustwave App Scanner, which then crawled the application's many pages. Once an optimized set of pages was crawled, the smart attacks were added and an assessment was run, which returned multiple vulnerabilities.

There were many advantages to running an automated solution in this scenario. The tool was able to scan hundreds of pages and parameters without any manual intervention. The improved Cross-Site Scripting detection using dynamic analysis resulted in finding vulnerabilities quickly and accurately (Finding XSS Vulnerabilities More Quickly with Dynamic Contextual Analysis). Once an initial scan was set up and stored as a template, the same template could be reused each time the Zen Cart team provided a patch. No additional setup was necessary for running the subsequent scans.

Vulnerability Fixes

Trustwave responsibly disclosed these security issues to Zen Cart and worked with the Zen Cart team while the issues were being fixed. Zen Cart initially provided point patches that fixed all but one of the Cross-Site Scripting issues reported by Trustwave. Due to the widespread nature of the numerous vulnerabilities we reported, we recommended that Zen Cart add global sanitization of input parameters. This input validation was eventually added and provided a more thorough solution. Further details about this can be obtained at
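To illustrate the difference between the point patches and the global sanitization described above, here is a small Python model (added for this write-up; it is not Zen Cart code, and the parameter names `search`, `sort` and the probe string are constructed). It renders the same page under a per-parameter fix and under request-entry encoding of every parameter, covers the stored path as well, and includes the check a tester would run to see whether the probe survives unencoded.

```python
import html
from urllib.parse import parse_qs, quote

# Constructed marker used to test whether markup survives into a page unencoded.
# It is deliberately inert; the check is only whether it is reflected verbatim.
PROBE = "<script>probe()</script>"


def parse_params(query: str) -> dict:
    """Flatten a query string into single-valued parameters (first value wins)."""
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def sanitize_all(params: dict) -> dict:
    """Global sanitization at request entry: every parameter is HTML-encoded
    (including quotes) before any page logic or storage sees it."""
    return {k: html.escape(v, quote=True) for k, v in params.items()}


def point_fix_render(query: str) -> str:
    """Point patch: only the reported parameter ('search') is encoded;
    a second parameter ('sort') is still reflected raw."""
    params = parse_params(query)
    search = html.escape(params.get("search", ""), quote=True)
    sort = params.get("sort", "")  # unpatched parameter
    return f'<input value="{search}"><p>Sorted by: {sort}</p>'


def global_fix_render(query: str) -> str:
    """Same page after global sanitization: nothing reaches the template unencoded."""
    p = sanitize_all(parse_params(query))
    return f'<input value="{p.get("search", "")}"><p>Sorted by: {p.get("sort", "")}</p>'


def stored_render(description: str, sanitize_on_input: bool) -> str:
    """Stored path: a value saved by one (admin) request and rendered on a later page."""
    saved = sanitize_all({"d": description})["d"] if sanitize_on_input else description
    return f"<div class='desc'>{saved}</div>"


def reflects_probe(page: str) -> bool:
    """Defender-side verification: True if the probe appears in the output verbatim."""
    return PROBE in page


# Constructed request carrying the probe in both parameters.
SAMPLE_QUERY = "search=" + quote(PROBE) + "&sort=" + quote(PROBE)

if __name__ == "__main__":
    print("point fix still reflects:", reflects_probe(point_fix_render(SAMPLE_QUERY)))
    print("global fix reflects:", reflects_probe(global_fix_render(SAMPLE_QUERY)))
```

The same `reflects_probe` check is what makes a stored scan template reusable across patch rounds: rerun it against each build and the unpatched parameter shows up as the one that still returns True.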

A single Cross-Site Scripting issue is still present in the application, but due to CSRF protection for the request, exploiting the issue would require Admin privileges for the application.

During the fixing phase, Trustwave verified multiple versions of the intermediate patches provided by the Zen Cart team and advised them of some additional issues we found during this testing. The Zen Cart team was responsive during this process and a joy to work with as a partner in responsible disclosure.


Affected users can patch these vulnerabilities by downloading the latest version of Zen Cart 1.5.5 from and the patch is also available at

Trustwave Web Application Firewall and ModSecurity can defend against these attacks through generic XSS rules.

The vulnerabilities were discovered by Trustwave SpiderLabs Research members Sriram Akurati and Michael Yuen.

For more details regarding this advisory please visit:

The Trustwave SpiderLabs Advisory (TWSL2016-006)

Zen Cart Release Announcement