Ethical Hacker - Test Case
Program Rules
Any type of denial-of-service attack is strictly forbidden, as is any interference
with network equipment or Alef Education infrastructure.
Any attack that is intrusive in nature must be reported early, to avoid impact on the
Alef Education platform services.
The test should take more than one day, and must produce a detailed report of the
findings as briefed below.
The vulnerability must be a qualifying vulnerability (see below).
You must send a clear textual description of the issue along with the steps to
reproduce it, including attachments such as screenshots or proof-of-concept code as
necessary, and a remediation proposal for the developers.
You must avoid tests that could cause degradation or interruption of our service
(refrain from using automated tools and limit yourself to about 5 requests per
second).
You must not leak, manipulate, or destroy any user data.
USER-AGENT
Please append the following value to your User-Agent header: 'EthicalHacker-<yourname>'
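As an added example (not part of the program rules or of any Alef Education tooling): a small Python helper that applies the two requirements above, tagging every request with the required 'EthicalHacker-<yourname>' User-Agent marker and throttling outgoing requests to about 5 per second with a token bucket. Only the standard library is used. The tester name "jdoe", the base User-Agent string, the target URL and all class and function names are placeholders chosen for this example.

```python
"""Rate-limited HTTP helper for the Alef Education ethical-hacking test.

Added example, not part of the program rules: every request carries the
required 'EthicalHacker-<yourname>' User-Agent marker and is sent no faster
than the ~5 requests/second the rules ask for. Standard library only; the
tester name and target URL are placeholders.
"""
import threading
import time
import urllib.request
from typing import Callable, Optional

PROGRAM_RATE_LIMIT = 5.0      # requests per second, from the program rules
UA_PREFIX = "EthicalHacker-"  # marker the program asks for in the User-Agent


def tagged_user_agent(tester_name: str, base_ua: str = "Python-urllib/3") -> str:
    """Append 'EthicalHacker-<yourname>' to a base User-Agent string.

    The name is rejected if it is empty or contains whitespace, so the marker
    stays a single token that a WAF rule or log filter can match on.
    """
    name = tester_name.strip()
    if not name or any(ch.isspace() for ch in name):
        raise ValueError("tester name must be a single non-empty token")
    return f"{base_ua} {UA_PREFIX}{name}"


class TokenBucket:
    """Token-bucket limiter: at most `rate` requests/second, burst of `burst`.

    `clock` and `sleep` are injectable so the timing logic can be dry-run
    with SimulatedClock below instead of actually waiting.
    """

    def __init__(self, rate: float, burst: int = 1,
                 clock: Callable[[], float] = time.monotonic,
                 sleep: Callable[[float], None] = time.sleep) -> None:
        if rate <= 0 or burst < 1:
            raise ValueError("rate must be > 0 and burst >= 1")
        self.rate, self.burst = rate, burst
        self.clock, self.sleep = clock, sleep
        self.tokens = float(burst)   # start full: the first `burst` calls are free
        self.last = clock()
        self.lock = threading.Lock()

    def acquire(self) -> float:
        """Block until a token is available; return the seconds actually slept."""
        with self.lock:
            now = self.clock()
            # Refill in proportion to elapsed time, never beyond the burst size.
            self.tokens = min(float(self.burst),
                              self.tokens + (now - self.last) * self.rate)
            self.last = now
            if self.tokens >= 1.0:
                self.tokens -= 1.0
                return 0.0
            waited = (1.0 - self.tokens) / self.rate
            self.sleep(waited)
            # After sleeping we held exactly one token, which this call spends.
            self.tokens = 0.0
            self.last = self.clock()
            return waited


class SimulatedClock:
    """Fake clock whose `sleep` advances `now` instead of blocking (dry runs)."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def sleep(self, seconds: float) -> None:
        self.now += seconds


class ThrottledClient:
    """Builds tagged requests and sends them no faster than the program allows."""

    def __init__(self, tester_name: str, rate: float = PROGRAM_RATE_LIMIT,
                 limiter: Optional[TokenBucket] = None) -> None:
        self.user_agent = tagged_user_agent(tester_name)
        self.limiter = limiter if limiter is not None else TokenBucket(rate)

    def build_request(self, url: str, method: str = "GET",
                      data: Optional[bytes] = None) -> urllib.request.Request:
        req = urllib.request.Request(url, data=data, method=method)
        req.add_header("User-Agent", self.user_agent)  # stored as 'User-agent'
        return req

    def send(self, url: str, method: str = "GET", data: Optional[bytes] = None,
             timeout: float = 10.0) -> bytes:
        """Wait for a token, then perform the request (this one hits the network)."""
        self.limiter.acquire()
        req = self.build_request(url, method, data)
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read()


if __name__ == "__main__":
    # Dry run with the simulated clock: 11 requests through a 5 req/s bucket
    # (burst 1) cost 2.0 s of waiting in total. "jdoe" is a placeholder name.
    clock = SimulatedClock()
    bucket = TokenBucket(PROGRAM_RATE_LIMIT, clock=clock, sleep=clock.sleep)
    client = ThrottledClient("jdoe", limiter=bucket)
    total_wait = sum(bucket.acquire() for _ in range(11))
    req = client.build_request("https://demo.alefed.com/")
    print(req.get_header("User-agent"), round(total_wait, 3))
```

The burst size is deliberately 1, so the helper never sends a cluster of requests faster than the program's ceiling even after an idle period; raise it only if the program owner agrees. `send()` is the only method that touches the network; everything else can be exercised offline with `SimulatedClock`.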
Out of scope
All domains not listed in scope
All vulnerabilities reported by standard discovery tools (e.g. QualysGuard and SCA tools)
Scope of Work
Demo.alefed.com
Qualifying vulnerabilities
Remote code execution (RCE)
Local file access and manipulation (LFI, RFI, XXE, SSRF, XSPA)
Code injections (HTML, JS, SQL, PHP, ...)
Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF) with real security impact
Open redirect
Broken authentication & session management
Insecure direct object references
CORS with real security impact
Horizontal and vertical privilege escalation
Log4j vulnerabilities
Authorization flaws with JWT tokens across different roles
1) **Web & API**
• SQL Injection (SQLi)
• Cross-Site Scripting (XSS)
• Remote Code Execution (RCE)
• Insecure Direct Object Reference (IDOR)
• Horizontal and vertical privilege escalation
• Authentication bypass & broken authentication
• Business logic errors with real security impact
• Local file access and manipulation (LFI, RFI, XXE, SSRF, XSPA)
• Cross-Origin Resource Sharing (CORS) with real security impact
• Cross-site Request Forgery (CSRF) with real security impact
• Open Redirect
2) **Mobile Apps**
• Sensitive information exposure through insecure data storage on the device
• Information leakage from the mobile app (without rooting)
• Insecure Communication
• Insecure Authentication
• Insecure Authorization
• Insufficient Cryptography
• Hardcoded secrets
Non-qualifying vulnerabilities
All vulnerabilities reported by standard discovery tools (e.g. QualysGuard and SCA tools)
"Self" XSS
Missing cookie flags
SSL/TLS best practices
Mixed content warnings
Denial of Service attacks
"HTTP Host Header" XSS
Clickjacking/UI redressing
Software version disclosure
Stack traces or path disclosure
Physical or social engineering attempts
Recently disclosed 0-day vulnerabilities
Presence of autocomplete attribute on web forms
Vulnerabilities affecting outdated browsers or platforms
Issues that require physical access to a victim’s computer/device
Logout and other instances of low-severity Cross-Site Request Forgery
Missing security-related HTTP headers which do not lead directly to a vulnerability
Reports from automated web vulnerability scanners (Acunetix, Vega, etc.) that have not
been validated
Invalid, incomplete or missing SPF (Sender Policy Framework), DKIM or DMARC records
1) **Web & API**
• Tabnabbing
• Missing cookie flags
• Content/Text injections
• Mixed content warnings
• Clickjacking/UI redressing
• Denial of Service (DoS) attacks
• Known CVEs without working PoC
• Open ports without real security impact
• Social engineering of staff or contractors
• Presence of autocomplete attribute on web forms
• Vulnerabilities affecting outdated browsers or platforms
• Self-XSS or XSS that cannot be used to impact other users
• Outdated libraries without a demonstrated security impact
• Any hypothetical flaw or best practices without exploitable PoC
• Expired certificate, best practices and other related issues for TLS/SSL certificates
• Unexploitable vulnerabilities (ex: XSS or Open Redirect in HTTP Host Header)
• Reports with attack scenarios requiring MITM or physical access to victim's device
• Missing security-related HTTP headers which do not lead directly to a vulnerability
• Unauthenticated / Logout / Login and other low-severity Cross-Site Request Forgery
(CSRF)
• Invalid or missing SPF (Sender Policy Framework), DKIM, DMARC records
• Session expiration policies (no automatic logout, invalidation after a certain time or
after a password change)
• Disclosure of information without direct security impact (e.g. stack traces, path
disclosure, directory listings, software versions, IP disclosure, 3rd party secrets)
• CSV injection
• HTTP Strict Transport Security Header (HSTS)
• Subdomain takeover without a full working PoC
• Blind SSRF without direct impact (e.g. DNS pingback)
• Lack of rate-limiting, brute-forcing or captcha issues
• User enumeration (email, alias, GUID, phone number)
• Password requirements policies (length / complexity / reuse)
• Ability to spam users (email / SMS / direct messages flooding)
• Disclosed / misconfigured Google API key (including Google Maps)
• Recently disclosed 0-day vulnerabilities (less than XX days since patch release)
• Password reset token leak on trusted third-party website via Referer header (eg Google
Analytics, Facebook…)
2) **Mobile Apps**
• Vulnerabilities requiring physical access to a user’s smartphone
• Exploits that are only possible on Android version 7 and below (to be decided based on
your user base and the backward compatibility of the apps)
• Exploits that are only possible on iOS version 10 and below (to be decided based on your
user base and the backward compatibility of the apps)
• Exploits that are only possible on a jailbroken device*
• Exploiting a generic Android or iOS vulnerability.
• Lack of code obfuscation
• Lack of binary protection / jailbreak and root detection / anti-debugging controls
• Crashing your own application
• Non important secrets (such as 3rd party secrets)
• SSL/TLS cipher suites
• Vulnerable version of libraries (for example ‘jquery’) without demonstrable attack
vector
• Lack of SSL/TLS certificate pinning