
Company

Alef Education is a leader in the EdTech industry.

Program Rules
 • Denial of service attacks of any kind are strictly forbidden, as is any interference with network equipment or Alef Education infrastructure.
 • Any test that is intrusive in nature must be reported in advance so that impact on the Alef Education platform can be avoided.
 • The test is expected to take more than one day and must produce a detailed report of findings in the format described below.
 • The vulnerability must be a qualifying vulnerability (see below).
 • You must send a clear textual description of the issue together with the steps to reproduce it, with attachments such as screenshots or proof-of-concept code as necessary, and a remediation proposal for the developers.
 • You must avoid tests that could degrade or interrupt the service: refrain from automated tools and limit yourself to about 5 requests per second.
 • You must not leak, manipulate or destroy any user data.

User-Agent
 • Append the following value to your User-Agent header: 'EthicalHacker-<yourname>'
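The two mechanical rules above (tag every request with 'EthicalHacker-<yourname>' and stay at about 5 requests per second) are easy to break by accident once a script is driving the browser or API. The following is an added example written for this page, not Alef Education's tooling: a small request wrapper that forces the tagged User-Agent and paces requests. The transport is pluggable, so the demo runs offline against a recording fake; the base User-Agent string, the tester name and the `/api/items/` path under the in-scope host demo.alefed.com are assumptions for the demo.

```python
"""Program-rule-compliant request wrapper: tagged User-Agent plus pacing.

Added example for this page, not Alef Education's tooling. It encodes the two
mechanical program rules: every request carries 'EthicalHacker-<yourname>' in
its User-Agent, and requests are paced to at most ~5 per second. The transport
is pluggable (send(method, url, headers) -> (status, body)), so the demo runs
offline against a recording fake; for real use pass a function that wraps
requests.request. The base User-Agent string, the demo path under
demo.alefed.com and the tester name are assumptions.
"""
import time
from typing import Callable, Dict, List, Optional, Tuple

Transport = Callable[[str, str, Dict[str, str]], Tuple[int, str]]

BASE_UA = "Mozilla/5.0 (compatible; bugbounty-tester)"  # assumed base UA


def tagged_user_agent(tester_name: str, base_ua: str = BASE_UA) -> str:
    """Return the base UA with the program tag appended."""
    if not tester_name or any(ch.isspace() for ch in tester_name):
        raise ValueError("tester name must be one non-empty token")
    return f"{base_ua} EthicalHacker-{tester_name}"


class ThrottledClient:
    """Sends requests no faster than max_rps, always with the tagged UA.

    clock/sleep are injectable so pacing can be verified without real delays.
    """

    def __init__(self, tester_name: str, send: Transport, max_rps: float = 5.0,
                 clock: Callable[[], float] = time.monotonic,
                 sleep: Callable[[float], None] = time.sleep) -> None:
        if max_rps <= 0 or max_rps > 5.0:
            raise ValueError("program rule: stay at or below ~5 requests per second")
        self.user_agent = tagged_user_agent(tester_name)
        self.min_interval = 1.0 / max_rps
        self._send, self._clock, self._sleep = send, clock, sleep
        self._last_sent: Optional[float] = None

    def request(self, method: str, url: str,
                headers: Optional[Dict[str, str]] = None) -> Tuple[int, str]:
        """Wait until min_interval has passed since the last send, then send."""
        now = self._clock()
        if self._last_sent is not None:
            remaining = self.min_interval - (now - self._last_sent)
            if remaining > 0:
                self._sleep(remaining)
                now = self._clock()
        self._last_sent = now
        merged = dict(headers or {})
        merged["User-Agent"] = self.user_agent  # the tag is mandatory; replaces any caller UA
        return self._send(method, url, merged)


class VirtualClock:
    """Clock whose sleep() advances time instead of blocking (for the offline demo)."""

    def __init__(self) -> None:
        self.t = 0.0

    def now(self) -> float:
        return self.t

    def sleep(self, seconds: float) -> None:
        self.t += seconds


def run_demo(n_requests: int = 10, max_rps: float = 5.0) -> Tuple[List[float], List[str]]:
    """Push n requests through the throttle against a fake transport that records
    the virtual send time and the User-Agent it received."""
    clock = VirtualClock()
    sent_at: List[float] = []
    agents: List[str] = []

    def fake_send(method: str, url: str, headers: Dict[str, str]) -> Tuple[int, str]:
        sent_at.append(clock.now())
        agents.append(headers["User-Agent"])
        return 200, "ok"

    client = ThrottledClient("alice", fake_send, max_rps=max_rps,
                             clock=clock.now, sleep=clock.sleep)
    for i in range(n_requests):
        # assumed demo path on the in-scope host; the caller's UA gets replaced
        client.request("GET", f"https://demo.alefed.com/api/items/{i}",
                       {"User-Agent": "curl/8.0"})
    return sent_at, agents


if __name__ == "__main__":
    stamps, uas = run_demo()
    print(f"{len(stamps)} requests over {stamps[-1] - stamps[0]:.2f}s of virtual time")
    print("User-Agent seen by the server:", uas[0])
```

The client rejects a `max_rps` above 5 at construction time rather than trusting the caller, and it overwrites rather than merges any User-Agent the caller supplies, so a tool that sets its own UA cannot silently drop the tag.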

Platform functionality and access roles

 • The Alef Education platform is a primary mode of learning, used alongside teachers in the classroom.
 • It has four levels of access: student, teacher, principal and super admin.
 • It covers learning, assessment and gamification for students, and teachers can track student progress through L-based assessments.
 • It is hosted on AWS and Azure and integrated with various third-party cloud providers.

Scope of Work
 • demo.alefed.com

Out of scope
 • All domains not listed in scope
 • All vulnerabilities reported by standard discovery tools (e.g. QualysGuard and SCA tools)

Qualifying vulnerabilities
 1) **Web & API**
 • Remote code execution (RCE)
 • Code injection (HTML, JS, SQL, PHP, ...), including SQL injection (SQLi)
 • Cross-Site Scripting (XSS)
 • Local file access and manipulation (LFI, RFI, XXE, SSRF, XSPA)
 • Cross-Site Request Forgery (CSRF) with real security impact
 • Cross-Origin Resource Sharing (CORS) with real security impact
 • Open redirect
 • Broken authentication, authentication bypass and broken session management
 • Authorization with JWT tokens across the different roles
 • Insecure Direct Object Reference (IDOR)
 • Horizontal and vertical privilege escalation
 • Business logic errors with real security impact
 • Log4j
 • Hardcoded secrets
 2) **Mobile Apps**
 • Sensitive information exposure through insecure data storage on the device
 • Information leaked from the mobile app (without rooting)
 • Insecure communication
 • Insecure authentication
 • Insecure authorization
 • Insufficient cryptography
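Several of the qualifying classes (IDOR, horizontal and vertical privilege escalation, JWT authorization across roles) are found the same way on a four-role platform like this one: capture one token per role, replay identical requests with each token and diff the outcomes against the intended allow/deny matrix. The following is an added example written for this page, not Alef Education's code. Everything target-specific is constructed for the demo: the endpoint paths, the `role` and `sub` claim names, the unsigned demo tokens and the in-memory backend, which has one deliberately omitted role check so the harness has something to report. In real use the `send` callable would be a throttled, tagged client and the tokens would be captured from real logins for each role, never minted.

```python
"""Differential (role-matrix) authorization test.

Added example for this page, not Alef Education's code. The platform has four
access levels (student, teacher, principal, super admin) and the program treats
horizontal/vertical privilege escalation and JWT authorization across roles as
qualifying findings. Everything target-specific below is constructed for the
demo: endpoint paths, the `role`/`sub` claim names, the unsigned tokens and the
in-memory backend with one deliberately missing role check.
"""
import base64
import json
from typing import Callable, Dict, List, Set, Tuple

Transport = Callable[[str, str, Dict[str, str]], Tuple[int, str]]
ROLES = ["student", "teacher", "principal", "super_admin"]


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_demo_jwt(claims: dict) -> str:
    """Constructed token with a placeholder signature; only the demo backend accepts it."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.demo-signature"


def jwt_payload(token: str) -> dict:
    """Decode the payload WITHOUT verifying the signature: enough to label which
    role a captured token belongs to, never a basis for trusting it."""
    part = token.split(".")[1]
    part += "=" * (-len(part) % 4)
    return json.loads(base64.urlsafe_b64decode(part))


def demo_backend(method: str, path: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Constructed stand-in for the target. Intended policy:
    - /api/grades/<id>: a student may read only their own; other roles may read any
    - /api/admin/users: super_admin only
    - /api/admin/reports: principal and super_admin only (check deliberately omitted)
    """
    if "Authorization" not in headers:
        return 401, "unauthenticated"
    claims = jwt_payload(headers["Authorization"].split(" ", 1)[1])
    role, sub = claims.get("role"), claims.get("sub")
    if path.startswith("/api/grades/"):
        owner = path.rsplit("/", 1)[1]
        if role == "student" and owner != sub:  # ownership check: blocks horizontal access
            return 403, "forbidden"
        return 200, json.dumps({"owner": owner, "grades": [88, 93]})
    if path == "/api/admin/users":
        if role != "super_admin":
            return 403, "forbidden"
        return 200, json.dumps({"users": ["s1", "s2", "teacher-1"]})
    if path == "/api/admin/reports":
        return 200, json.dumps({"reports": ["school-wide.pdf"]})  # BUG: no role check at all
    return 404, "not found"


# Which roles should succeed on each request. The student token is for sub "s1",
# so /api/grades/s2 is the horizontal (same role, other user) probe.
Matrix = Dict[Tuple[str, str], Set[str]]
EXPECTED: Matrix = {
    ("GET", "/api/grades/s1"): {"student", "teacher", "principal", "super_admin"},
    ("GET", "/api/grades/s2"): {"teacher", "principal", "super_admin"},
    ("GET", "/api/admin/users"): {"super_admin"},
    ("GET", "/api/admin/reports"): {"principal", "super_admin"},
}


def run_matrix(send: Transport, tokens: Dict[str, str], expected: Matrix) -> List[dict]:
    """Replay every request as every role; report grants the matrix forbids
    (escalation candidates) and denials it expects to succeed (broken function)."""
    findings: List[dict] = []
    for (method, path), allowed in expected.items():
        for role, token in tokens.items():
            status, _ = send(method, path, {"Authorization": f"Bearer {token}"})
            granted = 200 <= status < 300
            if granted and role not in allowed:
                findings.append({"kind": "unexpected_grant", "role": role,
                                 "method": method, "path": path, "status": status})
            elif not granted and role in allowed:
                findings.append({"kind": "unexpected_denial", "role": role,
                                 "method": method, "path": path, "status": status})
    return findings


def demo() -> List[dict]:
    tokens = {r: make_demo_jwt({"sub": "s1" if r == "student" else f"{r}-1", "role": r})
              for r in ROLES}
    return run_matrix(demo_backend, tokens, EXPECTED)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Against the constructed backend the harness reports two unexpected grants, both on `/api/admin/reports` for the student and teacher tokens (vertical escalation), and nothing for the horizontal probe, because the grades endpoint checks ownership. A real report should include the matrix entry, the two raw request/response pairs that differ only in the token, and the decoded (unverified) role claim of each token.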

Non-qualifying vulnerabilities
 1) **Web & API**
 • Unvalidated reports from automated scanners and standard discovery tools (e.g. QualysGuard, SCA tools, Acunetix, Vega)
 • Any hypothetical flaw or best-practice deviation without an exploitable PoC
 • Known CVEs without a working PoC
 • Outdated libraries without a demonstrated security impact
 • Recently disclosed 0-day vulnerabilities (less than XX days since patch release)
 • Self-XSS, or XSS that cannot be used to impact other users
 • Unexploitable issues such as XSS or open redirect in the HTTP Host header
 • Tabnabbing
 • Content/text injection
 • CSV injection
 • Clickjacking/UI redressing
 • Missing cookie flags
 • Missing security-related HTTP headers that do not lead directly to a vulnerability, including HTTP Strict Transport Security (HSTS)
 • Mixed content warnings
 • SSL/TLS best practices, expired certificates and other TLS/SSL certificate issues
 • Denial of Service (DoS) attacks
 • Lack of rate limiting, brute-forcing or captcha issues
 • Ability to spam users (email / SMS / direct message flooding)
 • User enumeration (email, alias, GUID, phone number)
 • Password requirement policies (length / complexity / reuse)
 • Session expiration policies (no automatic logout, no invalidation after a certain time or after a password change)
 • Unauthenticated, logout, login and other low-severity Cross-Site Request Forgery (CSRF)
 • Open ports without real security impact
 • Blind SSRF without direct impact (e.g. DNS pingback)
 • Subdomain takeover without a full working PoC
 • Disclosure of information without direct security impact (e.g. stack traces, path disclosure, directory listings, software versions, IP disclosure, 3rd-party secrets)
 • Disclosed or misconfigured Google API keys (including Google Maps)
 • Password reset token leaked to a trusted third-party website via the Referer header (e.g. Google Analytics, Facebook)
 • Invalid or missing SPF, DKIM or DMARC records
 • Presence of the autocomplete attribute on web forms
 • Vulnerabilities affecting outdated browsers or platforms
 • Physical or social engineering attempts against staff or contractors
 • Attack scenarios requiring MITM or physical access to the victim's computer or device
 2) **Mobile Apps**
 • Vulnerabilities requiring physical access to a user's smartphone
 • Exploits that are only possible on Android version 7 and below (to be reviewed against your user base and the apps' backward compatibility)
 • Exploits that are only possible on iOS version 10 and below (to be reviewed against your user base and the apps' backward compatibility)
 • Exploits that are only possible on a jailbroken device*
 • Exploitation of a generic Android or iOS vulnerability
 • Lack of code obfuscation
 • Lack of binary protection, jailbreak/root detection or anti-debugging controls
 • Crashing your own application
 • Non-important secrets (such as 3rd-party secrets)
 • SSL cipher suites
 • Vulnerable versions of libraries (for example jQuery) without a demonstrable attack vector
 • Lack of SSL pinning
