
Penetration tests should attempt each of the following and confirm that it is prevented:

  • promotion of a volunteer to Admin or OrgAdmin
  • promotion of a volunteer to OP or AP roles (i.e. membership of an OP/AP org)
  • creation of an organisation except by invitation or admin access
  • membership of a person in an organisation except through invitation or OrgAdmin
  • listing of all people in the system (names and emails)
  • access to the phone number of a person except where an interest or membership relationship exists
  • modification of another person's profile
  • impersonation of another person
  • any direct database listing
  • shell on a server container
  • listing of env vars from a server container
  • access to any secrets (AWS API key, MongoDB credentials, etc.)
  • issuing an unwarranted badge or assigning a badge to another person
  • access to members, interests, activities and any other non-public information by a non-signed-in person
  • access to any /admin page by a non-admin person
  • modification of any web page
  • spoofing of sign-in
