Penetration tests should attempt the following:
promotion of a volunteer to Admin or OrgAdmin
promotion of a volunteer to OP or AP roles (i.e. membership of an OP/AP org).
creation of an organisation except by invitation or admin access.
membership of a person to an organisation except through invitation or OrgAdmin
listing of all people in the system - names and emails.
access to the phone number of a person except where an interest or membership relationship exists.
modification of another person’s profile
impersonation of another person
any direct database listing
shell on a server container
listing of env vars from a server container
access to any secrets - AWS API key, MONGODB credentials etc.
issuing an unwarranted badge or assigning a badge to another person
access to members, interests, activities and any other non-public information by a non-signed-in person
access to any /admin page by non-admin person
modification of any web page.
spoofing of sign in.
execution of malicious JavaScript in a client browser that was entered by another person on the site (stored cross-site scripting).
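As an added illustration (not code from the project this checklist belongs to), the following JavaScript encodes several of the items above as a reference authorisation policy that can be unit-tested before a penetration test is run. Role names, object shapes and the invitation/relationship model are assumptions made for the example.

```javascript
// Added example, not the project's own code. Role names ('admin', 'orgadmin',
// 'volunteer'), the person/invitation shapes and the relationship edges are
// assumptions chosen to mirror the checklist items.

const isAdmin = (p) => p.roles.includes('admin');
const isOrgAdminOf = (p, orgId) =>
  p.roles.includes('orgadmin') && p.adminOrgs.includes(orgId);

// Items 1-2: a volunteer must never reach Admin/OrgAdmin or OP/AP on their own.
// Only a system Admin grants admin/orgadmin; OP/AP are never assigned directly,
// they follow from membership of an OP/AP org, which canAddMember() guards.
function canGrantRole(actor, role) {
  if (role === 'admin' || role === 'orgadmin') return isAdmin(actor);
  return false;
}

// Item 3: an organisation is created only by an Admin or by the holder of an
// invitation addressed to them (invitation shape is assumed).
function canCreateOrg(actor, invitation) {
  return isAdmin(actor) ||
    (!!invitation && invitation.kind === 'createOrg' && invitation.to === actor.id);
}

// Item 4: a person joins an org only through an invitation for that org that is
// addressed to them, or by action of an Admin / an OrgAdmin of that org.
function canAddMember(actor, person, orgId, invitation) {
  if (isAdmin(actor) || isOrgAdminOf(actor, orgId)) return true;
  return !!invitation && actor.id === person.id &&
    invitation.org === orgId && invitation.to === person.id;
}

// Item 6: the phone number is visible only to the owner, an Admin, or someone
// linked to the person by an interest or membership relationship.
// relationships: [{ kind: 'interest' | 'membership', a: personId, b: personId }]
function canSeePhone(viewer, person, relationships) {
  if (viewer.id === person.id || isAdmin(viewer)) return true;
  return relationships.some((r) =>
    (r.kind === 'interest' || r.kind === 'membership') &&
    ((r.a === viewer.id && r.b === person.id) ||
     (r.a === person.id && r.b === viewer.id)));
}

// Items 7 and 15: only the owner or an Admin edits a profile; /admin is Admin-only.
function canEditProfile(actor, person) {
  return actor.id === person.id || isAdmin(actor);
}
function canViewAdminPage(actor) {
  return isAdmin(actor);
}
```

Each checklist item then maps to a negative test (the volunteer case must return false) that can run in CI, independent of the manual test.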