API / Server challenges

Penetration tests should attempt the following:

  • promotion of a volunteer to Admin or OrgAdmin

  • promotion of a volunteer to OP or AP roles (i.e. membership of an OP/AP org)

  • creation of an organisation except by invitation or admin access

  • membership of a person in an organisation except through invitation or an OrgAdmin

  • listing of all people in the system (names and emails)

  • access to the phone number of a person except where an interest or membership relationship exists

  • modification of another person's profile

  • impersonation of another person

  • any direct database listing

  • shell on a server container

  • listing of env vars from a server container

  • access to any secrets (AWS API key, MongoDB credentials etc.)

  • issuing an unwarranted badge or assigning a badge to another person

  • access to members, interests, activities and any other non-public information by a person who is not signed in

  • access to any /admin page by a non-admin person

  • modification of any web page

  • spoofing of sign-in

  • execution in a client's browser of malicious JavaScript entered by another person on the site

  • listing, access or modification of the S3 store holding people's uploaded images
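Read from the defender's side, the checklist above is a set of authorization rules. As an added example (not the project's code), here is a policy module that encodes those rules so each "should not be possible" item becomes a request the policy must deny; the role names (volunteer, op, ap, orgAdmin, admin), record shapes and the membership/interest model are assumptions.

```javascript
// Added example (not the project's code): an authorization policy that encodes the
// rules the checklist above implies, so each "should not be possible" item becomes
// a request the policy must deny. Role names (volunteer, op, ap, orgAdmin, admin),
// record shapes and the membership/interest model are assumptions.
const isAdmin = (p) => Boolean(p && p.roles.includes('admin'));

// Promotion to Admin, OrgAdmin, OP or AP: only an existing admin may grant roles,
// regardless of what the request body asks for.
function canSetRoles(actor, target, newRoles) {
  return isAdmin(actor);
}

// Organisation creation: admin, or an invitation addressed to the actor.
function canCreateOrg(actor, invitation) {
  if (!actor) return false;
  return isAdmin(actor) || Boolean(invitation && invitation.inviteeId === actor.id);
}

// Organisation membership: admin, that org's own OrgAdmin, or an invitation
// for exactly this person and this org.
function canAddMember(actor, org, personId, invitation) {
  if (!actor) return false;
  if (isAdmin(actor) || org.orgAdminIds.includes(actor.id)) return true;
  return Boolean(invitation && invitation.orgId === org.id && invitation.inviteeId === personId);
}

// Phone number: self, admin, or a relationship via a shared org membership or an
// interest the person registered in an activity run by one of the viewer's orgs.
function canSeePhone(viewer, person, memberships, interests) {
  if (!viewer) return false;
  if (viewer.id === person.id || isAdmin(viewer)) return true;
  const viewerOrgs = new Set(memberships.filter((m) => m.personId === viewer.id).map((m) => m.orgId));
  const sharedOrg = memberships.some((m) => m.personId === person.id && viewerOrgs.has(m.orgId));
  const interest = interests.some((i) => i.personId === person.id && viewerOrgs.has(i.orgId));
  return sharedOrg || interest;
}

// Profile modification: the person themselves or an admin.
function canEditProfile(actor, person) {
  return Boolean(actor) && (actor.id === person.id || isAdmin(actor));
}

// A listing of all people (names and emails) is admin-only; members, interests,
// activities and other non-public data require a signed-in person.
function canListPeople(actor) { return isAdmin(actor); }
function canReadNonPublic(actor) { return Boolean(actor); }
```

Each checklist item maps to one negative assertion against these functions, which makes the list a regression suite rather than a one-off test plan.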