API / Server challenges

Penetration tests should attempt each of the following. The platform is expected to prevent every one of them, so any attempt that succeeds is a finding:

  • promotion of a volunteer to Admin or OrgAdmin

  • promotion of a volunteer to OP or AP roles (i.e. membership of an OP/AP org)

  • creation of an organisation except by invitation or admin access.

  • membership of a person to an organisation except through invitation or OrgAdmin

  • listing of all people in the system (names and emails)

  • access to the phone number of a person except where an interest or membership relationship exists.

  • modification of another person’s profile

  • impersonation of another person

  • any direct database listing

  • obtaining a shell on a server container

  • listing of env vars from a server container

  • access to any secrets (AWS API key, MongoDB credentials etc.)

  • issuing an unwarranted badge or assigning a badge to another person

  • access to members, interests, activities and any other non-public information by a non signed-in person

  • access to any /admin page by a non-admin person

  • modification of any web page.

  • spoofing of sign-in

  • execution of malicious JavaScript in another person's browser via content entered on the site (stored XSS)

  • listing, access or modification of the S3 store holding people’s uploaded images

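The authorization items above (role promotion, organisation creation, people listing, phone number access, profile modification, signed-out access, /admin pages, badge issuing) can be turned into a repeatable regression harness rather than a one-off manual pass. The example below is added here and is not code from the original page or from the project; the route names, HTTP methods and session labels are assumptions for illustration, and `fake_send` is a constructed in-memory stand-in for the API, deliberately left with two holes so the harness has something to find. Replace `fake_send` with a real HTTP client to run it against a deployment.

```python
"""Authorization regression checks for the API / Server challenge list.

Added example (not project code). Assumes a REST API with the hypothetical
routes below and a `send(actor, method, path, body)` callable that returns
(status_code, json_body). Session labels "anon", "volunteer", "orgadmin" and
"admin" are assumed to map to real sessions when run for real.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

Send = Callable[[str, str, str, Optional[dict]], Tuple[int, dict]]


@dataclass(frozen=True)
class Check:
    name: str            # item from the challenge list
    actor: str           # session that must NOT be able to do this
    method: str
    path: str            # hypothetical route, an assumption of this example
    body: Optional[dict] = None


# Each entry encodes an action the list says must be refused for the actor.
CHECKS: List[Check] = [
    Check("promote volunteer to admin", "volunteer", "PATCH",
          "/api/people/volunteer-2", {"role": ["admin"]}),
    Check("create org without invitation", "volunteer", "POST",
          "/api/organisations", {"name": "Unsanctioned Org"}),
    Check("list all people (names/emails)", "volunteer", "GET", "/api/people"),
    Check("read another person's phone", "volunteer", "GET",
          "/api/people/volunteer-2/phone"),
    Check("modify another person's profile", "volunteer", "PUT",
          "/api/people/volunteer-2", {"name": "changed"}),
    Check("read members while signed out", "anon", "GET", "/api/members"),
    Check("open /admin as non-admin", "volunteer", "GET", "/admin"),
    Check("issue badge to another person", "volunteer", "POST",
          "/api/badges", {"person": "volunteer-2"}),
]

# A refusal may legitimately be 401, 403 or 404 (404 hides resource existence).
DENIED = {401, 403, 404}


def run_checks(send: Send) -> List[Tuple[str, int]]:
    """Return (check name, status) for every check the server did NOT refuse."""
    findings = []
    for c in CHECKS:
        status, _ = send(c.actor, c.method, c.path, c.body)
        if status not in DENIED:
            findings.append((c.name, status))
    return findings


def verify_controls(send: Send) -> List[str]:
    """Guard against vacuous passes: each action must succeed for an admin.

    If the admin is also refused, the route may simply not exist, in which
    case a 'denied' result for the volunteer proves nothing. Returns the
    names of checks whose control failed.
    """
    vacuous = []
    for c in CHECKS:
        status, _ = send("admin", c.method, c.path, c.body)
        if not 200 <= status < 300:
            vacuous.append(c.name)
    return vacuous


# --- constructed stand-in for the API, used only so this runs offline -------
ROLE = {"anon": None, "volunteer": "volunteer", "orgadmin": "orgadmin",
        "admin": "admin"}


def fake_send(actor: str, method: str, path: str,
              body: Optional[dict] = None) -> Tuple[int, dict]:
    role = ROLE[actor]
    if role is None:
        return 401, {"error": "sign in required"}
    # Hole 1: any signed-in user can enumerate everyone (names and emails).
    if method == "GET" and path == "/api/people":
        return 200, {"people": [{"name": "A. Person", "email": "a@example.org"}]}
    # Hole 2: phone numbers served with no interest/membership relationship check.
    if method == "GET" and path.endswith("/phone"):
        return 200, {"phone": "+64 21 000 0000"}
    # Everything else in this stand-in is admin-only.
    if role == "admin":
        return 200, {"ok": True}
    return 403, {"error": "forbidden"}


if __name__ == "__main__":
    for name, status in run_checks(fake_send):
        print(f"FINDING: {name} (HTTP {status})")
    for name in verify_controls(fake_send):
        print(f"VACUOUS: {name} (admin also refused; route may not exist)")
```

Run against `fake_send` the harness reports the two planted holes (people listing and phone access) and no vacuous checks. Against a server that answers 403 to everything, `run_checks` would report nothing while `verify_controls` would flag every check, which is the reminder that a pentest item only passes when the same action works for an authorised actor.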
