HackenProof

In-Scope Vulnerabilities

---

We are interested in next web vulnerabilities:

• Business Logic
• Remote code execution (RCE)
• Database vulnerability, SQLi
• Cross Site Scripting (XSS)
• Privilege escalation
• Sensitive data exposure (IDOR, etc.)
• Authentication bypass
• Obtaining sensitive information
• Password attacks
• Cross-Site Request Forgery (CSRF)
• Server Side Request Forgery (SSRF)

Out-of-Scope Vulnerabilities

---

In general, the following vulnerabilities do not correspond to the severity threshold:

• Known problems: 2FA session issues
• UI and UX bugs and spelling or localization mistakes.
• Descriptive error messages (e.g. Stack Traces, application or server errors)
• Open redirects. 99% of open redirects have low security impact. For the rare cases where the impact is higher, e.g., stealing auth tokens, we do still want to hear about them
• Vulnerabilities in third-party applications
• Publicly accessible login panels without proof of exploitation.
• Reports that state that software is out of date/vulnerable without a proof of concept.
• Host header issues without proof-of-concept demonstrating the vulnerability.
• HTTP codes/pages or other HTTP non-codes/pages.
• Fingerprinting/banner disclosure on common/public services.
• Disclosure of known public files or directories, (e.g. robots.txt).
• Clickjacking/Tapjacking and issues only exploitable through clickjacking/tapjacking.
• CSRF in forms that are available to anonymous users (e.g. the contact form).
• Login & Logout CSRF
• Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
• Lack of Secure/HTTPOnly flags on non-security-sensitive Cookies.
• OPTIONS HTTP method enabled
• Lack of Security Speed bump when leaving the site.
• Weak Captcha
• Broken links (including social media)
• Content injection issues.
• HTTPS Mixed Content Scripts
• Content Spoofing without embedded links/html
• Self-XSS that cannot be used to exploit other users (this includes having a user paste JavaScript into the browser console).
• Reflected File Download (RFD).
• Best practices concerns.
• Highly speculative reports about theoretical damage. Be concrete.
• Missing HTTP security headers, specifically, For e.g.
• Missing rate limit in forms, fields
• Cookie reusing

• Strict-Transport-Security
• X-Frame-Options
• X-XSS-Protection
• Host Header
• X-Content-Type-Options
• Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
• Content-Security-Policy-Report-Only

• Infrastructure vulnerabilities, including:

• Certificates/TLS/SSL related issues
• DNS issues (i.e. mx records, SPF records, DMARC records, etc.)
• Server configuration issues (i.e., open ports, TLS, etc.)

• Outdated web browsers: vulnerabilities contingent upon outdated or unpatched browsers will not be honored, including Internet Explorer all versions
• Vulnerabilities involving active content such as web browser add-ons
• XSS issues that affect only outdated browsers (like Internet Explorer)
• Issues that require physical access to a victim’s computer.
• Physical or social engineering attempts (this includes phishing attacks against employees).
• Recently disclosed 0day vulnerabilities.
• Microsites with little to no user data
• Most brute forcing issues
• Denial of service
• Spamming!
• Session fixation