You will be hacking into our staging environment.
This environment runs a copy of our production code, but receives new features a couple of weeks before they are released to production.
We are interested in any potential vulnerability that could impact the security of the domains listed above.
Examples of issues we'd like to know about:
- Remote Code Execution
- SQL Injection
- File Inclusion / Directory Traversal
- Cross Site Scripting
- Privilege escalation
- Significant enumeration attacks
With rising privacy awareness and regulations like GDPR, we would also like to know how private our data really is. We would like to learn about every vulnerability we are facing:
- Can users see data belonging to other users?
- Can an attacker get in without credentials?
- Can you perform actions you are not authorised to perform?
- What can you break?
Suivo uses a fairly complex access control system consisting of profiles, each containing a set of granted permissions.
To facilitate your understanding, user accounts based on 2 of these profiles will be provided.
- Full Access -> high privilege, can view and edit anything except user management
- Driver -> low privilege, very limited subset of permissions
A detailed comparison between these 2 profiles can be found in the attached Permission Matrix. ('x' marks a granted permission)
Some remarks to keep in mind while attempting privilege escalation:
- Our basic entities (Unit, Person, Location) are visible throughout the application and by every profile
- A User is not equal to a Person. Users are logins, Persons are people who can drive around in Vehicles.
- Users are only visible to the Admin
Suivo is a SAAS platform hosting data for a variety of Customers.
The last thing we want to happen is Customer A being able to view or manipulate data from Customer B.
To facilitate testing for vulnerabilities leading to this scenario, we've created a second Customer account, 'Intigriti2', for you to test against.
Please keep this second Customer a clean environment and use it only to verify the effect of actions executed by Users linked to 'Intigriti1'.
Please refer to the FAQ for more info about test credentials.