Introduction
Please see our detailed scope and out-of-scope list. This list is subject to change without notice.
If you’ve found a vulnerability that affects an asset belonging to Zalando, but is not included in the scope, please report it to this program.
Our worst-case scenarios are:
- Extraction of Personally Identifiable Information (PII)
- Purchasing products for free
- Remote Code Executions (RCEs)
Valued Vulnerabilities
- Remote Code Execution / OS Command Injection
- Injection (SQLi, LDAP, XML, etc.)
- Business Logic Bypass
- Sensitive Data Exposure (PII, financial, credentials on GitHub, private keys, etc.)
- Significant Authentication Bypass
- Server Side Request Forgery (SSRF)
- Server Side Template Injection
- File Inclusion (Remote/Local)
- XML External Entity Injection (XXE)
- Memory leaks
- Cross Site Scripting (Stored, Reflected, Blind)
- Authorization Bypass (Privilege Escalation, IDOR, etc.)
- Subdomain Takeover
Remote Code Execution (RCE) Policy
Testing of vulnerabilities which allow execution of code on the application server, or of shell commands on the server itself, must be conducted in accordance with this policy.
Prohibited actions when conducting RCE attempts:
- Altering or uploading files on the web server. (Where file-upload functionality exists, uploading webshells is prohibited; instead upload code that only echoes a string or prints version/variable information, e.g. an echo or info-style call.)
- Altering file permissions
- Reading sensitive files on the system (e.g. /etc/shadow) and/or snooping through the file/folder structure (the same applies to XXE, LFI and Path Traversal, or any other vulnerability which allows you to read the underlying file/folder structure)
- Altering/Modifying/Deleting any files on the system.
- Copying any files from the system and disclosing them to a non-Zalando site or entity
- Interacting with underlying OS-level data and/or databases.
- Interacting with other services running at the OS level and/or any remote hosts residing on the network.
- Interrupting the normal operation of the server.
- Establishing any kind of persistent connection mechanism (netcat listener, SSH reverse tunnel, etc.)
Allowed actions when conducting RCE attempts - Unix:
- Executing 'ifconfig', 'hostname', 'whoami', 'uptime', 'top' or similar metrics commands
- Reading the content of the '/etc/passwd' file
- Using 'echo' to write a few characters into a new file under '/tmp/', reading the file back, and removing it immediately after confirmation.
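A policy-compliant proof of concept for the Unix case, as an added shell example that is not part of Zalando's program text: it creates a fresh file under /tmp, echoes a random marker into it, reads it back, deletes it, and only then runs the allowed identification commands. The file name, marker format and helper names are this example's own choices, and the path check is an extra guard so the PoC cannot touch an existing file even by mistake.

```shell
# Added example, not Zalando's own tooling: a policy-compliant proof of
# concept for a confirmed Unix RCE. It does only what the allowed-actions
# list permits: creates a NEW file under /tmp, echoes a random marker into
# it, reads it back, removes it straight away, and runs harmless
# identification commands. File name and marker format are arbitrary
# choices for this example.

# Refuse any path outside /tmp (and any traversal back out of it), so the
# PoC cannot touch existing or sensitive files even by mistake.
poc_path_allowed() {
    case "$1" in
        /tmp/*) ;;                # must be directly under /tmp
        *) return 1 ;;
    esac
    case "$1" in
        */../*|*/..) return 1 ;;  # no "/tmp/../etc/passwd" tricks
    esac
    return 0
}

# Write marker, read back, delete; return 0 only if every step checked out.
# Prints a one-line report suitable for pasting into the bug report.
poc_rce_unix() {
    # Random marker: a match proves the command ran, not that the app
    # merely reflected our input back to us.
    marker="zalando-poc-$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"
    # mktemp guarantees a fresh file, so nothing pre-existing is altered.
    f="$(mktemp /tmp/poc.XXXXXX)" || return 2
    poc_path_allowed "$f" || { rm -f "$f"; return 2; }
    # Clean up even if a later step fails (no files left behind).
    trap 'rm -f "$f"' EXIT
    echo "$marker" > "$f"
    readback="$(cat "$f")"
    rm -f "$f"
    trap - EXIT
    [ ! -e "$f" ] || return 3               # file must really be gone
    [ "$readback" = "$marker" ] || return 1 # content must match exactly
    # Allowed, non-sensitive identification commands (POSIX equivalents of
    # hostname/whoami so the example also runs on minimal systems).
    printf 'RCE confirmed: host=%s user=%s marker=%s\n' \
        "$(uname -n)" "$(id -un)" "$marker"
    return 0
}
```

Run locally first to check the behaviour; against a real target, the body of `poc_rce_unix` is what you would inject, one step at a time. Keep the printed line (host, user, marker) as the evidence in the report rather than any file contents.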
Allowed actions when conducting RCE attempts - Windows:
- Executing 'ipconfig', 'hostname', 'whoami' or similar metrics commands
- Reading the content of 'drive:/boot.ini', 'drive:/install.ini' or 'drive:/Windows/System32/drivers/etc/networks' (where drive: is the system drive)
- Using 'echo' to write a few characters into a new file under drive:/temp, reading the file back with 'type', and removing it immediately after confirmation.
SQL Injection (SQLi) Policy
Testing of vulnerabilities which allow injection of attacker-controlled parts of an SQL query must be conducted in accordance with this policy.
Prohibited actions when conducting SQLi attempts:
- Reading sensitive files on the system (e.g. /etc/shadow) and/or snooping through the file/folder structure (e.g. via LOAD_FILE())
- Reading specific sensitive database records
- Creating/Altering/Modifying/Deleting any files/records on the system/database. This includes the use of INTO OUTFILE.
- Command execution (e.g. xp_cmdshell, uploading a .so library, or any other action that leads to command execution)
- Creating/Deleting Users
- Reading/Altering Username and Password information (includes password hashes)
- Interrupting the normal operation of the server and the database.
Allowed actions when conducting SQLi attempts:
- Executing informational SELECT queries such as SELECT @@version, SELECT user(), SELECT system_user(), SELECT database(), SELECT @@hostname
- Listing database, table and column names from the information schema
- Executing mathematical, conversion or logical queries, such as:
  - ASCII value -> char: SELECT char(65); # returns A
  - Char -> ASCII value: SELECT ascii('A'); # returns 65
  - String concatenation: SELECT CONCAT('A','B','C'); # returns ABC
  - CASE statement: SELECT CASE WHEN (1=1) THEN 'A' ELSE 'B' END; # returns A
  - Hex literal: SELECT 0x414243; # returns ABC
  - Time delay: SELECT BENCHMARK(1000000,MD5('A')); SELECT SLEEP(5);
- Using boolean logic and time delays to infer results from server responses (blind injection)
- Using query output that the application returns in its responses
File-Upload Policy
Vulnerabilities which allow upload of files through any means (e.g. the PUT HTTP method, a file-upload functionality/module, etc.) are subject to these rules.
Prohibited actions when conducting file-upload attempts:
- Altering/Modifying/Deleting/Replacing any files on the system (e.g. defacement)
- Uploading files into the account of a user that you do not own and are not authorized to act for (this does not apply to system or web-server users such as www-data)
- Uploading files which deliberately introduce additional exploitation vectors (e.g. an HTML file containing a cross-site scripting payload)
- Uploading files which can cause Denial of Service (e.g. over-sized files or an unlimited number of files, resulting in running out of disk quota)
Allowed actions when conducting file-upload attempts:
- Chained exploitation that escapes the upload folder (e.g. via path traversal or path manipulation), provided it does not violate the prohibited actions of this File-Upload Policy.
- Uploading a file (of any extension) that is empty or contains only a simple string, an integer or a single special character.
Feedback
If you would like to help us improve our program or have feedback to share, please send your anonymous feedback here:
Program feedback link
Please note that this form is checked only periodically and should not be used for vulnerability submissions or support queries.