I have built a website to publish blogs. You can find it over at https://hackxpert.com/pentest/ and I want to iron out the security flaws before we go live. The functionality is as follows:
- Access control to who can edit, delete and create posts
- Ability to create a post
- Ability to delete a post
- Ability to edit a post
- Only admin can view and create users
- No editing of users is included - out of scope
- Posts can belong to categories
- The domain you will be assigned after emailing this document
Out of scope
- Port scanning
- Brute forcing
The following users are available but feel free to create more:
- Can do everything
- Can only edit
- Can only delete
I want you to report on any and all flaws you find, no matter how small they might be. Thank you for taking on this assignment.
The ethical hacker: Please do mail this contract of engagement, the signed NDA and a test plan to firstname.lastname@example.org.
The requester: Within 48 hours of receiving the signed and in order documents, the requester will send out the unique environment information to the participant.
After the test is over the participant will provide:
- A test report to which they will get feedback
- A debriefing voice/video message
The requesting party will provide feedback on any step of the process if required.
This constitutes a contract of engagement.
Signed:_________________________________ Name: _________________________________ Title: __________________________________ Date: ________________ RECIPIENT (The XSS Rat) Signed:_________________________________ Name: The XSS Rat (Wesley Thijs) Title: President / Security Engineer Date: ________________