Information

I have built a website to publish blogs. You can find it over at https://hackxpert.com/pentest/ and I want to iron out the security flaws before we go live. The functionality is as follows:

• Access control to who can edit, delete and create posts

• Ability to create a post

• Ability to delete a post

• Ability to edit a post

• Only admin can view and create users

• No editing of users is included - out of scope

• Posts can belong to categories

In scope

• The domain you will be assigned after emailing this document

Out of scope

• OSINT

• Port scanning

• Brute forcing

Credentials

The following users are available but feel free to create more:

• admin/test
  • Can do everything

• editor/test
  • Can only edit

• moderator/test
  • Can only delete

I want you to report on any and all flaws you find, no matter how small they might be. Thank you for taking on this assignment.

Deliverables

The ethical hacker: Please do mail this contract of engagement, the signed NDA and a test plan to info@thexssrat.com.

The requester: Within 48 hours of receiving the signed and in order documents, the requester will send out the unique environment information to the participant.

After the test is over the participant will provide:

• A test report to which they will get feedback

• A debriefing voice/video message

The requesting party will provide feedback on any step of the process if required.

This constitutes a contract of engagement.

Signed:_________________________________ Name: _________________________________ Title: __________________________________ Date: ________________ RECIPIENT (The XSS Rat) Signed:_________________________________ Name: The XSS Rat (Wesley Thijs) Title: President / Security Engineer Date: ________________