Tech Stack - REDACTED

• Aquisition by REDACTED
• Framework & Language - Cowboy webserver, Erlang, rails. Cookies signed using rails.
• User levels
  • Stock analyst
  • Admin
  • View only
  • Support
• 3rd party components, Examples:
  • Billing libraries (rubygem, npm, jar, etc.)
  • JavaScript widgets - (marketing tracking, sales chat widget)
  • Reliant upon other applications - such as receiving webhook events

Brainstorming / Risks - REDACTED

Lots of IDs referenced in variables. Try type confusion with objects, requesting with user_id cookie set to target user, mass assignment with duplicate params in body and url

• Cookie signed using rails (signed_user_id) but can be removed. Research attacks on rails cookie signing
  • [ ] Attack cookie
  • [ ] Research cookie
• Try mass assignement/ param pollution on user endpoint patch - returns all user objects, try to include in request object too?
  • [ ] Try assigning other objects such as ID, created at, attempts etc in request
• IDOR testing - IDs used everywhere
  • [ ] Standard IDOR testing
  • [ ] include ID in post body too
  • [ ] Secondary context esque bugs
• Trigger an exercise window
• Add secondary email functionality
  • [ ] Try CSRF
  • [ ] Try mass assignment - multiple IDs, object of IDs
• Password reset functionality
  • Password reset causes logout, and a redirect with a url= parameter in the url
  • [ ] Try CSRF
  • [ ] Try mass assignment - multiple IDs, object of IDs
• Export/import account functionality
  • Error caused a 500 when importing a HTML file
  • [x] Test functionality to see what is imported / exported across
  • [x] Use it as a vector to attack other users?
• About you about page and file upload
  • [ ] Find where this is reflected to other REDACTED users
  • [ ] Upload profile picture, file upload tests
• Bank payment info
  • [ ] Find where this is reflected to other REDACTED users
  • [ ] HTMLI/XSS
• Main /api/data/actor/user/users/ path accepts both JSON and multipart form. Multipart form for file uploads on profile picture and about, all other use for endpoints is json
  • [ ] CSRF testing, change content types
  • [ ] Mass assignment testing on PUT /api/data/actor/6.json - send to organizer sample request
  • [ ] Privilege escalation on args
• All url/open redirect, try relapse (tool from sam curry pod talk) to generate url wordlist for open redirect
  • [ ] Generate wordlist
  • [ ] Test all for open redirect