Invision Power Services, Inc.

target_in_scope

asset_identifier asset_type availability requirement confidentiality requirement eligible for bounty eligible for submission integrity requirement max_severity
https://d18papeh5u7ohm.cloudfront.net URL low none medium high
We are in the alpha testing phase of the latest release of our community platform, Invision Community 4.5, and are launching this campaign for penetration and vulnerability testing. Please focus your testing on the following:

- The AdminCP area of the software. This version removes session IDs from URLs and instead uses cookie- and database-based session management. Every actionable link in the AdminCP should be protected by a CSRF token. In scope is any bypass of that CSRF protection that could allow an unsuspecting administrator to follow a destructive link.

- Platform and infrastructure security. It should not be possible to execute arbitrary code that accesses the infrastructure or permits "breaking out" of the test environment, which is housed in /var/www/html. Please alert us if you find a way to circumvent these protections.

- GraphQL. This version includes a GraphQL API, accessible to guests (via HTTP Basic authentication with an API key) and to members (via an OAuth2 authorization-code flow). It should not be possible to access any data or system settings that the authenticated user (or guest) cannot normally access, or to perform any mutation or action for which the authenticated user (or guest) does not normally have permission. In addition, GraphQL requests should not be able to impact the integrity or stability of the site in general. GraphQL requests are only accepted at the https://d18papeh5u7ohm.cloudfront.net/api/graphql/ endpoint. An API key has been set up to access the site as a guest user: 21b746f7d5411ddc112636e8df6eb59f

You may use only https://d18papeh5u7ohm.cloudfront.net for the purpose of your testing. Admin username: admin Password: password123

All other URLs are considered out of scope.
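The GraphQL requirement above is an authorization property: the same query, sent as a guest and as a member, must never return data or perform a mutation that the caller could not reach through the normal UI. One way to test it systematically is a differential probe that runs a fixed set of queries under each role and flags any role that succeeds where it should be denied. The script below is an added example, not Invision's code. It assumes that guest requests carry the API key as the HTTP Basic username with an empty password, that member requests carry an OAuth2 bearer token obtained out of band, and that the probe queries (`forum(id: 7)`, `settings`, `deleteTopic`) are placeholders, not the real schema; the `fake_server` transport is a constructed stand-in so the example runs offline.

```python
"""Differential authorization probe for a GraphQL endpoint (added example).

Assumptions (not taken from the program page):
  - guest auth: HTTP Basic, API key as username, empty password
  - member auth: OAuth2 bearer access token obtained out of band
  - the probe queries below are illustrative placeholders, not the real schema
"""
import base64
import json
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

ENDPOINT = "https://d18papeh5u7ohm.cloudfront.net/api/graphql/"

# A transport takes (url, headers, json body bytes) and returns the parsed response.
Transport = Callable[[str, Dict[str, str], bytes], dict]


def http_transport(url: str, headers: Dict[str, str], body: bytes) -> dict:
    """Real transport: POST the GraphQL document to the endpoint."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def guest_headers(api_key: str) -> Dict[str, str]:
    """Guest role: Basic auth with the API key as username, empty password (assumption)."""
    token = base64.b64encode(f"{api_key}:".encode()).decode()
    return {"Authorization": f"Basic {token}", "Content-Type": "application/json"}


def member_headers(access_token: str) -> Dict[str, str]:
    """Member role: bearer token from the OAuth2 authorization-code flow (assumption)."""
    return {"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"}


def run(transport: Transport, headers: Dict[str, str], query: str,
        variables: Optional[dict] = None) -> dict:
    body = json.dumps({"query": query, "variables": variables or {}}).encode()
    return transport(ENDPOINT, headers, body)


def succeeded(result: dict, path: str) -> bool:
    """True when the response has no errors and non-null data at dotted `path`."""
    if result.get("errors"):
        return False
    node = result.get("data")
    for key in path.split("."):
        if not isinstance(node, dict) or node.get(key) is None:
            return False
        node = node[key]
    return True


# (name, query, data path that indicates success, roles allowed to succeed)
# Hypothetical fields: adapt to the real schema via introspection before use.
PROBES: List[Tuple[str, str, str, set]] = [
    ("private_forum_topics", "query { forum(id: 7) { topics { title } } }",
     "forum.topics", {"member"}),
    ("site_settings", "query { settings { siteName } }", "settings", set()),
    ("delete_topic", "mutation { deleteTopic(id: 42) { id } }", "deleteTopic", set()),
]


def audit(transport: Transport, roles: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (probe, role) pairs where a role succeeded without being allowed to."""
    findings = []
    for name, query, path, allowed in PROBES:
        for role, headers in roles.items():
            if succeeded(run(transport, headers, query), path) and role not in allowed:
                findings.append((name, role))
    return findings


def fake_server(url: str, headers: Dict[str, str], body: bytes) -> dict:
    """Constructed offline stand-in with one deliberate bug: forum 7 skips the role check."""
    query = json.loads(body)["query"]
    denied = {"errors": [{"message": "NO_PERMISSION"}], "data": None}
    if "forum(id: 7)" in query:
        return {"data": {"forum": {"topics": [{"title": "staff only"}]}}}  # bug
    if "settings" in query or "deleteTopic" in query:
        return denied
    return {"data": None}


if __name__ == "__main__":
    roles = {"guest": guest_headers("example-key"), "member": member_headers("example-token")}
    for probe, role in audit(fake_server, roles):
        print(f"FINDING: {role} can reach {probe}")
```

Against the real site, swap `fake_server` for `http_transport`, pass the guest API key from this page to `guest_headers`, and build `PROBES` from the actual schema (a `__schema` introspection query is a good first request). The `allowed` set for each probe is the oracle: fill it in from what each role can reach through the normal web UI, not from what the API returns.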

target_out_of_scope

asset_identifier asset_type availability requirement confidentiality requirement eligible for bounty eligible for submission integrity requirement max_severity