Grabtaxi Holdings Pte Ltd

target_in_scope

The eligible-for-bounty and eligible-for-submission columns carry no values in this listing and are omitted below; where a row gives no requirement values, that cell is left empty.

| Asset identifier | Name | Asset type | Availability / Confidentiality / Integrity requirement | Max severity |
|---|---|---|---|---|
| `*.grab.co` | | URL | low / low / low | medium |
| `*.grab.com` | | URL | | critical |
| `*.grabtaxi.com` | | URL | low / low / low | medium |
| `*.myteksi.com` | | URL | none / high / high | critical |
| `*.myteksi.net` | | URL | | critical |
| `1257641454` | Grab Driver | APPLE_STORE_APP_ID | | critical |
| `1353289014` | GrabFood iOS | APPLE_STORE_APP_ID | | critical |
| `1354806922` | GrabCycle | APPLE_STORE_APP_ID | | critical |
| `1360970802` | GrabFood Driver | APPLE_STORE_APP_ID | | critical |
| `647268330` | Grab (iOS) | APPLE_STORE_APP_ID | high / high / high | critical |
| `com.grab.food.dax` | GrabFood Driver | GOOGLE_PLAY_APP_ID | | critical |
| `com.grab.food.pax` | GrabFood | GOOGLE_PLAY_APP_ID | | critical |
| `com.grabtaxi.cycle.adr` | GrabCycle | GOOGLE_PLAY_APP_ID | | critical |
| `com.grabtaxi.driver2` | Grab Driver | GOOGLE_PLAY_APP_ID | | critical |
| `com.grabtaxi.passenger` | Grab (Android) | GOOGLE_PLAY_APP_ID | | critical |
| `drive.grab.co` | | URL | | critical |
| `drivegrab.com` | | URL | | critical |
| `gamma.grab.co` | | URL | | critical |
| `grab.careers` | | URL | low / low / low | medium |
| `graballstars.com` | | URL | | critical |
| `hub.grab.com` | | URL | high / medium / high | critical |
| `manage.grab.co` | | URL | | critical |
| `p.grabtaxi.com` | | URL | high / high / high | critical |
| `*.grabpay.com` | | URL | high (the source gives a single value without identifying the requirement) | critical |
| `1343620481` | GrabPay Merchant | APPLE_STORE_APP_ID | none / low / low | medium |
| `api.grabpay.com` | | URL | high / high / high | critical |
| `com.grabpay.merchant` | GrabPay Merchant | GOOGLE_PLAY_APP_ID | low / low / low | medium |
| `mos.grabpay.com` | | URL | none / low / low | medium |
| `xtramile.grabpay.com` | | URL | low / none / high | critical |
| `jira.grab.com` | | URL | high / high / high | critical |
| `wiki.grab.com` | | URL | high / high / high | critical |
| `com.grab.merchant` | | GOOGLE_PLAY_APP_ID | medium / medium / medium | critical |

**hub.grab.com**

**What it does:** This website allows Grab passengers to log in, view their past trips and change their payment information. It also allows our business customers to set up and manage their Grab for Work group. **What to look for:** For this service, all web vulnerabilities are a concern, as is any bug that could result in disclosure of arbitrary Grab passenger information. This relatively small app houses important functionality, such as the ability to view/download trip history, modify payment details and allow Grab for Work **What it runs on:** Ruby on Rails and React

**p.grabtaxi.com**

**What it does:** The Grab iOS and Android apps communicate with this service while you use Grab. This endpoint acts as an API gateway proxy to all of our services, and it exposes the largest attack surface of any service here at Grab. **What to look for:** Much like our external API, `p.grabtaxi.com` is a RESTful API served over certificate-pinned HTTPS requests. The best way to hunt for bugs here is to use your own auth token via the `X-mts-ssid` header and look for authorization and access control issues, user enumeration, business logic flaws, etc. Please keep in mind that you should only ever perform this testing against accounts you own; failure to do so could result in a ban from the program, which nobody wants! **What it runs on:** Golang

**api.grabpay.com**

**What it does:** The Grab iOS and Android apps communicate with this service while you use Grab, specifically for newer payment features. This endpoint acts as an API gateway proxy to all of our services, and it exposes the largest attack surface of any service here at GrabPay. **What to look for:** Much like our external API, `api.grabpay.com` is a RESTful API served over HTTPS requests. The best way to hunt for bugs here is to use your own auth token via the `X-mts-ssid` header and look for authorization and access control issues, business logic flaws, etc. Please keep in mind that you should only ever perform this testing against accounts you own; accessing any data not owned by you can result in disqualification. **What it runs on:** Golang / Java

target_out_of_scope

| Asset identifier | Asset type | Availability / Confidentiality / Integrity requirement | Max severity |
|---|---|---|---|
| `jira.grab.com` | URL | | none |
| `parcel.grab.com` | URL | | none |
| `wiki.grab.com` | URL | | none |
| `kios.grab.com` | URL | none / none / none | none |