Ping Identity

target_in_scope

| asset_identifier | asset_type | availability requirement | confidentiality requirement | eligible for bounty | eligible for submission | integrity requirement | max_severity |
|---|---|---|---|---|---|---|---|
| https://api-staging.pingone.com/* | URL | high | high | | | high | critical |
| https://apps-staging.pingone.com/* | URL | high | high | | | high | critical |
| https://console-staging.pingone.com/* | URL | high | high | | | high | critical |
| https://ort-admin.pingone.com/* | URL | low | high | | | high | critical |
| https://ort-authenticator.pingone.com/* | URL | none | medium | | | low | high |
| https://ort-desktop.pingone.com/* | URL | none | medium | | | low | high |

**Asset:** https://api-staging.pingone.com/*

* **What it is:**
  * REST API for configuring and managing your PingOne For Customers organization
* **Specific things to look for:**
  * Privilege escalation (role descriptions)
  * Data exfiltration
  * Mass assignment vulnerabilities
* **Test Plan:**
  * Spider the API endpoints
  * Fuzz input values
  * Probe authorization and permissions
  * Examine any service-to-service interactions for potential CSRF/SSRF

Please note that this documentation points to **PROD**, which is out of scope for this engagement. To access the ORT environment, append -staging to the URLs, like the console link above.

**Asset:** https://apps-staging.pingone.com/*

* **What it is:**
  * CloudFront distribution for the PingOne for Customers login/authentication flow orchestration and self-service account/profile management user interfaces
* **What it does:**
  * Provides a user interface for administrators to configure authentication flows and assign different authentication policies
  * Provides an interface for end users to manage their account profiles and settings
* **Specific things to look for:**
  * Test UI for XSS
  * CSRF/SSRF
  * User impersonation
  * Privilege escalation
  * Session management (logout, account takeover, or impersonation issues)
  * Access control misconfigurations
  * Data exfiltration
  * Spider the site
  * Authentication or authorization issues
* **Test Plan:**
  * To access apps-staging.pingone.com:
    * Log in to console-staging.pingone.com/?env={YOUR_ENVIRONMENT_ID_HERE}
    * Click on the user icon in the top right corner
    * Navigate to one of the My Account pages in the dropdown menu (Profile, Authentication, or Change Password); the user will then be taken to the apps-staging.pingone.com endpoint.

**Asset:** https://console-staging.pingone.com/*

* **What it is:**
  * Administrative console to the PingOne For Customers platform that manages user access, authentication types, and connected applications.
* **Here's how to add an application to your PingOne For Customers environment:** https://youtu.be/TBA5VTfnsSE
* **Sample client-side app (please note that the content of the GitHub repository is out of scope):** https://github.com/pingidentity/pingone-customers-sample-oidc
* **What it does:**
  * Allows administrators to configure authentication workflows and assign different authentication policies (SAML, OAuth2, and OpenID Connect are supported) to each of your applications.
  * Supports Single Sign-On (SSO) and Multi-Factor Authentication (MFA) across all connected applications.
  * Offers robust user-management capabilities.
* **Specific things to look for:**
  * XSS
  * CSRF/SSRF
  * Compromise of the user token that is kept in session storage
  * Event passing to and from the iframe that hosts the app that bundles and renders the main page content.
* **Test Plan:**
  * Spider the site
  * Test UI for XSS
  * Check for client-side controls
  * Check for authentication or authorization issues
  * Check session management for:
    * Logout, account takeover, or impersonation issues
* **You will be emailed a test account with a one-time-use password. Your login sign-on URL will include your environment ID, e.g. https://console-staging.pingone.com/?env=ENV_ID.**

**Asset:** https://ort-admin.pingone.com/*

* **What it is:**
  * Administrative web portal for PingOne For Enterprise (P14E)
* **What it does:**
  * Allows P14E administrators to manage all aspects of their enterprise user accounts
* **Specific things to look for:**
  * Privilege escalation ([role descriptions](https://documentation.pingidentity.com/pingone/employeeSsoAdminGuide/index.shtml#changeAdminRoles.html))
  * XSS
  * SSRF
* **Test Plan:**
  * [Typical web app test plan](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Web_Service_Security_Cheat_Sheet.md)

**Asset:** https://ort-authenticator.pingone.com/*

* **What it is:**
  * Multi-factor authentication (MFA) authenticator service
  * MFA is configured via PingOne Desktop > Devices > My Device > Add.
  * Ping Authenticator is used for multi-factor authentication (MFA)
  * The authenticator is a service which provides multi-factor authentication via the PingID mobile applications available in the iTunes and Android app stores, YubiKey Series 4, PingID Desktop apps for OS X and Windows, or email.
  * The authenticator service is a back-end hosted service.
  * The client MFA applications are not in scope, but the protocol data and the authenticator service are; this includes requests and responses.
* **What it does:**
  * Employs MFA (typically [PingID](https://www.pingidentity.com/en/cloud/pingid.html)) to authenticate users and then pass control back to PingOne for Enterprise
* **Specific things to look for:**
  * Ways to break the authentication flow between the authenticator and other services
  * MITM and replay attacks
* **Test Plan:**
  * Try to manually forge or alter JSON Web Tokens (JWT)
  * MFA bypass

**Asset:** https://ort-desktop.pingone.com/*

* **What it is:**
  * Central hub of PingOne For Enterprise, a cloud-based dock that provides users with secure SSO access to an expansive library of applications
* **What it does:**
  * Provides many pre-existing integrations with popular SaaS applications
  * Leverages SAML, OIDC and other secure identity standards to integrate with any other cloud-based applications
  * Provides the option of storing user identity data in PingOne's cloud directory
* **Specific things to look for:**
  * User impersonation
  * Privilege escalation ([role descriptions](https://documentation.pingidentity.com/pingone/employeeSsoAdminGuide/index.shtml#changeAdminRoles.html))
  * Session management
* **Test Plan:**
  * [Typical web app test plan](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Web_Service_Security_Cheat_Sheet.md)

target_out_of_scope

| asset_identifier | asset_type | availability requirement | confidentiality requirement | eligible for bounty | eligible for submission | integrity requirement | max_severity |
|---|---|---|---|---|---|---|---|
| https://*.pingidentity.com | URL | | | | | | none |
| https://*.pingidentity.io | URL | | | | | | none |
| https://*.pingidentity.net | URL | | | | | | none |
| https://admin.pingone.com | URL | | | | | | none |
| https://api.pingone.com | URL | | | | | | none |
| https://authenticator.pingone.com | URL | | | | | | none |
| https://console.pingone.com | URL | | | | | | none |
| https://desktop.pingone.com | URL | none | none | | | none | none |
| https://developer.pingidentity.com/* | URL | none | low | | | low | none |
| https://test-desktop.pingone.com | URL | none | none | | | none | none |
| https://test-sso.connect.pingidentity.com | URL | none | none | | | none | none |
| https://uploads-staging.pingone.com | URL | | | | | | none |
| https://uploads.pingone.com | URL | | | | | | none |