12/12/2019

Mastercard (VDP Extension)

This is an extension of the greater Mastercard Vulnerability Disclosure Program; you can view that program here.

Program Information:

This program consists of both MasterCard Digital Experience Platform (DXP) and Mastercard Receipt Management.

Mastercard Digital Experience Platform (DXP) is a componentized approach to building front-end applications for multiple channels using industry-standard technologies. DXP provides both a development framework and a library of ready-to-use, customizable components for web and mobile. It has its own CLI for web and mobile development, and a separate CLI for services development.

At Mastercard, we consider the security of our systems to be a top priority. That said, we recognize that no matter how much effort we put into security, there might still be vulnerabilities present. If you discover a vulnerability, we would like to know about it so that we can take steps to address it as quickly as possible.

Program Rules:

  • Observe strict adherence to the program scope.
  • Test ONLY against your own accounts – testing must not disrupt or compromise any data or data access that is not yours. Furthermore, never run tests against users or accounts that are not yours.
  • Confidentiality: Privacy of information is very important, please do not share any program information or vulnerability information outside of this program.
  • Exploitation: Do NOT exploit discovered security issues. ALL vulnerability reports should include a Proof of Concept.
  • Scanners: Automated scanners/tools are strictly prohibited (not allowed).
  • Program Scope: Make all reasonable efforts to adhere to the defined scope of the program. Refer to the Out of Scope section for more information; Out-of-Scope submissions will not be rewarded.
  • Disclosure: Private and public disclosure of any vulnerabilities is strictly prohibited (not allowed).
  • Social Engineering: Non-technical attacks such as social engineering, phishing or unauthorized access to infrastructure are not allowed.
  • If you inadvertently cause a privacy violation or disruption (such as accessing account data, service configurations, or other confidential information) while investigating an issue, please be sure to disclose this in your report.
  • Production Environment: Never perform any attack that could harm Mastercard services (E.g.: DDoS/Spam). If a researcher is found violating any of these guidelines, they will be banned from the Mastercard program.
  • By submitting the vulnerability, you affirm that you have not disclosed - and agree that you will not disclose - your finding (or the existence of your submission) other than via the MasterCard Bug Bounty Process.

Rewards/Ratings:

This program adheres to the Bugcrowd Vulnerability Rating Taxonomy (VRT) for the prioritization/rating of findings. Rewards will be facilitated through Payoneer ONLY (set up your payment method accordingly).

This program only awards points for VRT-based submissions.

Targets

In scope

Target name | Type
---|---
<https://stage.services.mastercard.com/dxp/send/email> | API
<https://stage.services.mastercard.com/dxp/form/submit> | API
<https://stage.services.mastercard.com/dxp/twitter/timeline?screenName=MastercardUK> | API
<https://stage.services.mastercard.com/dxp/twitter/hashtag?hashtag=Priceless> | API
<https://stage.services.mastercard.com/dxp/search/dm-mccom> | API
<https://stage.services.mastercard.com/dxp/suggest/dm-mccom> | API
<https://stage.services.mastercard.com/dxp/captcha/generate> | API
<https://stage.services.mastercard.com/dxp/offers/getofferdetails/8e6a1d47-0489-4cd6-9263-b349b30b91fc> | API
<https://stage.services.mastercard.com/dxp/offers/getofferdetails/774cc452-1f91-49d9-8a95-5c896ee70b63> | API
<https://stage.services.mastercard.com/dm/ugc/user/reply> | API
<https://stage.services.mastercard.com/dm/ugc/user/comment/dislike> | API
<https://stage.services.mastercard.com/dm/ugc/user/comment/like> | API
<https://stage.services.mastercard.com/dm/ugc/user/reply/like> | API
<https://stage.services.mastercard.com/dm/ugc/user/reply/dislike> | API
<https://stage.services.mastercard.com/dm/ugc/user/feedback?> | API
<https://stage.services.mastercard.com/dm/ugc/user/feedback> | API
<https://stage.services.mastercard.com/dm/ugc/user/comment> | API
<https://stage.services.mastercard.com/dm/ugc/moderator/comment> | API
<https://stage.services.mastercard.com/dm/ugc/moderator/comment/pending> | API
Mastercard Receipt Management iOS Application | iOS
Mastercard Receipt Management Android Application | Android

Testing is only authorized on the targets listed as In-Scope. Any domain/property of Mastercard not listed in the targets section is out of scope. This includes any/all subdomains not listed above. If you believe you've identified a vulnerability on a system outside the scope, please reach out to support@bugcrowd.com before submitting.
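The scope rule above is strict: only the listed host and the listed endpoints are authorized, and unlisted subdomains are explicitly out of scope. The following is an added example (not part of the program page or of any Mastercard/Bugcrowd tooling) of a small pre-flight scope filter a researcher can run over a candidate request list before pointing a proxy at the target. It copies the in-scope host and paths from the target table, canonicalizes each URL (lower-cased host, port and userinfo stripped, percent-decoding, dot-segment resolution) and then requires an exact host match and an exactly listed path. Two readings are assumptions made here, not statements from the page: query strings are ignored (the Twitter endpoints are listed with sample parameters), and the two offer-details UUIDs are treated as the only authorized ones, so any other UUID is rejected as the conservative choice.

```python
from urllib.parse import urlsplit, unquote
import posixpath

# Copied from the program's target table (host + path only). Assumed here to be
# the complete authorized set; anything else is rejected.
IN_SCOPE_HOST = "stage.services.mastercard.com"
IN_SCOPE_PATHS = {
    "/dxp/send/email",
    "/dxp/form/submit",
    "/dxp/twitter/timeline",
    "/dxp/twitter/hashtag",
    "/dxp/search/dm-mccom",
    "/dxp/suggest/dm-mccom",
    "/dxp/captcha/generate",
    "/dxp/offers/getofferdetails/8e6a1d47-0489-4cd6-9263-b349b30b91fc",
    "/dxp/offers/getofferdetails/774cc452-1f91-49d9-8a95-5c896ee70b63",
    "/dm/ugc/user/reply",
    "/dm/ugc/user/comment/dislike",
    "/dm/ugc/user/comment/like",
    "/dm/ugc/user/reply/like",
    "/dm/ugc/user/reply/dislike",
    "/dm/ugc/user/feedback",
    "/dm/ugc/user/comment",
    "/dm/ugc/moderator/comment",
    "/dm/ugc/moderator/comment/pending",
}


def normalize(url):
    """Return (host, path) in canonical form, or None if the URL is unusable.

    Canonicalization matters for a scope check: the same endpoint can be
    spelled with upper-case letters, an explicit port, percent-encoding or
    ".." segments, and a naive string comparison gets all of those wrong.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return None
    host = parts.hostname  # lower-cased; port and any userinfo are dropped
    if not host:
        return None
    # Percent-decode, then collapse "." / ".." so that a path such as
    # /dxp/send/email/../../admin is judged on what it resolves to (/dxp/admin).
    path = posixpath.normpath(unquote(parts.path) or "/")
    return host, path


def in_scope(url):
    """True only for the exact in-scope host and an exactly listed path.

    The query string is deliberately ignored (assumption: the sample
    parameters in the target table are illustrative, not restrictive).
    """
    norm = normalize(url)
    if norm is None:
        return False
    host, path = norm
    # Exact host match: neither other subdomains nor look-alike hosts such as
    # stage.services.mastercard.com.example.net qualify under the scope rule.
    if host != IN_SCOPE_HOST:
        return False
    return path in IN_SCOPE_PATHS


def filter_targets(urls):
    """Split candidate URLs into (allowed, rejected) lists, preserving order."""
    allowed, rejected = [], []
    for u in urls:
        (allowed if in_scope(u) else rejected).append(u)
    return allowed, rejected


if __name__ == "__main__":
    # Constructed sample input: a mix of valid targets and traps.
    candidates = [
        "https://stage.services.mastercard.com/dxp/captcha/generate",
        "https://stage.services.mastercard.com/dxp/twitter/hashtag?hashtag=test",
        "https://services.mastercard.com/dxp/send/email",
        "https://stage.services.mastercard.com.example.net/dxp/send/email",
        "https://stage.services.mastercard.com/dxp/send/email/../../admin",
    ]
    ok, bad = filter_targets(candidates)
    print("allowed:", *ok, sep="\n  ")
    print("rejected:", *bad, sep="\n  ")
```

Run it over the URL list exported from your proxy before testing; everything in the rejected list either needs a scope clarification from the program or must not be touched. The check is intentionally an allow-list, so a new endpoint that appears during testing is rejected until it is added to `IN_SCOPE_PATHS` from the program page.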


Target Info:

Mastercard Digital Experience Platform (DXP)

In scope APIs
https://stage.services.mastercard.com

Description | Endpoint
---|---
Send email | /dxp/send/email
Salesforce submit | /dxp/form/submit
Twitter screen name | /dxp/twitter/timeline?screenName=MastercardUK
Twitter hashtag | /dxp/twitter/hashtag?hashtag=Priceless
SOLR search | /dxp/search/dm-mccom
Arithmetic captcha generate | /dxp/captcha/generate
Get offer details en-US | /dxp/offers/getofferdetails/8e6a1d47-0489-4cd6-9263-b349b30b91fc
Get offer details ar-AE | /dxp/offers/getofferdetails/774cc452-1f91-49d9-8a95-5c896ee70b63

New API Endpoints

Description | Endpoint
---|---
create comment | /dm/ugc/user/comment
create reply | /dm/ugc/user/reply
dislikeComment | /dm/ugc/user/comment/dislike
likeComment | /dm/ugc/user/comment/like
likeReply | /dm/ugc/user/reply/like
dislikeReply | /dm/ugc/user/reply/dislike
AddFeedback | /dm/ugc/user/feedback?
FetchFeedback | /dm/ugc/user/feedback
Fetch approved comments | /dm/ugc/user/comment
Fetch all comments and replies | /dm/ugc/moderator/comment
Fetch pending comments and replies | /dm/ugc/moderator/comment/pending

DXP Access:

To access the APIs you'll need to download the JSON file here.

All of the above APIs are publicly accessible. No specific credentials are required to access them.


Mastercard Receipt Management:

  • Mastercard Receipt Management - Android and iOS mobile applications
    • The Mastercard Receipt Management iOS mobile application IPA file can be downloaded directly here.
    • The Mastercard Receipt Management Android mobile application APK file can be downloaded directly here.
  • Please note the provided builds are newer than what is available on the app store, please test these builds.
  • In scope: the Mastercard Receipt Management application code (in the APK/IPA) and any data it creates and saves on the device. The main focus of the bounty program is bypassing certificate pinning, recovering sensitive data from the obfuscated code, and any other valid findings.

Mobile Application Guidelines:

  • Mastercard Receipt Management mobile application download
  • An Android device running Android 5.0 or later is required
  • Researchers can use their own MiFi/Wi-Fi network
  • It's recommended to use a real mobile device over emulators

Set up User Account:

  • To set up a user account, you need to download the Android and/or iOS application.
  • While creating the account, enter the first eight digits of the card number as 10000000
  • Enter your name
  • Set Security Questions
  • Create your profile
  • The account is then set up and ready for use

Known Issues:

  • Jailbreak / Root Detection is missing
  • Certificate pinning bypass

Focus Areas:

Eligible submissions will include vulnerabilities of the following types:

  • Breaking the encryption
  • Code obfuscation revealing any sensitive data
  • Cross Site Scripting (XSS)
  • Cross Site Request Forgery (CSRF)
  • Insecure Data Storage
  • Insecure direct object references
  • Injection Vulnerabilities
  • Authentication Vulnerabilities
  • Server-side Code Execution
  • Privilege Escalation
  • Significant Security Misconfiguration (when not caused by Researcher)
  • Any other issue which could lead to compromise or leakage of data and directly affect the confidentiality or integrity of researcher data, thereby affecting their privacy. Only security findings will be accepted. [Reference OWASP]
  • Review panel reserves the right to reject any submission at their sole discretion that does not meet the above criteria.

Eligible submissions include (but are not limited to) the following vulnerability types:

  • Cross Site Scripting (XSS)
  • Insecure direct object references
  • Injection Vulnerabilities
  • Server-side Code Execution
  • Significant Security Misconfiguration (when not caused by user)
  • Only security vulnerability findings will be accepted. Reference: OWASP & Bugcrowd VRT
  • Any other issue which could lead to compromise or leakage of data and directly affect the confidentiality or integrity of user data, thereby affecting user privacy.
  • The Mastercard review panel reserves the right to reject any submission at their sole discretion if it does not meet the above criteria.

Out of Scope:

The following testing tactics are Out-of-Scope:

  • Self-exploitation of discovered vulnerabilities.
  • Social engineering attacks.
  • Denial of Service (DoS / DDoS) attacks.
  • Pivoting, scanning, and vulnerability exploitation.
  • Exfiltration of data from MasterCard systems.

Vulnerability Exclusions

(These vulnerability types will NOT receive a bounty reward):

  • Server version disclosures.
  • Self XSS, HTTP Host Header XSS.
  • Vulnerabilities which are already known to MasterCard and the wider security community.
  • Third Party Libraries.
  • Reports from static analysis of the binary without an accompanying PoC that exploits some business logic or security control.
  • Reports that only list exported activities discovered by static analysis. The report must be a runtime exploit that abuses the exported activity.
  • Any URIs leaked because a malicious app has permission to view URIs opened.
  • Warnings or errors only verified by static analysis.
  • Missing or incorrect SPF/DMARC/DKIM records of any kind
  • PLEASE NOTE: Due to GDPR and legal requirements, all testing must be conducted using your @bugcrowdninja.com email ID only. If you fail to use your @bugcrowdninja.com email ID, you run the risk of getting blocked from accessing Mastercard applications.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

Learn more about Bugcrowd’s VRT.


FireBounty crawled the program Mastercard (VDP Extension) on the Bugcrowd platform on 2019-12-12.

FireBounty © 2015-2020
