17/10/2018
Dreamland

The family and seasonal store has a spacious and diverse offer: from (outdoor) toys, multimedia and gifts, through school supplies and sports accessories, to children's bedrooms and decorative material. Dreamland inspires children from 0 to 14 years old and their parents, family and friends, and encourages them to play together.

To make it even easier for online customers, Dreamland integrated its new webshop into its website in the fall of 2016. That makes online shopping even easier, improves online search results and brings more visitors to the site.

IMPORTANT:

The websites Beenhouwerij, Dreamland, Dreambaby and Collishop partially share the same codebase, so they can contain common issues. If a specific issue has already been found in another one of these websites, it will be treated as a duplicate for this one.

We're interested in hearing about any issue that potentially compromises our company's or its users' security. Before submitting a vulnerability, make sure to check that it's not listed in our out-of-scope policy (which you can find below). If you have additional questions about our program, feel free to contact us through Intigriti's support by using the button on the right-hand side (Ask scope question).

Out of Scope

Application

  • Self-XSS that cannot be used to exploit other users

  • Verbose messages/files/directory listings without disclosing any sensitive information

  • CORS misconfiguration on non sensitive endpoints

  • Missing cookie flags on non sensitive cookies

  • Missing security headers which do not present an immediate security vulnerability

  • Cross-site Request Forgery with no or low impact

  • Presence of autocomplete attribute on web forms.

  • Reverse tabnabbing

  • Bypassing rate-limits or the non-existence of rate-limits.

  • Best practices violations (password complexity, expiration, re-use, etc.)

  • Clickjacking on pages without sensitive actions

  • CSV Injection

  • Host Header Injection

  • Sessions not being invalidated (logout, enabling 2FA, ..)

  • Hyperlink injection/takeovers

  • Mixed content type issues

  • Cross-domain referer leakage

  • Anything related to email spoofing, SPF, DMARC or DKIM

  • Content injection

  • Username / email enumeration

  • E-mail bombing

  • HTTP Request smuggling without any proven impact

  • Homograph attacks

  • XMLRPC enabled

  • Banner grabbing / version disclosure

  • Open ports without an accompanying proof-of-concept demonstrating vulnerability

  • Weak SSL configurations and SSL/TLS scan reports

  • Not stripping metadata of images

  • Disclosing API keys without proven impact

General

  • In case that a reported vulnerability was already known to the company from their own tests, it will be flagged as a duplicate.

  • Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end-user interactions to be exploited, may be excluded or lowered in severity.

  • Spam, social engineering and physical intrusion

  • DoS/DDoS attacks or brute force attacks.

  • Vulnerabilities that are limited to non-current browsers (older than 3 versions) will not be accepted

  • Attacks requiring the usage of shared computers, man in the middle or compromised user accounts

  • Recently disclosed zero-day vulnerabilities in commercial products where no patch or a recent patch (< 2 weeks) is available. We need time to patch our systems just like everyone else - please give us 2 weeks before reporting these types of issues.

  • Attacks requiring unrealistic user interaction

All our rewards are impact based, therefore we kindly ask you to carefully evaluate a vulnerability's impact when picking a severity rating. To give you an idea of what kind of bugs belong in a certain severity rating we've put some examples below. Note that depending on the impact a bug can sometimes be given a higher/lower severity rating.

Exceptional

  • Remote Code Execution

Critical

  • Access to all customer personal details

  • SQL injection

High

  • Stored XSS without user interaction

  • Privilege escalation

  • Authentication bypass on critical infrastructure

Medium

  • XSS that requires user interaction

Low

  • CSRF

  • Open redirect

  • DKIM, DMARC, SPF issues

Guidelines

  • Provide detailed but to-the-point reproduction steps.

  • Include a clear attack scenario; a step-by-step guide in the PoC is highly appreciated.

  • Abide by the "Colruyt Policy for investigation of security problems" set of rules.

  • Please do NOT discuss bugs before they are fixed (including PoCs on YouTube and Vimeo).

In Scope

Scope Type: web_application
Scope Name: www.dreamland.be



FireBounty crawled the program Dreamland on the platform Intigriti on 2018-10-17.

FireBounty © 2015-2020
