22/10/2019
Reward types: Thanks, Gift, Hall of Fame, Reward

Reward: 125 $

Ping Identity

Ping Identity looks forward to working with the security community to find and solve vulnerabilities.

Thank you for helping us keep our business and customers safe.

[Getting Access (Test Credentials)](https://docs.google.com/forms/d/1_vDG94czMJQKXBLX8rwVuVazByTqWOtaFjNNUNsdwYA)

Please [fill out the form](https://docs.google.com/forms/d/1_vDG94czMJQKXBLX8rwVuVazByTqWOtaFjNNUNsdwYA) to receive test credentials for our ort-admin.pingone.com and **console-staging.pingone.com** environments.

Response times

Ping Identity strives to respond to reports as follows:

  • First response - 5 business days from submission

  • Triage - 10 business days from submission

  • Bounty payout - 10 business days from triage

We try to keep submitters informed throughout the process.

Disclosure Policy

Program Rules

  • Provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue is not eligible for a reward.

  • Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.

  • When duplicates occur, we only award the first eligible report that we receive.

  • When multiple vulnerabilities are caused by one underlying issue, we award a single bounty.

  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.

  • Avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or have explicit permission to interact with.

Common vulnerabilities to look for across all endpoints:

  • Information disclosure (cluster health, internal hostnames, passwords)

  • Exploitable TLS vulnerabilities or misconfiguration

  • Components with exploitable security vulnerabilities

  • Unauthorized or elevated persistent store access

  • Sensitive AWS metadata exposure

  • Cross-tenant administrative access or information disclosure

  • OWASP Top 10 vulnerabilities

  • CWE-SANS Top 25 Dangerous Bugs

The following issues are considered out of scope:

  • All example code and public repository code at https://github.com/pingidentity

  • All public docker images at https://hub.docker.com/u/pingidentity

  • Clickjacking on pages with no sensitive actions.

  • Unauthenticated/logout/login CSRF.

  • Attacks requiring MITM or physical access to a user's device.

  • Previously known vulnerable libraries without a working Proof of Concept.

  • Comma Separated Values (CSV) injection without demonstrating a vulnerability.

  • Missing best practices in SSL/TLS configuration.

  • Any activity that could lead to the disruption of our service (DoS).

  • Content-spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS.

  • All on-premises Ping downloadable products: PingFederate, PingAccess, PingDirectory, PingDataSync, PingDataGovernance, PingID mobile apps in the App Stores, and PingID Desktop MFA apps.

  • Other customer-downloadable products or components, such as SDKs, including PingID SDK.

  • Any customizations, Ping adapters, or integration kits.

In Scope

Scope type: android_application

What it is:

  • Multi-factor Authentication (MFA) authenticator service
  • MFA is configured via the PingOne Desktop > Devices > My Device > Add.
  • Ping Authenticator used for Multi-Factor Authentication (MFA)
  • The authenticator is a service which provides multi-factor via PingID mobile applications available in the iTunes and Android app stores, Yubikey Series 4, PingID Desktop apps for OS X and Windows, or email.
  • The authenticator service is a back-end hosted service.
  • The client MFA applications are not in scope but the protocol data and authenticator service are; this includes requests and responses.

Scope type: web_application
Scope name: https://console-staging.pingone.com/*

What it is:

  • Administrative console to the PingOne For Customers platform that manages user access, authentication types, and connected applications.

What it does:

  • Allows administrators to configure authentication workflows and assign different authentication policies (SAML, OAuth2, and OpenID Connect are supported) to each of your applications.
  • Supports Single-Sign-On (SSO) and Multi-Factor Authentication (MFA) across all connected applications.
  • Offers robust user-management capabilities.

Specific things to look for:

  • XSS
  • CSRF/SSRF
  • User token compromise that is kept in session storage
  • Event passing to and from the iframe that hosts the app that bundles and renders the main page content.

Test Plan:

  • Spider the site
  • Test UI for XSS
  • Check for client-side controls
  • Check for authentication or authorization issues
  • Check session management for: logout, account takeover, or impersonation issues
  • You will be emailed a test account with a one-time-use password. Your login sign-on URL will include your environment ID, e.g. https://console-staging.pingone.com/?env=ENV_ID

Scope type: web_application
Scope name: https://api-staging.pingone.com/*

What it is:

  • REST API for configuring and managing your PingOne For Customers organization

Specific things to look for:

  • Privilege escalation (role descriptions)
  • Data exfiltration
  • Mass assignment vulnerabilities

Test Plan:

  • Spider the API endpoints
  • Fuzz input values
  • Probe authorization and permissions
  • Examine any service-to-service interactions for potential CSRF/SSRF

Scope type: web_application
Scope name: https://ort-admin.pingone.com/*

What it is:

  • Administrative web portal for PingOne For Enterprise (P14E)

What it does:

  • Allows P14E administrators to manage all aspects of their enterprise user accounts

Specific things to look for:

  • XSS
  • SSRF

Scope type: web_application
Scope name: https://apps-staging.pingone.com/*

What it is:

  • Cloudfront distribution for the PingOne for Customers login/authentication flow orchestration and self-service account/profile management user interfaces

What it does:

  • Provides user interface for administrators to configure authentication flows and assign different authentication policies
  • Provides interface for end users to manage their account profiles and settings

Specific things to look for:

  • Test UI for XSS
  • CSRF/SSRF
  • User impersonation
  • Privilege escalation
  • Session management (logout, account takeover, or impersonation issues)
  • Access control misconfigurations
  • Data exfiltration
  • Spider the site
  • Authentication or authorization issues

Test Plan:

  • To access apps-staging.pingone.com, log in to console-staging.pingone.com/?env={YOUR_ENVIRONMENT_ID_HERE}
  • Click on the user icon in the top right corner
  • Navigate to one of the My Account pages in the dropdown menu (Profile, Authentication, or Change Password); the user will then be taken to the apps-staging.pingone.com endpoint.

Scope type: web_application
Scope name: https://ort-desktop.pingone.com/*

What it is:

  • Central hub of Ping One For Enterprise, a cloud-based dock that provides users with secure SSO access to an expansive library of applications

What it does:

  • Provides many pre-existing integrations with popular SaaS applications
  • Leverages SAML, OIDC and other secure identity standards to integrate with any other cloud-based applications
  • Provides the option of storing user identity data in PingOne's cloud directory

Specific things to look for:

  • User impersonation
  • Privilege escalation (role descriptions)
  • Session management

Scope type: web_application
Scope name: https://ort-authenticator.pingone.com/*

What it is:

  • Multi-factor Authentication (MFA) authenticator service
  • MFA is configured via the PingOne Desktop > Devices > My Device > Add.
  • Ping Authenticator used for Multi-Factor Authentication (MFA)
  • The authenticator service is a back-end hosted service.
  • The client MFA applications are not in scope but the protocol data and authenticator service are; this includes requests and responses.

What it does:

  • Employs MFA (typically PingID) to authenticate users and then pass control back to PingOne for Enterprise

Specific things to look for:

  • Ways to break the authentication flow between the authenticator and other services
  • MITM and replay attacks

Test Plan:

  • Try to manually forge or alter JSON web tokens (JWT)
  • MFA bypass

Out of Scope

Scope type: web_application

  • https://desktop.pingone.com
  • https://*.pingidentity.io
  • https://test-desktop.pingone.com
  • https://test-sso.connect.pingidentity.com
  • https://admin.pingone.com
  • https://api.pingone.com
  • https://*.pingidentity.net
  • https://console.pingone.com
  • https://*.pingidentity.com
  • https://authenticator.pingone.com
  • https://uploads-staging.pingone.com
  • https://uploads.pingone.com
  • https://developer.pingidentity.com/*


This program was found on HackerOne on 2019-10-22.

FireBounty © 2015-2019