Allianz ONE Business Solution

Internal
Allianz ONE Business Solution Bug Bounty Policy
Disclosure Policy .......... 1
VPN Usage .......... 1
Scope .......... 2
Exclusions .......... 2
RCE .......... 3
SQL Injection (SQLi) Policy .......... 3
File Upload Policy .......... 3
Allowed actions when conducting File-upload attempts .......... 4
Safe Harbor Principle .......... 4
No system is completely safe, and Allianz believes that working with skilled security researchers
across the globe is crucial in identifying weaknesses in any technology or application we are
using and building. If you believe you've found a security issue in our product or service, we
encourage you to notify us. We welcome working with you to resolve the issue promptly.
Disclosure Policy
● As this is a private program, please do not discuss this program or any vulnerabilities
(even resolved ones) outside of the program without express consent from the
organization.
● Follow HackerOne's disclosure guidelines
VPN Usage
To take part in our Bug Bounty program you need to use the HackerOne Gateway to connect to
our applications.
The instructions on how to configure the VPN can be found here: https://docs.hackerone.com/hackers/hackerone-vpn-root-ca.html
Bounty grid
Scope
Asset: https://cim.allianz.de/ui/login/de/allianz/
Instruction: You can register at https://cim.allianz.de/registrierung/azd/personaldata, and the sign-in page is https://cim.allianz.de/ui/login/de/allianz/start
Asset: https://altersvorsorge-rechner.allianz.de/
Asset: https://www.allianz.de/service/schaden-melden/formular/#/
Asset: https://www.allianz.de/auto/tools/rabattverlustrechner
Asset: https://www.allianz.de/service/tools/kilometerstandsmeldung
Asset: https://www.allianz.de/gesundheit/privatekrankenversicherung/rechner/
Exclusions
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and
(2) security impact of the bug. The following issues are considered out of scope:
● For the time being, we are making all vulnerabilities in Flash files out of scope
● Reports from automated tools or scans
● Reports affecting outdated browsers
● Denial of Service attacks
● Issues without clearly identified security impact (such as clickjacking on a static website)
or speculative theoretical exploitability - for example using UXSS to steal the auth
cookies, or identifying Apache Tomcat 8.0.43 but not being able to perform any attack.
● Missing security best practices and controls (rate-limiting/throttling, lack of CSRF
protection, lack of security headers, missing flags on cookies, descriptive errors, server/
technology disclosure - without clear and working exploit)
● Lack of crossdomain.xml, p3p.xml, robots.txt or any other policy files and/or wildcard
presence/misconfigurations in these.
● Lack of HTTPS
● Reports about insecure SSL / TLS configuration
● Publicly accessible login panels
● Clickjacking
● CSS Injection attacks (unless it gives you the ability to read anti-CSRF tokens or other
sensitive information)
● Tab nabbing
● Host Header Injection (unless it gives you access to interim proxies or can be used to
change the application flow and impact security)
● Reflective File Download
● Cross-Origin Resource Sharing (CORS) Access-Control-Allow-Origin: * or acceptance of
a custom Origin header that does not specifically show a valid attack scenario
● PRSSI - Path-relative stylesheet import vulnerabilities (without an impactful exploitation
scenario - for example stealing CSRF tokens)
● Our policies on presence/absence of SPF / DKIM / DMARC records
● Lack of DNS CAA and DNS-related configurations
● Weak Certificate Hash Algorithm
● Any physical/wireless attempt against property or data centers
RCE
Vulnerabilities which allow execution of code on the application server, or of shell commands on
the server itself, must be exploited in accordance with this policy.
Exploitation of possible RCE vectors is only allowed to show the basic impact of the
vulnerability, e.g. issue ipconfig + whoami on Windows or ifconfig + whoami/id on Unix.
SQL Injection (SQLi) Policy
Vulnerabilities which allow injection of attacker-controlled parts of the SQL query must be exploited
in accordance with this policy.
Exploitation of SQLi is only allowed to show the basic impact of the vulnerability, e.g. by issuing
SELECT queries such as SELECT @@version.
File Upload Policy
If file uploads are possible in the application through any means (e.g. PUT HTTP method,
file upload functionality, etc.) please stick to the following rules:
The following actions are prohibited:
● Altering/Modifying/Deleting/Replacing any files on the system (e.g. defacement)
○ Exception: if testing for defacement possibilities is explicitly given in the target scope,
replace one symbol/image on the site with a differently colored one for proof and
replace it back afterwards.
● Uploading files to the account of a user that you do not own and are not authorized
by (this does not apply to system users or web-server users such as www-data)
● Uploading files which deliberately introduce additional exploitation vectors (e.g. HTML
code containing cross-site scripting code, etc.)
● Uploading files which can cause Denial of Service (e.g. over-sized files or an unlimited
number of files resulting in running out of disk quota)
Allowed actions when conducting File-upload attempts:
● Chained exploitation vectors allowing you to jump out of the upload folder, e.g. using
path traversal or path manipulation, as long as they do not violate the prohibited actions
listed in the File Upload Policy.
● Upload of a file (any extension) with no content, a simple string, an integer or a special
character.
Test Plan
Tests are to be performed in black-box mode only, and it must be verified that it is not possible to
gain unauthorized access to the applications, the data and the services exposed. When present, check
the password recovery function.
Invited Finders can set up accounts for testing. Only interact with accounts you own. To separate testing
traffic from real user traffic, we highly encourage Finders to use their HackerOne email alias
[H1username@wearehackerone.com].
Access management:
● Generic credentials to test the asset, created and shared by Allianz on the program page
● Public access where no accounts and credentials are needed
● Public access where users can sign up for an account through self-registration
● Specific accounts created by Allianz (with DUMMY data) and provided
Safe Harbor Principle
Any activities conducted in a manner consistent with this policy will be considered authorized
conduct and we will not initiate legal action against you. If legal action is initiated by a third
party against you in connection with activities conducted under this policy, we will take steps to
make it known that your actions were conducted in compliance with this policy.