Penetration Testing

| # | Summary | Steps | Feature | Endpoint | Expected | Status | Method | Request |
|---|---|---|---|---|---|---|---|---|
| 1 | Information Disclosure | In the request, the attacker simply changes the username to another user's username, and the response displays information about that user. | | GET /v1/users/nickname/[User-Nickname] | Data Leak Prevention | PASSED | IDOR | Open |
| 2 | Attacker changes another user's Goal status to 'Completed' | 1. Create a new Goal on account A; on account B click 'Support me' and proceed to payment. 2. Go back to account A, click 'Complete goal' and intercept the request with Burp. | Goal Donation | PUT /v1/wallets/goal-donation/[ID-goals] | Validation | PASSED | IDOR | Open |
| 3 | Attacker updates another user's Goals | 1. Update an existing goal on the attacker's account. 2. Intercept the request, then change the id to the victim's Goal Donation id. | Goal Donation | PUT /v1/wallets/goal-donation/[ID-goals] | Validation Handle | PASSED | IDOR | Open |
| 4 | Attacker deletes another user's Goals | 1. Delete an existing goal on the attacker's account. 2. Intercept the request, then change the id to the victim's Goal Donation id. | Goal Donation | PUT /v1/wallets/goal-donation/[ID-goals] | Validation Handle | PASSED | IDOR | Open |
| 5 | Attacker creates a new Goal Donation for another user | Attacker creates a new goal donation and intercepts the request before clicking the Create button. | Goal Donation | POST /v1/wallets/me/goal-donation | Authentication Handle | PASSED | IDOR | Open |
| 6 | Users can rate products more than once | 1. Buy another user's product and go to https://ganknow.com/manage/my-orders. 2. Click the Leave a Review button and intercept the request with Burp Suite. 3. Right-click and Send to Repeater. | Shop Listing | POST /v1/catalogs/services/[order-id]/reviews | Make sure the order id exists, is for the same service, and comes from the same user; double-check that one order id can submit only one review. | PASSED | IDOR | Open |
| 7 | Users can change the URL of the Attachments | 1. Create a new listing on https://ganknow.com/plecle/shop and fill in the title, description, etc. (or edit an existing one). 2. In 'Listing type' select Digital Goods, upload Attachments, then Publish. 3. Return to the newly created listing and click Edit Listing. 4. Intercept the request with Burp. | Shop Listing | PUT /v1/catalogs/services/[services-id] | Validate the download link so that only the http or https scheme is allowed. | PASSED | IDOR | Open |
| 8 | Attacker changes another user's Listing price to $0 | Attacker | Shop Listing | | | | | Open |
| 9 | Attacker creates a new membership on another user's account | | | | | | | Open |
| 10 | Attacker deletes the victim's membership | | Membership | DELETE /v1/users/membership-settings-v2 | Authentication Handle; Membership id leak | PASSED | IDOR | Open |
| 11 | Attacker withdraws more than the existing balance | | Withdrawal | POST /v1/wallets/withdrawal-requests | | PASSED | IDOR | Open |
| 12 | Attacker withdraws less than the minimum withdrawal | | Withdrawal | POST /v1/wallets/withdrawal-requests | | PASSED | IDOR | Open |
| 13 | Attacker changes the victim's withdrawal account | | | | | | | Open |
| 14 | Attacker changes the earnings balance | | | | | | | Open |
| 15 | Attacker changes the donation amount from the transaction history | | Withdrawal | PATCH /v1/wallets/(Transaction ID)/transactions | | | | Open |
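The "Expected" column of these findings all come down to server-side checks the API must perform: goal-donation updates limited to the owner (rows 2 to 4), one review per order by its buyer (row 6), attachment links restricted to http/https (row 7), and withdrawals bounded by the balance and the minimum (rows 11 and 12). The example below is added here and is not the application's own code; the in-memory dictionaries, the user names and the minimum withdrawal value are constructed assumptions standing in for the real database.

```python
from urllib.parse import urlparse


class Forbidden(Exception):
    """Caller is authenticated but does not own the referenced object."""


class ValidationError(Exception):
    """Request is well-formed but violates a business rule."""


# Constructed sample state (assumption): stands in for the application's database.
GOALS = {"g1": {"owner": "alice", "status": "Open"}}
ORDERS = {"o1": {"buyer": "bob", "service": "s1"}}
REVIEWED_ORDERS = set()
WALLETS = {"alice": 50.0}
MIN_WITHDRAWAL = 10.0  # assumed threshold, the page does not state the real one


def update_goal(actor, goal_id, new_status):
    """PUT /v1/wallets/goal-donation/[ID]: the object id comes from the client,
    so ownership must be checked against the authenticated user, not trusted."""
    goal = GOALS.get(goal_id)
    if goal is None or goal["owner"] != actor:
        raise Forbidden("goal does not belong to the caller")
    goal["status"] = new_status
    return goal


def submit_review(actor, order_id, service_id):
    """POST /v1/catalogs/services/[order-id]/reviews: order must exist, be for
    this service, belong to the caller, and not have been reviewed already."""
    order = ORDERS.get(order_id)
    if order is None or order["buyer"] != actor or order["service"] != service_id:
        raise Forbidden("order not found for this user and service")
    if order_id in REVIEWED_ORDERS:
        raise ValidationError("order already reviewed")
    REVIEWED_ORDERS.add(order_id)
    return True


def validate_attachment_url(url):
    """PUT /v1/catalogs/services/[id]: only http or https download links."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        raise ValidationError("attachment URL must use http or https")
    return url


def request_withdrawal(actor, amount):
    """POST /v1/wallets/withdrawal-requests: amount within balance and above minimum."""
    balance = WALLETS.get(actor, 0.0)
    if amount < MIN_WITHDRAWAL:
        raise ValidationError("below minimum withdrawal")
    if amount > balance:
        raise ValidationError("exceeds available balance")
    WALLETS[actor] = balance - amount
    return WALLETS[actor]
```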