Challenge Overview
The app��https://gmail-ediscovery-open-adev3.appspot.com/
For reference, the code��from the most recent challenge
You should test as a fully unauthenticated user, as an authenticated-but-unauthorized google user, and as a fully authorized user. ��(After you've registered, you'll be see instructions for requesting authorization)
As a user of the system you should be able to run reports and download PGP-encrypted results. ��You should NOT be able to decrypt them, of course, because you won't have the private PGP key.����You should NOT��be able to upload your own PGP��public key... but TRY!
Any serious bug which directly affects the confidentiality or integrity of user account or domain data may be in scope. We will consider any security bug, but we will focus awards on bug that is deemed high or critical impact (see examples noted in ���What vulnerabilities would be considered Critical��� section below). In general, we anticipate most rewards will be in bug categories such as:
- Injection
- Cross Site Scripting
- Broken Authentication
- Broken Session Management
- Insecure Direct Object References
- Cross Site Request Forgery
- Cross Site Script Inclusion
- Server side code execution or command injection
- Security Misconfiguration
- Insecure Cryptographic Storage
- Failure to Restrict URL Access
- Insufficient Transport Layer Protection
- Unvalidated Redirects and Forwards
- Bypassing authorization controls (e.g. Non-administrative User A can access User B's private data)
What vulnerabilities would be considered critical/high severity
- Access the application by an unapproved user
- Access to user identifiable variables such as user email address, name, etc.
- Compromise the application and gain access to the applications valid OAuth key
- Get the App to use HTTP instead of HTTPS
- Allow an unauthorized administrative user to upload their own PGP key
- Download a file that is not PGP encrypted
��