IMPORTANT: you can choose any format to create the report for this assignment. Using a specific format is not a requirement in the selection process – we will consider the content of your report (vulnerabilities and methods for exploiting them) exclusively to evaluate your work. The Non-Disclosure Agreement (NDA) in effect between you and Origin governs the disclosure of the upcoming report to all other parties, including product vendors or suppliers.
Origin is a platform that helps our customers' employees put their financial lives on track.
You will perform a security test of the Origin web solution. The solution consists of a single web application, accessed under one specific user role: the Consumer.
The primary goal of this web application security testing project will be to identify any potential areas of concern associated with the solution in its current state and to determine the extent to which the system may be breached by an attacker possessing a particular skill level and motivation. The assessment should be performed in accordance with “best-in-class” practices.
You will conduct the manual testing for two days. All testing activities will be performed on the development environment using the latest versions of the applications and completely isolated from production data. While performing the testing activities, you can emulate an external attacker without prior knowledge of the environment. The assessment should not attempt any active network-based DoS attacks.
The scope of the assessment will include the following application:
- https://app-development.useorigin.com – the Consumer application
To test the user-authenticated area and privilege escalation vulnerabilities, you can create a user account freely and use the credentials recently created to access the user-authenticated area. You will receive a confirmation e-mail to finish account creation.
Be aware that Origin will focus on the following evaluation criteria:
- If you can run a manual test to identify and attempt exploitation of the most common security issues.
- How organized your assessment is. Not following any format doesn't mean that you don't need to be clear and organized.
- How deeply you collected and examined key information about the targeted application and related infrastructure.
- If you could identify possible security issues that could lead to compromise of sensitive information or unauthorized access to the functionality of the targeted application.
- And if you tried to exploit all identified vulnerabilities, so that the report discloses the true risk level and the possible impact of exploitation on the system, and minimizes false-positive results.
The report's internal structure is not important. Still, we ask you to send us the report in a PDF file format.