Description

OneSpan (formerly known as VASCO Data Security) is a global leader in digital security with two-factor authentication, transaction data signing, document e-signature and identity management solutions designed for financial institutions, enterprises, healthcare institutions as well as government agencies. In this project, we request researchers to validate the security of two server-side products, namely IDENTIKEY Authentication Server and IDENTIKEY Risk Manager.

Bounties (Tier 2, up to € 2,000)

  Low          € 0
  Medium       € 500
  High         € 750
  Critical     € 1,000
  Exceptional  € 2,000
Domains (all Tier 2, type URL)

  • irm.scc.labs.vasco.com: IDENTIKEY Risk Manager (IRM)
  • irm.scc.labs.vasco.com:9090: IDENTIKEY Risk Manager (IRM)
  • ias.scc.labs.vasco.com: IDENTIKEY Authentication Server (IAS), UDP ports 1812 and 1813
  • ias.scc.labs.vasco.com:8443: IDENTIKEY Authentication Server (IAS)
  • ias.scc.labs.vasco.com:8888: IDENTIKEY Authentication Server (IAS)
In scope

We have recently updated IDENTIKEY Authentication Server and IDENTIKEY Risk Manager. Please check out the new versions and let us know your findings!

The scope of this project is limited to the following products:

IDENTIKEY Authentication Server (IAS)

  • Application entry points:
  • Accounts: it is not possible to create user accounts. Upon registration you will receive a user account from Intigriti which you can use to perform your tests. This user account allows you to create additional accounts in the application.

IDENTIKEY Risk Manager (IRM)

  • Application entry points:
  • Accounts: it is not possible to create user accounts. Upon registration you will receive a user account from Intigriti which you can use to perform your tests. This user account allows you to create additional accounts in the application.
Out of scope

Please note that all domains of OneSpan are out of scope except the ones mentioned in the “in scope” section.

The demo token website where you can generate one-time passwords is also explicitly out of scope. The URL of this website is http://demotoken.vasco.com/.

All other domains in the OneSpan Labs domain .labs.vasco.com are also explicitly out of scope.

All services running on ports on the above mentioned servers that are not explicitly mentioned in the in-scope section are also explicitly out of scope.

You will not receive a reward, and your submission will be rejected, if it is out of scope or falls into one of the following categories:

General

  • Violations against best practices that only have a theoretical chance of exploitation
  • Highly speculative reports about theoretical damage. Be concrete.
  • Denial of Service Attacks
  • Publicly accessible login panels of OneSpan software
  • Reports that state that software is out of date/vulnerable without proven exploitable risks
  • Vulnerabilities as reported by automated tools without additional analysis as to how they're an issue
  • Physical or social engineering attempts (this includes phishing attacks against employees)

Application

  • Debug information, stack trace information, excessive information leakage (internal IP addresses, server paths, …)
  • Open redirects - 99% of open redirect issues have low security impact. For the rare cases for which there is a security impact, like stealing sensitive data (customer records,…) or introducing XSS, we do still want to hear about them.
  • XSS issues in non-current browsers (older than 3 versions)
  • Self-XSS that cannot be used to exploit other users (this includes having a user paste JavaScript into the browser console)
  • Content injection issues
  • User enumeration
  • Cross-site Request Forgery (CSRF)
  • Missing autocomplete attributes
  • Missing cookie flags on non-security sensitive cookies
  • Missing security headers or unnecessary headers which do not present an immediate security vulnerability
  • Banner grabbing issues (figuring out what web server we use, etc)
  • Clickjacking (including clickjacking on sensitive pages)
  • Injection attempts where the application doesn’t accept the input because of input validation.
  • Session hijacking by copying the cookie values.
  • Available HTTP methods that do not pose a security risk (for example if the PUT/DELETE methods seem to be available, but using them doesn’t have an impact because the corresponding server functionality is not available or implemented).

Infrastructure

  • Recently disclosed 0-day vulnerabilities against commercial products where no patch is available or the patch was released within the last 2 months. We need time to patch our software and release new versions just like everyone else.
  • Open ports without an accompanying proof-of-concept demonstrating vulnerability
  • Weak SSL/TLS configurations and SSL/TLS scan reports (for example output from sites such as SSL Labs or issues related to the fact that the applications are configured with self-signed certificates).
  • Reports on misconfigured DNS settings or missing DNS domain records (such as missing DMARC or SPF records).
  • Reports on the configuration of services that are not related to the tested application (for example reports about the email security of the tested domains and reports about the DNS servers hosting the DNS records of the tested domains).
  • Reports on the configuration of the underlying operating system.

Application business logic

  • As mentioned in the FAQ, all provided DIGIPASS tokens have the same configuration, meaning that all provided DIGIPASS tokens accept the same one-time password at the same time. Issues related to the fact that a valid one-time password used on account X is also valid on account Y will be rejected.
  • Issues related to the configuration of the application that can be modified using the application (for example mentioning that using username/password on the logon page is insecure (this can be configured), the fact that the application allows the use of “weak” passwords, or mentioning that a one-time password generated 30 minutes ago is still accepted (this can also be configured)).
Rules of engagement

Guidelines

  • Provide detailed but to-the-point reproduction steps
  • Include a clear attack scenario; a step-by-step guide in the PoC is highly appreciated
  • Remember: quality over quantity!
  • Provide the timestamp at which you conducted the test and the username you used to conduct it.

Application availability

  • The IAS and IRM servers will automatically reboot each day at 0:00 CET.
  • The IAS and IRM servers might automatically reboot after the installation of updates (typically around 3:00 CET)

Safe harbour for researchers

OneSpan considers ethical hacking activities conducted in accordance with the Researcher Guidelines, the Program description and restrictions (the Terms) to constitute “authorized” conduct under criminal law. OneSpan will not pursue civil action or initiate a complaint for accidental, good-faith violations, nor will it file a complaint for circumventing technological measures used by us to protect the scope as part of your ethical hacking activities.

If legal action is initiated by a third party against you and you have complied with the Terms, OneSpan will take steps to make it known that your actions were conducted in compliance and with our approval.

Severity assessment

It will be the responsibility of Intigriti to pay ethical hackers in a timely and legal way. Payouts will only take place after agreement with OneSpan on the criticality of the impact and only if the submission was the first of its kind and agreed to be valid.

Duplicates policy: When two identical issues are reported, with different endpoints being the only difference between submissions, only the first submission will have the criticality below assigned.

If similar reports by the same user are reported within 14 days after accepting the previous (only differentiating in endpoint), the reports will be accepted but in a lower criticality, hence affecting the bounty.

OneSpan provides the following monetary rewards. In addition, researchers will be listed in OneSpan’s Hall of Fame if they agree to it.

Exceptional: € 2,000:

  • Remote Code Execution
  • OTP bypass, for example if a client is required to log on using a one-time password and you manage to log on using any other number.
  • Recovering DIGIPASS secrets.

Critical: € 1,000:

  • Access to all user / domain details
  • IDENTIKEY Authentication Server: Being able to test/validate one-time passwords and signature of tokens not part of the user’s domain
  • Privilege escalation: Ability to read/modify data without having the privilege to do so, for example being able to create a user without having the required admin privilege.
  • SQL/XML/JSON Injection that can be used to manipulate the behavior of the query or request.
  • Impersonation of another user without copying the session cookie value

High: € 750:

  • Stored XSS

Medium: € 500:

  • Vulnerabilities that affect multiple users, and require little or no user interaction to trigger.
  • Reflected Cross-Site scripting
  • SQL/XML/JSON Injection that only generates an application error or breaks the query.

Low: € 0:

  • Vulnerabilities that affect singular users and require interaction or significant prerequisites (MitM) to trigger.
  • Scripting and automation
  • Publicly accessible login panels of third party software (for example the login panel of the application server or of the database server). Login panels of OneSpan products are out-of-scope.
FAQ

Can we receive test accounts?

Yes. Since it is not possible to create an initial account, you will receive one account from Intigriti. With this account, you can create additional accounts in your own domain/environment. If required for your testing, you can request a second account from Intigriti.

You can contact Intigriti through their support to receive the account.

Where can we get one-time passwords?

Every test account has also been provisioned with at least one DIGIPASS token. You can generate one-time passwords for this token via the following website: http://demotoken.vasco.com/ or http://demotoken.vasco.com/go3.html

The Demo Token website is outside of the scope of this project!

Please note that all DIGIPASS tokens that are provided have exactly the same configuration. So all tokens that are provided to you accept the same one-time password at the same time.

Program specifics: ID check required; Reputation points; Triage