In scope
Introduction

We are happy to announce our program! We’ve done our best to clean up our known issues and now would like to request your help to spot the ones we missed!

This section lists the assets, websites, products, and services that are considered in-scope and out-of-scope. This list is subject to change without notice and should be reviewed prior to submitting a finding.

Only the entities operated by the Software are in scope, in particular:

iqoption.com
*.iqoption.com
quadcode.com
*.quadcode.com
Vulnerabilities in-scope (WEB):

RCE
Injections
Broken Authentication
Sensitive Data Exposure
XML External Entities
Broken Access Control
Security Misconfiguration with a demonstration of how to exploit it
Cross-Site Scripting
Insecure Deserialization
Allowed actions for the critical vulnerabilities:

Command Injection:
Execute only benign commands via the web application or interface, such as:
cat /etc/passwd
Commands must only be used to demonstrate the ability to execute code.
SQLi are limited by the following scope:
Retrieving basic database information:
Basic identity of the current database, server version, user and host: SELECT database(); SELECT @@version; SELECT user(); SELECT system_user(); SELECT @@hostname;
Accessing database schema details: SELECT table_schema; SELECT table_name; SELECT column_name;
Performing mathematical, conversion, or logical queries: Includes the use of functions like SLEEP or similar, provided they do not extract data (other than those explicitly listed above).
File Upload:
Testing vulnerabilities that may result in arbitrary file uploads or arbitrary file reads on the server must strictly adhere to the following guidelines:
Permitted Actions for File Reads

When exploiting file read vulnerabilities, only files containing non-sensitive, demonstrable system information may be accessed. Examples include:
/etc/passwd, /proc/sys/kernel/hostname
Further restrictions:
Any action beyond reading the aforementioned files, such as accessing sensitive or critical configuration files, requires prior approval from our security team.
Example file name: bugbounty_2024-11-13.log.
Reporting Requirements:
Provide the following details in your report:
Source: The IP address of the device used to perform the requests.
Timestamp: Include the date, time, and timezone of your actions.
Full Server Requests and Responses: Include all HTTP requests and their corresponding responses, including headers and bodies.
Uploaded Files: List all uploaded files and their names.
Callback Information: The IP address and port if a callback request (e.g., SSRF or RCE) was made.
Accessed Data: Describe any data accessed, either deliberately or accidentally.
Assessment of Vulnerabilities Resulting from Data Leaks
If access to any services is obtained due to data leaks (e.g., authentication credentials found in leaked databases), the severity level of the issue will be determined not based on CVSS, but rather on factors such as the roles assigned to the affected account and the potential impact on our infrastructure and customers.

Additionally, we reserve the final right to determine eligibility for a bounty reward. The mere presence of valid credentials or access does not guarantee a payout, as certain accounts may belong to B2B partners or other entities that do not pose a direct risk to our customers’ data.

Out of scope

Known Issues (date last updated: 25/11/2024) [DD/MM/YYYY]

  1. Insecure cross-origin resource sharing dealing-analytics.int.iqoption.com
  2. Insecure Session cookie configuration for dealing-analytics.int.iqoption.com
  3. Exposed metrics at https://offers.cpa.iqoption.com/metrics
  4. SQLi in video-education-app
  5. IDOR on https://avatars.iqoption.com/api/v1/users
  6. HTML injection in support chat on a page https://iqoption.com/
  7. Open Redirect on:
  • https://auth.iqoption.com/api/v1.0/login/token?q=<special_string>
  • https://auth.iqoption.com/api/v2/login/token?q=<special_string>
  8. XSS via SVG upload on iqoption.com/faq/:catId/:id

Application

  1. Currently we don’t accept CSRF
  2. Social engineering (including phishing) of any employee, contractors and/or client of Quadcode and/or of the entities operated by the Software;
  3. Messages from security scanners and other automated systems;
  4. Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS;
  5. Weak password policies;
  6. Mail configuration issues including SPF, DKIM, DMARC settings;
  7. CRLF and Host header injection without exploitation;
  8. DNSSEC configuration;
  9. Clickjacking;
  10. Unauthenticated/logout/login/signup, enable/disable notification CSRF;
  11. Previously known vulnerable libraries without a working Proof of Concept;
  12. Missing best practices in SSL/TLS configuration;
  13. Missing best practices in HTTP headers configuration without a working Proof of Concept:
    Strict-Transport-Security
    X-Frame-Options
    X-XSS-Protection
    X-Content-Type-Options
    Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
    Content-Security-Policy-Report-Only
    Cross-Origin-Opener-Policy
  14. Network disruption of service (DoS) attacks (e.g. connection floods, HTTP GET floods, etc.);
  15. Path disclosure;
  16. Reports about the absence of a protection mechanism or non-compliance with recommendations;
  17. CSP (content security policy);
  18. SSL Issues, e.g.:
    • SSL Attacks such as BEAST, BREACH, Renegotiation attack
    • SSL Forward secrecy not enabled
    • SSL weak / insecure cipher suites
  19. CSRF on forms that are available to anonymous users (e.g. the contact form);
  20. Logout Cross-Site Request Forgery (logout CSRF);
  21. Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality;
  22. Lack of Secure/HTTPOnly flags on non-sensitive cookies;
  23. Lack of Security Speedbump when leaving the site;
  24. Weak Captcha / Captcha Bypass;
  25. Forgot/Change Password page brute force and account lockout not enforced
  26. OPTIONS HTTP method enabled;
  27. CORS;
  28. Username / email enumeration:
    • via Login Page error message
    • via Forgot Password error message
  29. DoS over account creation
  30. Verbose messages/files/directory listings without disclosing any sensitive information
  31. Disclosure of technical or non-sensitive information* (e.g. software version, detailed error messages)
  32. Bypassing rate-limits or the non-existence of rate-limits.
  33. Best practices violations (password complexity, expiration, re-use, etc.)
  34. CSV Injection
  35. Tokens leaked to third parties
  36. Email bombing
  37. HTTP Request smuggling without any proven impact
  38. Same-site scripting
  39. Subdomain takeover without taking over the subdomain
  40. Arbitrary file upload without proof of the existence of the uploaded file
  41. Blind SSRF without proven business impact (pingbacks aren’t sufficient)
  42. Host header injection without proven business impact
  43. Application-layer DoS/DDoS attacks (e.g., slowloris, HTTP POST floods, GraphQL abuse, etc.)
  44. Open Redirect without demonstrating an additional security impact (e.g. ability to steal an authentication token)

General

The following testing approaches and attacks are not allowed as part of this program:

  • Recently discovered zero-day vulnerabilities found in in-scope assets within 14 days after the public release of a patch or mitigation may be reported, but are usually not eligible for a bounty
  • Exfiltration of data
  • Phishing
  • Attempting to obtain information from other user accounts. If you believe you’ve found an issue that may result in compromising the data or session of another user account, we ask that you utilize your own testing accounts in this situation.
  • Using automation to brute force login credentials
  • Manually or using automation to scrape large sections of this site to enumerate user IDs, usernames, emails, or other user/employee information
  • If a reported vulnerability was already known to the company from its own tests, it will be flagged as a duplicate
  • Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end user interactions to be exploited
  • Spam, social engineering and physical intrusion
  • DoS/DDoS attacks or brute force attacks
  • Vulnerabilities that only work on software that no longer receives security updates
  • Attacks requiring physical access to a victim’s computer/device, man in the middle or compromised user accounts
  • Reports that state that software is out of date/vulnerable without a proof-of-concept

Prohibited actions:

  1. Post-Exploitation: Prohibited Actions for File Uploads:
  • Modification or alteration of files:
    • Uploading files that modify, alter, delete, or replace any files on the server, including system files, is strictly forbidden. Exceptions are only allowed for files explicitly associated with your account or accounts for which explicit consent has been granted by the respective user.
  • Denial-of-Service (DoS) through file uploads:
    • Uploading files that can cause a denial of service (e.g., excessively large files or those designed to exhaust resources) is prohibited.
  • Malicious file uploads:
    • Uploading malicious files, such as malware, spyware, or other files intended to compromise the system, is strictly forbidden.
  • Interrupting normal server operations (e.g., triggering a reboot or disabling services).
  • Creating and maintaining a persistent connection to the server or environment.
  2. Accessing Excessive Information:
  • Intentionally reading files, data, or system logs beyond what is necessary to demonstrate the vulnerability.
  • Viewing sensitive information that is not relevant to proving the issue.
  3. Unethical Behavior:
  • Failing to disclose all actions taken or data accessed during the testing process.
  • Testing outside of the agreed scope (e.g., third-party systems or domains not listed in scope).