Project description

I need someone to find a vulnerability in an Android application

called my stc ksa

Android: https://play.google.com/s...

iOS: https://apps.apple.com/sa...

The vulnerability must be of critical or high severity.

Anyone who finds a vulnerability should submit an offer.

Programs

MySTC - Mobile - stc

Accepted

STC

The MySTC application lets you control and manage your own mobile and landline numbers at STC by providing many services and features that help you carry out your operations easily, such as viewing and paying bills, recharging prepaid numbers and transferring amounts between them, subscribing to and unsubscribing from packages and services, and monitoring your data usage.

Sep 2, 2024 - Sep 2, 2025

In Scope

MySTC - iOS:

https://apps.apple.com/sa...

MySTC - Android:

https://play.google.com/s...

Out of Scope:

Any physical attacks against stc property or data centers.

Scanner output or scanner-generated reports, including any automated or active exploit tool.

Attacks involving payment fraud, theft, or malicious merchant accounts.

Man-in-the-Middle attacks.

Vulnerabilities involving stolen credentials or physical access to a device.

Social engineering attacks, including those targeting internal employees.

Social engineering, for example attempts to steal cookies, or fake login pages used to collect credentials.

Open redirection.

Host header injections without a specific, demonstrable impact.

Denial of service (DoS) attacks using automated tools.

Self-XSS, which includes any payload entered by the victim.

Any vulnerabilities requiring significant and unlikely interaction by the victim, such as disabling browser controls.

Login/logout CSRF.

CSRF on forms that are available to anonymous users.

Content spoofing.

Weak Password Policy.

Autocomplete Enabled.

Missing Custom Error Page.

Infrastructure vulnerabilities, including:

  - Issues related to SSL certificates
  - DNS configuration issues
  - Server configuration issues (e.g. open ports, TLS versions, etc.)
  - TLS configuration issues such as BEAST, BREACH, renegotiation attacks, insecure cipher suites, etc.
  - Missing HTTP security headers (CSP, X-XSS, etc.)
  - Lack of Secure or HttpOnly cookie flags
  - Missing SPF/DKIM/DMARC entries

Harmful HTTP methods enabled without demonstrated real impact.

Mixed content warnings for passive assets like images and videos.

Vulnerabilities only affecting users of outdated or unpatched browsers and platforms.

Information disclosure of public or non-protected information (e.g. code in a public repository).

Exposed credentials that are either no longer valid or do not pose a risk to an in-scope asset.

Any other submission determined to be low risk, based on unlikely or theoretical attack vectors, requiring significant user interaction, or resulting in minimal impact.

Attacks requiring physical access to a user's device.

Vulnerabilities in any open-source library.

Account/email enumeration issues.

Email and OTP flooding.

Clickjacking or UI redress attacks, and tapjacking.

Vulnerabilities requiring extensive user interaction.

Exposure of non-sensitive data on the device.

Vulnerabilities in third-party libraries without a demonstrated specific impact on the target application (e.g. a CVE with no exploit).

Generating abuse requests.

Submission of support, sales or other requests to 3rd party systems.

Mass creation of users, groups, and projects.

Spam-like or other high-volume activity to mails.

Brute forcing user credentials.

Use of insufficiently random values.

Information exposure through caching and the browser cache.

Submitted offers

Peace be upon you and the mercy and blessings of God. I have read what is required and I am ready to carry it out, God willing. Contact me so we can start the work, God willing.