Hack me contest of SantoshPandit.com

Why are you here?

It seems that you or your web spider visited this page either to hack me, out of curiosity, or by coincidence. Whatever your intention, you are welcome.

The contest

You will get our kudos and a reward if you can provide proof of a successful hack into our website. You also need to show how the vulnerability was exploited and how it can be remedied or patched.

Be considerate!

We are on a shared server; please do not use DDoS or DRDoS. Also, please do not run high-speed or intensive scans. Those are techniques used by novices: instead of finding a vulnerability, you are likely to irritate our host, and your IP address will be banned by our firewalls. Note: tell me your IP address if you want it whitelisted.

Exclusions from bug bounty eligibility

  • The SameSite attribute is not set on the Cloudflare cookie. This is normal.
  • The mail server allows TLS 1.0 and TLS 1.1. This issue has been raised with Tutanota and awaits their improvement.
  • Some scans may indicate that we are outside the EU. This is due to the Cloudflare CDN; the actual servers are in the EU.
  • Scans will indicate that the web server and mail server are located in different countries. This was a deliberate choice.
  • No glue records for the NS records. Glue is only required when the nameservers sit inside the domain itself, so this is a minor point; I am not bothered.
  • Only one MX record. This is a Tutanota limitation that I have to accept.
  • Domain hijack risk. Go ahead and hijack if you can.
  • SOA serial number format and expiry. This is a minor issue with Cloudflare. Ignored.
  • Presence of robots.txt and sitemap.xml. This is a standard disclosure and not a vulnerability.
  • TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 is not compliant with HIPAA. I know this already. I do not need to comply with HIPAA.
  • Some scans will indicate that key exchange and cipher strength can be improved further. This is a minor issue and applies only to the traffic between the visitor and Cloudflare; the traffic between Cloudflare and our servers uses optimal key exchange and cipher strength.
  • Some scans suggest the use of 'cookie free domains'. Frankly, I do not care about a few milliseconds improvement in the rendering speed.
  • HPKP - HTTP Public Key Pinning - is not used. It creates more problems than solutions; so I choose not to implement HPKP.
  • OCSP stapling. I do not need it.
  • Cookie disclaimer - Some automatic scans will indicate that the cookie disclaimer is inadequate under GDPR. False alarm.

For the following points, go ahead and hack me:

  • Secure client-initiated renegotiation - Scans often cite CVE-2009-3555 ('plaintext injection', disclosed as 'Project Mogul'), but that CVE concerns insecure renegotiation; secure (RFC 5746) client-initiated renegotiation is usually flagged only as a denial-of-service concern. I am aware some scans report this but I am not sure if it is exploitable. Go ahead and hack me if you think this vulnerability is exploitable.
  • BEAST attack - I believe this has been mitigated. You are welcome to try to exploit it.
  • LUCKY13 attack - Same as above. If it is exploitable, go ahead and hack.

Good luck!