Home Bargains (HackerOne program)


Target Policy
https://hackerone.com/homebargains?type=team
Structured Scope
  (each entry lists the asset identifier, a description where the program gives one, the asset type, and the maximum severity)
  • staging.tjmorrispayslips.co.uk

    This is an exact replica of the payslip application written for TJ Morris. We are looking to improve the security of the application and take it to the next level. The database is populated with test data and contains no personal information.

    You can perform unauthenticated tests against

    https://staging.tjmorrispayslips.co.uk/

    We are also looking for authenticated tests, to prevent misuse of the application by its users.
    To access the application we provide test accounts on the system.

    Test accounts to be used:

    |Email|Password|Employee ID|
    |-----|---------|------------|
    |ho-test1@homebargains.co.uk|ho-test1|1000001|
    |ho-test2@homebargains.co.uk|ho-test2|92|
    |ho-test3@homebargains.co.uk|ho-test3|1000005|

    **Sign in URL: https://auth.tjmorrispayslips.co.uk/login**

    **Please note: the login page on staging.tjmorrispayslips.co.uk is not functional at the moment, please see the above Sign in URL to access the application.**

    **Please note: auth.tjmorrispayslips.co.uk is out-of-scope (to reiterate auth.tjmorrispayslips.co.uk is not part of the test and is out of scope).**

    Asset type: URL
    Max severity: none
  • https://signin-hackerone.hbstaging.website/
    Asset type: URL
    Max severity: critical
  • hackerone-m1rtuq8orz.hbstaging.website

    A new eCommerce website has been developed. Whilst the front end looks similar to our current site, the back end has been completely redesigned using a "No Server" (serverless) type of infrastructure. There is minimal code in place and, as a result, we hope to be immune from many of the classic web vulnerabilities.

    Please test all aspects of the listed site - https://hackerone-m1rtuq8orz.hbstaging.website/

    You may create accounts
    You may place orders
    You may use test card details to settle orders (see https://stripe.com/docs/testing for test card information)
    Please do not use live card details as payment may not be refunded

    Please also follow the rules outlined in the main program notes.

    We welcome quality submissions, and will reward accordingly for any confirmed vulnerabilities.

    Asset type: URL
    Max severity: critical
  • *.homebargains.co.uk
    Asset type: WILDCARD
    Max severity: none
  • *.hbweb.io
    Asset type: WILDCARD
    Max severity: none
  • *.tjmorris.co.uk
    Asset type: WILDCARD
    Max severity: none
  • *.home.bargains
    Asset type: WILDCARD
    Max severity: none
  • Any physical attempts to gain access to our network
    Asset type: OTHER
    Max severity: none
  • In-store systems and EPOS systems
    Asset type: HARDWARE
    Max severity: none
  • Any third-party systems or domains
    Asset type: OTHER
    Max severity: none
  • auth.tjmorrispayslips.co.uk
    Asset type: URL
    Max severity: none
Target Scope Domains
  • hackerone-m1rtuq8orz.hbstaging.website
  • signin-hackerone.hbstaging.website
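The structured scope above mixes exact hosts, wildcard entries, and an explicit exclusion (auth.tjmorrispayslips.co.uk) whose name sits right next to an in-scope host. Before pointing a scanner or a wordlist at anything, it is worth encoding the scope as data and checking every candidate host against it mechanically. The following is an added example, not part of the program page or of HackerOne's tooling; it treats an entry listed with a max severity of `none` as not reward-eligible (an assumption about how the aggregator rendered the program's out-of-scope list), matches wildcards only on a label boundary so that `evilhomebargains.co.uk` does not match `*.homebargains.co.uk`, and lets an explicit URL entry override a wildcard that would also cover the same host. The `scope` parameter, `classify` and `is_reward_eligible` names are this example's own.

```python
from urllib.parse import urlsplit

# Host-based entries from the page's structured scope: (identifier, asset type, max severity).
# Entries that are not hostnames (physical access, in-store/EPOS hardware, third-party
# systems) cannot be expressed as host patterns and are deliberately left out.
SCOPE = [
    ("staging.tjmorrispayslips.co.uk", "URL", "none"),
    ("https://signin-hackerone.hbstaging.website/", "URL", "critical"),
    ("hackerone-m1rtuq8orz.hbstaging.website", "URL", "critical"),
    ("*.homebargains.co.uk", "WILDCARD", "none"),
    ("*.hbweb.io", "WILDCARD", "none"),
    ("*.tjmorris.co.uk", "WILDCARD", "none"),
    ("*.home.bargains", "WILDCARD", "none"),
    ("auth.tjmorrispayslips.co.uk", "URL", "none"),
]


def _host_of(target):
    """Normalise a bare host, host:port, host/path or full URL to a lowercase hostname."""
    if "://" not in target:
        target = "//" + target  # lets urlsplit treat the first component as the netloc
    host = urlsplit(target).hostname
    if not host:
        raise ValueError("no hostname in %r" % target)
    return host.lower().rstrip(".")


def _matches(identifier, asset_type, host):
    """True if the scope entry covers the (already normalised) host."""
    if asset_type == "WILDCARD" and identifier.startswith("*."):
        base = identifier[2:].lower()
        # Label-boundary suffix match. The bare apex is NOT matched: programs differ on
        # whether "*.example" includes "example", so this example stays conservative.
        return host != base and host.endswith("." + base)
    if asset_type == "URL":
        return host == _host_of(identifier)
    return False  # OTHER / HARDWARE entries are not host patterns


def classify(target, scope=SCOPE):
    """Return (identifier, max_severity) of the most specific matching entry, or None.

    Explicit URL entries outrank wildcards, so an explicitly listed host with
    severity "none" wins even when a wildcard would also cover it. Among entries
    of the same type the longer identifier (more labels) is treated as more specific.
    """
    host = _host_of(target)
    best = None
    best_key = None
    for identifier, asset_type, severity in scope:
        if not _matches(identifier, asset_type, host):
            continue
        key = (2 if asset_type == "URL" else 1, len(identifier))
        if best_key is None or key > best_key:
            best, best_key = (identifier, severity), key
    return best


def is_reward_eligible(target, scope=SCOPE):
    """Assumption of this example: a listed max severity of 'none' means no reward."""
    hit = classify(target, scope)
    return hit is not None and hit[1] != "none"


if __name__ == "__main__":
    # Constructed sample targets for a quick pre-flight check.
    for t in [
        "https://hackerone-m1rtuq8orz.hbstaging.website/checkout",
        "signin-hackerone.hbstaging.website",
        "auth.tjmorrispayslips.co.uk",
        "shop.homebargains.co.uk",
        "evilhomebargains.co.uk",
        "homebargains.co.uk",
    ]:
        print("%-60s %s  eligible=%s" % (t, classify(t), is_reward_eligible(t)))
```

Note that staging.tjmorrispayslips.co.uk is listed on this page with a max severity of `none` even though its description invites testing; the classifier only reports what the structured scope lists, so confirm the current state on the program page itself before relying on it.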
Last Finished Scan:
  • Fleet: allkxss
  • Duration: 22 seconds
  • Finished: 3 weeks ago
  • State: Finished