Ping Identity HackerOne


Target Policy
https://hackerone.com/pingidentity?type=team
Structured Scope
  • Asset Identifier
    Asset Type
    Max Severity
  • https://uploads.pingone.com
    URL
    none
  • https://openam-bug-bounty-stag.forgeblocks.com/*

    * **What it is:**
    * Administrative console for the single-tenant SaaS PingOne Advanced Identity Cloud platform, which manages IAM functionality for Enterprise customers.
    * Staging environment - Used for testing development changes, including stress tests and scalability tests with realistic deployment settings.
    * **What it does:**
    * Allows administrators to configure authentication workflows and assign different authentication policies (SAML, OAuth2, and OpenID Connect are supported) to each of your applications.
    * Supports Single-Sign-On (SSO) and Multi-Factor Authentication (MFA) across all connected applications.
    * Offers robust user-management capabilities.
    * **Documentation:**
    * https://backstage.forgerock.com/docs/idcloud/latest/overview.html

    WILDCARD
    critical
  • https://console.pingone.com
    URL
    none
  • http://ort-authenticator.pingone.com/*


    * **What it is:**
    * Multi-factor Authentication (MFA) authenticator service
    * MFA is configured via the PingOne Desktop > Devices > My Device > Add.
    * Ping Authenticator used for Multi-Factor Authentication (MFA)
    * The authenticator is a service which provides multi-factor via PingID mobile applications available in the iTunes and Android app stores, Yubikey Series 4, PingID Desktop apps for OS X and Windows, or email.
    * The authenticator service is a back-end hosted service.
    * The client MFA applications are not in scope, but the protocol data and authenticator service are; this includes requests and responses.

    * **What it does:**
    * Employs MFA (typically [PingID](https://www.pingidentity.com/en/cloud/pingid.html)) to authenticate users and then pass control back to PingOne for Enterprise

    WILDCARD
    high
  • auth.ort-one-pingone.com
    URL
    critical
  • https://authenticator.pingone.com
    URL
    none
  • https://ort-authenticator.pingone.com/*


    * **What it is:**
    * Multi-factor Authentication (MFA) authenticator service
    * MFA is configured via the PingOne Desktop > Devices > My Device > Add.
    * Ping Authenticator used for Multi-Factor Authentication (MFA)
    * The authenticator is a service which provides multi-factor via PingID mobile applications available in the iTunes and Android app stores, Yubikey Series 4, PingID Desktop apps for OS X and Windows, or email.
    * The authenticator service is a back-end hosted service.
    * The client MFA applications are not in scope, but the protocol data and authenticator service are; this includes requests and responses.

    * **What it does:**
    * Employs MFA (typically [PingID](https://www.pingidentity.com/en/cloud/pingid.html)) to authenticate users and then pass control back to PingOne for Enterprise

    WILDCARD
    high
  • https://uploads-staging.pingone.com
    URL
    none
  • api.ort-one-pingone.com
    URL
    critical
  • https://test-desktop.pingone.com
    URL
    none
  • https://test-sso.connect.pingidentity.com
    URL
    none
  • http://ort-admin.pingone.com/*


    * **What it is:**
    * Administrative web portal for PingOne For Enterprise (P14E)
    * **What it does:**
    * Allows P14E administrators to manage all aspects of their enterprise user accounts

    WILDCARD
    critical
  • http://api-staging.pingone.com/*


    * **What it is:**
    * REST API for configuring and managing your PingOne For Customers organization

    Please note that this documentation points to **PROD**, which is out of scope for this engagement. To access the ORT environment, URLs will have to be appended with -staging, like the console link above.

    WILDCARD
    critical
  • http://apps-staging.pingone.com/*

    * **What it is:**
    * Cloudfront distribution for the PingOne for Customers login/authentication flow orchestration and self-service account/profile management user interfaces
    * **What it does:**
    * Provides user interface for administrators to configure authentication flows and assign different authentication policies
    * Provides interface for end users to manage their account profiles and settings

    WILDCARD
    critical
  • http://ort-desktop.pingone.com/*


    * **What it is:**
    * Central hub of PingOne For Enterprise, a cloud-based dock that provides users with secure SSO access to an expansive library of applications
    * **What it does:**
    * Provides many pre-existing integrations with popular SaaS applications
    * Leverages SAML, OIDC and other secure identity standards to integrate with any other cloud-based applications
    * Provides the option of storing user identity data in PingOne’s cloud directory

    WILDCARD
    high
  • https://admin.pingone.com
    URL
    none
  • https://api.pingone.com
    URL
    none
  • https://desktop.pingone.com
    URL
    none
  • http://console-staging.pingone.com/*

    * **What it is:**
    * Administrative console to the PingOne For Customers platform that manages user access, authentication types, and connected applications.
    * **Here's how to add an application to your PingOne For Customer environment:**
    https://youtu.be/TBA5VTfnsSE
    * **Sample client-side app (Please note that the content of the GitHub repository is out of scope):**
    https://github.com/pingidentity/pingone-customers-sample-oidc

    * **What it does:**
    * Allows administrators to configure authentication workflows and assign different authentication policies (SAML, OAuth2, and OpenID Connect are supported) to each of your applications.
    * Supports Single-Sign-On (SSO) and Multi-Factor Authentication (MFA) across all connected applications.
    * Offers robust user-management capabilities.

    WILDCARD
    critical
  • https://ort-desktop.pingone.com/*


    * **What it is:**
    * Central hub of PingOne For Enterprise, a cloud-based dock that provides users with secure SSO access to an expansive library of applications
    * **What it does:**
    * Provides many pre-existing integrations with popular SaaS applications
    * Leverages SAML, OIDC and other secure identity standards to integrate with any other cloud-based applications
    * Provides the option of storing user identity data in PingOne’s cloud directory

    WILDCARD
    high
  • https://console-staging.pingone.com/*

    * **What it is:**
    * Administrative console to the PingOne For Customers platform that manages user access, authentication types, and connected applications.
    * **Here's how to add an application to your PingOne For Customer environment:**
    https://youtu.be/TBA5VTfnsSE
    * **Sample client-side app (Please note that the content of the GitHub repository is out of scope):**
    https://github.com/pingidentity/pingone-customers-sample-oidc

    * **What it does:**
    * Allows administrators to configure authentication workflows and assign different authentication policies (SAML, OAuth2, and OpenID Connect are supported) to each of your applications.
    * Supports Single-Sign-On (SSO) and Multi-Factor Authentication (MFA) across all connected applications.
    * Offers robust user-management capabilities.

    WILDCARD
    critical
  • apps.ort-one-pingone.com
    URL
    critical
  • console.ort-one-pingone.com
    URL
    critical
  • https://developer.pingidentity.com/*
    WILDCARD
    none
  • https://*.pingidentity.net
    WILDCARD
    none
  • https://*.pingidentity.io
    WILDCARD
    none
  • https://ort-admin.pingone.com/*


    * **What it is:**
    * Administrative web portal for PingOne For Enterprise (P14E)
    * **What it does:**
    * Allows P14E administrators to manage all aspects of their enterprise user accounts

    WILDCARD
    critical
  • https://*.pingidentity.com
    WILDCARD
    none
  • https://apps-staging.pingone.com/*

    * **What it is:**
    * Cloudfront distribution for the PingOne for Customers login/authentication flow orchestration and self-service account/profile management user interfaces
    * **What it does:**
    * Provides user interface for administrators to configure authentication flows and assign different authentication policies
    * Provides interface for end users to manage their account profiles and settings

    WILDCARD
    critical
  • https://api-staging.pingone.com/*


    * **What it is:**
    * REST API for configuring and managing your PingOne For Customers organization

    Please note that this documentation points to **PROD**, which is out of scope for this engagement. To access the ORT environment, URLs will have to be appended with -staging, like the console link above.

    WILDCARD
    critical
Target Scope Domains
  • api-staging.pingone.com
  • api.ort-one-pingone.com
  • apps-staging.pingone.com
  • apps.ort-one-pingone.com
  • auth.ort-one-pingone.com
  • console-staging.pingone.com
  • console.ort-one-pingone.com
  • openam-bug-bounty-stag.forgeblocks.com
  • ort-admin.pingone.com
  • ort-authenticator.pingone.com
  • ort-desktop.pingone.com
Last Finished Scan:
  • Fleet: allkxss
  • Duration: 22 Seconds
  • Finished: 1 week, 5 days ago
  • State: Finished