Sandbox Environment for Penetration Testing

About Secure Gateway®: Secure Gateway® is an AI-driven security solution invented by ALSCO®, designed to deliver multi-layered defense against cyber threats. It operates through advanced network traffic analysis, enabling intelligent detection and prevention of unauthorized access, data breaches, and malicious activities in enterprise environments. This innovative technology is protected under three U.S. patents: U.S. Patent No. 10,498,760 B1 – Revolutionizing Online Security, U.S. Patent No. 10,630,721 B1 – Revolutionizing Email and Database Protection, and U.S. Patent No. 11,777,927 B1 – Establishing Secure Communication Channels.

Additionally, Secure Gateway® is a trademarked brand under Trademark Registration No. 7566628 and Trademark Registration No. 5992874. Secure Gateway® combines cutting-edge AI technology, real-time network analysis, and patented innovations to offer unmatched cybersecurity performance across industries, including government, education, finance, and enterprise sectors.

This sandbox is restricted to hackers on hackerone.com. Please visit the ALSCO bug bounty programs.

Testing Guidelines

1. Authentication Security Testing

Objective: Test if you can bypass the two-factor authentication (2FA) system used by Secure Gateway®.

Instructions:

  • Bypass 2FA:
    - Try to log in without entering the verification code.
    - Check if there is any way to skip or avoid the 2FA step.
  • Guess or Brute Force the Code:
    - Try guessing the 2FA code manually.
    - Use tools or scripts to attempt multiple guesses.
  • Test Code Validity:
    - Check if previously used or expired authentication codes can still grant access.

Goal: Find out if it is possible to log in without a valid 2FA code or if you can guess the code using brute force. Document any vulnerabilities you discover.

2. Secure File Upload Validation

Objective: Test if Secure Gateway® prevents unauthorized or harmful files from being uploaded and executed.

Instructions:

  • Try Uploading Unallowed Files:
    - Upload files whose extensions are not on the allowed list (jpg, jpeg, png, gif, jfif, mp4, doc, docx, pdf, xls, xlsx, ppsx, ppt, pptx, flv, rar, zip, htm, html).
    - Examples of unallowed extensions: exe, php, js, bat, cmd, sh.
  • Open the File in a Browser:
    - After uploading, try opening the file in your browser.
    - Check if it runs scripts, shows content, or behaves strangely.

Goal: Find out if you can upload restricted files and if they run or behave unexpectedly in the browser. Document anything unusual.

3. Content Detection System Testing

Objective: Test if Secure Gateway® can detect and block harmful content hidden inside allowed file types.

Instructions:

  • Upload a File with Hidden Content:
    - Create a file with an allowed extension like .jpg.
    - Inside the file content (not the file name), add this string: [php_uname].
  • Attempt to Upload the File:
    - Upload the file to the system.
    - Check if the system detects and blocks it.

Goal: Determine if Secure Gateway® can detect malicious content hidden inside allowed file types. Document any behavior or vulnerabilities.
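An added example, not Secure Gateway® code (the page does not describe its implementation), of the server-side checks that sections 2 and 3 probe: the page's extension allow-list, a leading-signature check for the image and PDF types on that list, and a content scan for the [php_uname] probe string. The signature table, the filename rules and the generalised [php_...] pattern are assumptions of this example.

```python
import re
from typing import Optional

# Extension allow-list exactly as published on the sandbox page.
ALLOWED_EXTENSIONS = {
    "jpg", "jpeg", "png", "gif", "jfif", "mp4", "doc", "docx", "pdf", "xls",
    "xlsx", "ppsx", "ppt", "pptx", "flv", "rar", "zip", "htm", "html",
}

# The page names [php_uname] as the probe string; this constructed pattern
# generalises it to any [php_...] tag so a renamed probe is caught as well.
CONTENT_MARKERS = re.compile(rb"\[php_[a-z0-9_]+\]", re.IGNORECASE)

# Assumed leading signature bytes for the image and PDF types on the list, used
# to reject content that merely borrows an allowed extension (e.g. PHP in a .jpg).
MAGIC = {
    "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff", "jfif": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "pdf": b"%PDF",
}

def extension_of(filename: str) -> Optional[str]:
    """Lower-cased final suffix, or None for names that must be rejected outright
    (path separators, NUL bytes, no suffix)."""
    if not filename or "\x00" in filename or "/" in filename or "\\" in filename:
        return None
    parts = filename.rsplit(".", 1)
    if len(parts) != 2 or not parts[1]:
        return None
    # "shell.php.jpg" yields "jpg": the allow-list only sees the last suffix,
    # which is why the signature check below is needed as a second gate.
    return parts[1].lower()

def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for one upload, applying the three checks in order."""
    ext = extension_of(filename)
    if ext is None:
        return False, "malformed filename"
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension '{ext}' is not on the allow-list"
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        return False, f"content does not carry a {ext} signature"
    hit = CONTENT_MARKERS.search(data)
    if hit:
        return False, f"blocked marker {hit.group().decode()} found in content"
    return True, "accepted"
```

Because htm and html are on the page's allow-list, passing this validator does not by itself settle the browser check in section 2; accepted files also need to be served so they cannot execute in the application's origin, for example with Content-Disposition: attachment and X-Content-Type-Options: nosniff, or from a separate download origin.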

4. Injection Vulnerability Testing

Objective: Test if the Royal CMS is vulnerable to SQL Injection, URL Injection, or XSS attacks that could manipulate files, alter database records, or download sensitive data.

Instructions:

  • SQL Injection:
    - Try injecting SQL commands into input fields (e.g., login forms, search boxes).
    - Check if you can alter database values, retrieve sensitive data, or access restricted areas.
  • URL Injection:
    - Modify URLs in the browser's address bar to inject commands.
    - Check if you can access unauthorized files or manipulate data.
  • XSS Injection (Cross-Site Scripting):
    - Insert malicious scripts (e.g., JavaScript) into input fields.
    - Check if the scripts execute in the browser or affect user sessions.
  • Observe System Behavior:
    - Check if your injections caused any file changes on the server, altered database records, or enabled database downloads.

Goal: Identify if SQL Injection, URL Injection, or XSS attacks can manipulate files, alter database values, or expose sensitive information. Document any vulnerabilities found.

Important Notes

This is the only sandbox testing environment where many Secure Gateway® security functions are disabled. Some hacking tools and methods may work here but will not function in the live product.
