Okta

  • $100 – $75,000 per vulnerability
  • Safe harbor

Adding Okta Identity Engine & AtSpoke to the Program!

Hello Researchers!

We have exciting news! We are adding Okta Identity Engine & AtSpoke (Okta Access Requests) to the program scope!

Okta Identity Engine

  • Okta OIE allows organizations to customize their Okta cloud components and satisfy an unlimited number of use cases. Instead of relying on predefined behavior for identification, authorization, and enrollment, Identity Engine offers customizable building blocks that can support dynamic, app-based user journeys. More information can be found here: https://help.okta.com/oie/en-us/Content/Topics/identity-engine/oie-get-started.htm
  • Okta OIE will function and look very similar to Okta Classic, but there are many new features available to test.
  • The authentication pipeline is different from Classic, so that is definitely one of the key focus areas!
  • When submitting a report, please mention which environment you found it in, OIE or Classic!

NOTE: If you discover a vulnerability and are able to reproduce it in both Classic & OIE, that does not make it two different vulnerabilities. It will be considered a single vulnerability within Classic. Make sure to test in both environments to confirm whether it is unique to either Classic or OIE. By the end of the year, Classic will be removed from the scope.

Classic Orgs

  • bugcrowd-%username%-#.oktapreview.com

OIE Orgs

  • bugcrowd-oie-%username%-#.oktapreview.com

AtSpoke (Okta Access Requests)

  • Okta Access Requests automates the process of requesting access to applications and resources. Expanding on Okta's existing self-service offerings, Access Requests delivers a simplified and frictionless approach that automatically routes user requests to one or more approvers for action.

AtSpoke (Okta Access Requests) In-Scope

  • bugcrowd-oie-%username%-1.at.oktapreview.com
  • bugcrowd-oie-%username%-2.at.oktapreview.com

AtSpoke (Okta Access Requests) Out of Scope

  • Okta Workflows actions in access requests
  • Entitlement bundles as a resource in access requests

Key Focus Areas For AtSpoke

Security Codes
Security codes can be found at the bottom of the program page by clicking "Get Credentials". Each researcher has been assigned 5 unique security codes. These security codes can be used to create your orgs through the new registration page and will be deleted immediately upon use. Make sure to create at least 2 Super Admins in each org for resetting locked accounts and handling account problems. Okta Security will not provide support or additional security codes.

OIE Org Creation
To create the new OIE orgs and gain access to Okta Access Requests, you will need to provide your BCID and a Security Code. Make sure you provide your correct BCID, or the security code will become invalid. Okta Security will not provide support or additional security codes.

You can go to Okta Registration and create your orgs there! Each org will be created with the following naming convention:

  • bugcrowd-oie-%username%-1.oktapreview.com
  • bugcrowd-oie-%username%-2.oktapreview.com

OUT OF SCOPE
Testing against the new registration page is STRICTLY OUT OF SCOPE and will result in an immediate ban from the program. NO EXCEPTIONS!

As always, please be sure to review the program brief in detail.

Happy Hunting!