Penetration Testing for CROMP Digital Tool

Tender ID: 554563

Tender Details

Tender #: DM-23283
Status: Closed
Publish Date: 15 April 2024
Closing Date: 17 April 2024

Tender Description

This Tender is invited by the Issuer.

Penetration Testing for the Climate Risk Digital Tool.

Black-box testing of the external attack surface of the CROMP Digital Tool.

The scope of the pen testing will be:

  • Verify the login and registration flows (Azure B2C), including the MFA challenge, periodic password reset, and the domain restriction that limits registrations to .gov.au addresses.
  • Verify the externally accessible portions of the digital tool, including the security of the backend infrastructure, the backend API (approximately 50 endpoints), and the RBAC on assessments, i.e. that administrators and collaborators (who have access to subsets of assessment data) can act only within their assigned roles.
  • The tool has a React frontend: test for XSS, cross-site request forgery (CSRF), insecure use of browser local storage, and related client-side issues.

Out of scope

  • GovCMS
  • Internal network/infrastructure testing
  • Reporting of test outcomes.