Credentials Management

Provision and manage test accounts for hunters with a set of dedicated features and workflows

In a few words, 'Credentials management' is a program-related feature that lets you manage and describe what type of test accounts will be provided and how the corresponding credentials will be provisioned and distributed. 

As a Program Manager, how to USe it?

Instead of - somehow - manage test accounts distribution to hunters over emails or other means, you can manage and monitor credentials provisioning directly on YesWeHack platform.

For better understanding, let us take an example:
> You have a web application with 3 types of accounts : basic, advanced and privileged
> You want to achieve in-depth security and you are willing to provide test accounts for each type of users to let the hunter play around with it.

In your Program management panel, you will find a ‘Credentials Management’ menu :

From here, you can configure two types of credential pools:

• Email credentials: you are notified when hunters asks for credentials, you create the account within your system with the email address provided and then communicate their credentials to the hunters.
• Login credentials: you import pre-provisioned accounts into the pool and then they are assigned automatically to hunters when they request credentials on the program. 

In the screenshot below, we created 3 separated pools, one for each type of access:

Then, for each credentials pool, you can:

• edit the pool (title, descriptions, nbr of accounts per hunter);
• consult the status/assignement of credentials;
• revoke/update assignements;
• disable the whole pool

Now, let's see how it works with the 2 options of credential pools.

Option 1 : email credentials

When you create a new pool, you will give it a title, provide a short description to better contextualize where & how those credentials can be used, as well as a number of accounts provided per hunter (e.g. each hunter will be assigned 2 set of credentials).

Now that your pool is created, you need to activate it, so that hunters can see it and request it from their YesWeHack account. Most of the time, hunters will directly request you those credentials through the platform. It will appear as pending request, like in our example below :

Then just click on the credential pool where you have a pending request to see more details (screenshot below)

From here, you may now select the emails account you wish to provision. Just select the 'validate' icon. You will then have again 2 more options:

1.A - Directly create a password for the appropriate email address

1.B - Indicate that the hunter will receive a specific email from you to activate its account

Once completed, the credentials will appear as assigned to the hunter.

Option 2 : login credentials

When you create a new pool, you will give it a title, provide a short description to better contextualize where & how those credentials can be used, as well as a number of accounts provided per hunter (e.g. each hunter will be assigned 2 set of credentials).

 

Once the pool created, you may now provision it with available set of credentials, i.e. valid login/password couples ;)

To add more credentials in a given pool, you may import a .csv file or add them manually.

 

At any moment, you can check who claimed his credentials, how many sets are still available or, on the contrary, how many credentials request could not be addressed and thus make sure to add enough in your next batch.
You can see in the example below that ' credentials are prepared out of which 2 are assigned to the hunter 'TestPPHacker'

As a Hunter, what will THEY see?

Curious about how does it work from an hunter point of view? Everything you need to know is in this article.