Skip to content

ZKProva Penetration Test Scope

Document version: 1.0 Last updated: 2026-02-28 Classification: Confidential — For Authorized Testers Only

Executive Summary

ZKProva is a ZKP-powered portable identity platform built for credit unions. It enables members to prove financial attributes (credit score ranges, membership standing, income brackets) to third-party lenders using Groth16 ZK-SNARKs, without disclosing raw financial data. The platform issues W3C Verifiable Credentials anchored to DID:key identifiers, verified via Ed25519 signatures.

Credit union partnerships — starting with institutions like Demo CU (millions of members) — require demonstrable security assurance before production integration. A third-party penetration test is required to satisfy partner due diligence, satisfy SOC 2 preparation requirements, and validate the security controls implemented across the credential issuance and verification pipeline.

The application handles sensitive financial identity data. A compromise could result in credential forgery, member impersonation at lenders, or unauthorized disclosure of credit union member records. This pentest must be thorough and adversarial.

Scope

In-Scope: API Endpoints

All endpoints are hosted at https://api.zkprova.com (staging: https://api-staging.zkprova.com). The test environment is preferred for active exploitation; production read-only recon is permitted.

Authentication & Session Management

Method Path Notes
POST /auth/register Member registration
POST /auth/login Returns JWT access + refresh tokens
POST /auth/refresh Token refresh
POST /auth/logout Token invalidation
POST /auth/verify-email Email verification token
POST /auth/forgot-password Password reset initiation
POST /auth/reset-password Password reset with token
POST /auth/mfa/setup TOTP MFA enrollment
POST /auth/mfa/verify TOTP verification
POST /auth/recovery-codes Recovery code generation

Credential Issuance

Method Path Notes
POST /credentials/issue Issues a Verifiable Credential
GET /credentials/{id} Retrieve credential by ID
GET /credentials List member credentials
DELETE /credentials/{id} Revoke a credential
POST /credentials/batch Batch issuance endpoint
GET /credentials/jobs/{job_id} Async issuance job status

ZKP Proof Generation & Verification

Method Path Notes
POST /proofs/generate Generate ZKP from credential
POST /proofs/verify Verify a submitted ZKP
GET /proofs/{id} Retrieve proof record

NCUA Validation

Method Path Notes
GET /ncua/validate/{charter_number} Validate credit union via NCUA API

Webhooks

Method Path Notes
POST /webhooks Register a webhook endpoint
GET /webhooks List registered webhooks
PUT /webhooks/{id} Update webhook config
DELETE /webhooks/{id} Remove webhook
GET /webhooks/{id}/deliveries Delivery history
POST /webhooks/{id}/retry Manually retry failed delivery

Admin

Method Path Notes
GET /admin/users List all users
GET /admin/users/{id} Get user detail
PUT /admin/users/{id}/role Promote/demote user role
DELETE /admin/users/{id} Delete user account
GET /admin/credentials All credentials across members
GET /admin/metrics Platform metrics
POST /admin/issuers Register an issuer (credit union)

Analytics

Method Path Notes
GET /analytics/lender Lender-facing verification stats
GET /analytics/issuer Issuer-facing issuance stats

Health / Utility

Method Path Notes
GET /health Service health check
GET /docs OpenAPI docs (disabled in prod)

In-Scope: Infrastructure

  • Docker containers: zkprova-backend, zkprova-frontend, zkprova-db (PostgreSQL), zkprova-redis
  • Terraform-managed AWS resources: ECS task definitions, IAM roles and policies, security group rules, ALB configuration, RDS PostgreSQL instance, ElastiCache Redis, S3 bucket policies, KMS key policies, Secrets Manager access patterns
  • Frontend: https://zkprova.com (Next.js) — client-side logic, CSP headers, cookie attributes, exposed API keys in JS bundles

Out-of-Scope

The following are explicitly excluded. Do not test these surfaces:

  • AWS managed services internals: RDS engine, ElastiCache internals, KMS HSM — attack the application layer, not the managed service
  • Expo/React Native mobile app (iOS/Android): excluded from this engagement; separate mobile assessment planned
  • Third-party identity providers or OAuth providers not controlled by ZKProva
  • DNS registrar and domain registrar accounts
  • Physical security
  • Social engineering against ZKProva employees
  • Volumetric DoS/DDoS — functional logic DoS (e.g., resource exhaustion via crafted inputs) is in scope; raw flood attacks are not
  • Email infrastructure (SES) — testing email deliverability or spoofing is out of scope

Key Areas of Focus

These are the highest-priority attack surfaces based on the application's architecture and threat model.

1. JWT Token Handling

  • Algorithm confusion attacks (alg: none, RS256 → HS256 downgrade)
  • Signature verification bypass — verify the backend rejects tokens with null or empty signatures
  • Token replay after logout — confirm the token blacklist (Redis) functions correctly
  • Refresh token rotation — test whether refresh tokens are single-use
  • JWT secret entropy — if testable via timing or oracle
  • Cross-tenant token acceptance — can a token issued for member A be used to access member B's credentials?

2. ZKP Proof Verification Bypass

This is the platform's core security primitive. A bypass here allows credential forgery.

  • Submit proofs with invalid or forged pi_a, pi_b, pi_c fields and confirm rejection
  • Submit a valid proof for one claim against a different credential (proof reuse)
  • Manipulate public inputs (publicSignals) while keeping the proof structure valid
  • Test whether the verifier checks the verification key matches the circuit/credential type
  • Explore whether the async job queue (/credentials/jobs) can return results for another user's job by job ID enumeration
  • Test proof expiry enforcement — replay an expired proof

3. SSRF via Webhook Registration

  • Register webhook URLs pointing to internal AWS metadata endpoint (http://169.254.169.254/)
  • Test http://localhost/, http://127.0.0.1/, http://[::1]/, and DNS rebinding vectors
  • Test cloud-internal hostnames (e.g., http://rds.internal/, ECS task metadata endpoint)
  • Test redirect chains that resolve to internal hosts
  • Evaluate HMAC signature verification on delivery — can a lender forge an inbound webhook event?

4. Privilege Escalation (Member to Admin)

  • Attempt to call /admin/* endpoints with a member-role JWT
  • Test mass assignment in user update endpoints — can a member set their own role field?
  • IDOR on credential endpoints — can member A retrieve or revoke member B's credentials?
  • IDOR on admin user detail endpoint — predictable integer IDs vs. UUIDs
  • Horizontal escalation: lender role accessing issuer analytics and vice versa

5. SQL Injection

  • All filterable GET endpoints that accept query parameters (/admin/users?email=, /credentials?status=)
  • Batch credential issuance payload fields
  • Login endpoint username/email fields
  • Test both inline injection and second-order injection via stored values

6. Credential Forgery

  • Tamper with Verifiable Credential JSON structure before proof generation
  • Test whether the issuer signature (Ed25519) is validated before proof generation begins
  • Submit credentials with altered credentialSubject fields but valid signatures over different data
  • Test whether credential revocation is enforced at proof verification time

7. Additional Checks

  • Rate limiting: Verify limits are enforced on login, registration, OTP endpoints; test bypass via IP rotation headers (X-Forwarded-For)
  • Input validation: Oversized payloads, Unicode edge cases, null bytes in string fields
  • Cryptographic implementation: AES-256-GCM nonce reuse (check if nonces are random per encryption or derived), Poseidon hash input handling
  • Error messages: Confirm stack traces and internal paths are not leaked in 4xx/5xx responses
  • CORS policy: Verify Access-Control-Allow-Origin is not wildcard on credentialed endpoints
  • Security headers: CSP, HSTS, X-Frame-Options, X-Content-Type-Options on frontend

Test Environment Details

Property Value
Base URL (API) https://api-staging.zkprova.com
Base URL (Frontend) https://staging.zkprova.com
Test accounts provided 2 member accounts, 1 issuer account, 1 lender account (no admin — escalation is a test objective)
Database Isolated staging RDS instance — data resets nightly
ZKP circuits Same Groth16 verification keys as production
Rate limit thresholds Lower than production — document if you trip them
Pentest window Coordinate with security@zkprova.com before starting active scans
Emergency contact security@zkprova.com — response within 4 hours during business days

Testers will be provided with an OpenAPI spec (JSON), the Docker Compose file for local replication, and read access to the Terraform module outputs (security group rules, IAM policy documents) to aid infrastructure review.

Deliverables

The following deliverables are required from the testing firm at engagement close:

  1. Executive summary report (2–3 pages): Suitable for board-level and credit union partner audiences. No technical jargon. Severity distribution and key risk narrative.

  2. Technical findings report: Each finding must include:

  3. Title and CVSSv3.1 score
  4. Affected endpoint or component
  5. Proof of concept (reproduction steps, request/response, screenshots)
  6. Impact description
  7. Remediation recommendation

  8. Retest status (if retesting is included in scope)

  9. Findings log (spreadsheet): Machine-readable summary of all findings with severity, status, and affected asset.

  10. Retest report (if applicable): Confirmation of remediated findings after fixes are deployed.

  11. Raw findings handoff: Any scanner output, Burp project files, or custom tooling artifacts — shared via secure file transfer.

Findings should be delivered in a draft report within 5 business days of test completion, with a final report after remediation review.

The following firms are recommended based on relevant expertise. ZKProva has no existing relationship with any of them.

Firm Relevant Expertise Notes
Trail of Bits ZKP cryptography, Rust/Python, blockchain security Preferred for ZKP circuit review; deep Groth16 and snark audit experience
NCC Group Web application, API security, cloud infrastructure Strong AWS and container security practice
Cure53 Web application, JavaScript, cryptographic implementations Excellent for frontend and JWT-layer review
Bishop Fox Red team, API, cloud Good fit for privilege escalation and SSRF objectives

Trail of Bits is the recommended primary firm if budget allows, specifically because of their ZKP expertise. The proof verification bypass surface (/proofs/verify, circuit verification key handling) warrants cryptographic-level review, not just API fuzzing.

Rules of Engagement

  • All testing must occur against the staging environment unless explicitly authorized for production read-only recon
  • Destructive actions (dropping tables, deleting production data, exfiltrating real member PII) are prohibited
  • Any critical finding (CVSS >= 9.0) must be reported immediately via email to security@zkprova.com, not held until report delivery
  • Testers must not disclose findings to third parties or publish details before a coordinated disclosure window agreed with ZKProva
  • Testing hours: 24/7 is acceptable against staging; production recon limited to business hours