Greetings everyone, I hope you all are doing well.
I am Taha Diwan and I work at IZYITS
I would like to share with you my experience uncovering a vulnerability on the Dutch government website.
In today’s write-up, we’ll dive into the vulnerabilities I discovered on Dutch government websites: an Information Disclosure issue, a Password Reset Poisoning issue and, the one that was finally accepted, a “Password Reset Token Sent Over HTTP” issue.
By exploiting this vulnerability, I was able to demonstrate how an attacker could intercept sensitive tokens transmitted over an unencrypted connection. This security flaw could allow an attacker to compromise user accounts by capturing the reset tokens sent over HTTP, potentially exposing users’ private information.
If anyone submits a report to the Dutch government and it gets accepted as valid, they reward the researcher with a cool T-shirt that says, “I hacked the Dutch government, and all I got was this lousy T-shirt”.
Inspired by this, I too decided to begin bug hunting on the Dutch Government Website.
So lets begin,
I came across a GitHub list of approximately 1765 subdomains associated with Dutch government websites. From this extensive list, I selected the first 10 subdomains to start my bug hunting.
During my hunting, I found an “Information Disclosure” vulnerability and promptly submitted a report. Within a remarkably short time, 10 to 15 minutes, I received a response saying they could not accept it because of the vulnerability’s low impact.
I decided to give it another try. This time I focused on a specific domain, used the Knockpy tool to enumerate its subdomains, and started visiting each subdomain one by one.
Let’s assume the subdomain to be “abc.dutchgov.nl,” as I prefer not to disclose its actual domain.
I first created an account, then went to the login page and began checking the password reset functionality for vulnerabilities.
I tested the password reset functionality by entering my email with Burp Suite running and the proxy turned on. After clicking ‘send’, I intercepted the request, sent it to Repeater, and attempted to replace the normal Host with ‘evil.com’. However, this didn’t work.
Next, I tried adding ‘X-Forwarded-Host: evil.com’ and sent the request, receiving a 200 OK status. I checked my email and confirmed that the host in the reset link had changed to ‘evil.com’.
I immediately submitted this Password Reset Poisoning Vulnerability to the Dutch government, and then, one day later, I received a reply stating, “Thank you for your report. However, we have already received a responsible disclosure report for this particular vulnerability and are currently in the process of resolving it. Therefore, we will not process your report.”
I didn’t let that stop me because I wanted that T-shirt with the print, ‘I hacked the Dutch government, and all I got was this lousy T-shirt.’
Then, I targeted another subdomain from the list I had discovered using Knockpy.
I began hunting on this subdomain. Let’s assume this other subdomain is ‘xyz.dutchgov.nl’, as again I prefer not to disclose the actual domain. I went to its signup page, created an account without delay, and accessed the password reset functionality.
I checked for a password reset poisoning vulnerability by entering my email address, intercepting the request with Burp Suite, replacing the actual Host with ‘evil.com’, and sending it.
Upon checking my email, I noticed that the actual domain remained unchanged, but the password reset link was delivered over the insecure HTTP protocol. This was the vulnerability: ‘Password Reset Token Sent Over HTTP’.
I immediately reported it, and within a day, this report was accepted.
What’s the vulnerability and its impact?
A “Password Reset Token Sent Over HTTP” vulnerability occurs when the reset link the application emails to the user points to an http:// URL. When the user clicks it, the reset token travels to the server in a plaintext GET request, where anyone on the network path (an open Wi-Fi network, a compromised router, a corporate proxy) can read it.
An attacker who captures the token can use it before the legitimate user does, set a new password and take over the account; an active on-path attacker can also tamper with the plaintext response. A server-side redirect from HTTP to HTTPS does not fix this, because the token is already on the wire in the first plaintext request; the link itself must be https:// (ideally with HSTS so the browser never downgrades), and the token should additionally be single-use and short-lived so that a captured token is worth as little as possible.
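The two flaws found above (a reset link whose host comes from an attacker-supplied X-Forwarded-Host header, and a reset link delivered as http://), as an added example that is not code from the write-up or from the affected sites. It models a reset endpoint that builds the link from request data, the hardened version that builds it from a configured origin, and a small audit that would have flagged both findings in the outgoing email. The hostname, path and the raw request are constructed assumptions.

```python
# Added example, not code from the write-up or from the affected site.
# It models the two password-reset link flaws described above: a link whose
# host is taken from an attacker-controlled X-Forwarded-Host header (reset
# poisoning) and a link that uses plain http:// (token sent over HTTP), next
# to a hardened version and a small audit that would have flagged both.
import secrets
from urllib.parse import urlsplit

# Constructed sample request, shaped like the one replayed from Burp Repeater.
# Hostname and path are assumptions; the X-Forwarded-Host value is the attack.
RAW_REQUEST = (
    "POST /password/reset HTTP/1.1\r\n"
    "Host: abc.dutchgov.nl\r\n"
    "X-Forwarded-Host: evil.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "email=victim%40example.org"
)

# Assumed deployment constants; a real application would load them from config.
CANONICAL_ORIGIN = "https://abc.dutchgov.nl"
RESET_PATH = "/password/reset/confirm"


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers, body).

    Header names are lower-cased so look-ups do not depend on the casing the
    client used; a repeated header keeps its last value (enough for this demo).
    """
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def build_reset_link_vulnerable(headers, request_scheme, token):
    """Build the link the way a poisonable application does.

    Both inputs come from the request: the host is taken from
    X-Forwarded-Host (falling back to Host) and the scheme is whatever the
    request arrived with. The attacker controls the first; a plain-HTTP
    listener behind a TLS-terminating proxy yields the second.
    """
    host = headers.get("x-forwarded-host") or headers.get("host")
    return f"{request_scheme}://{host}{RESET_PATH}?token={token}"


def build_reset_link_safe(token):
    """Build the link from a configured origin only: nothing in the request
    influences where the token is sent or how it travels."""
    return f"{CANONICAL_ORIGIN}{RESET_PATH}?token={token}"


def audit_reset_link(link, expected_host):
    """Return the findings a reviewer of the outgoing email would raise.

    An empty list means the link is both https and on the expected host.
    """
    parts = urlsplit(link)
    findings = []
    if parts.scheme != "https":
        findings.append("reset token sent over plaintext HTTP")
    if parts.hostname != expected_host:
        findings.append(f"reset link host is {parts.hostname!r}, "
                        f"expected {expected_host!r}")
    return findings


def handle_reset_request(raw, request_scheme="http", hardened=False):
    """Simulate the reset endpoint: mint a token and return the link that
    would be emailed to the address in the request body."""
    _method, _path, headers, _body = parse_request(raw)
    # Unguessable token; a real implementation also makes it single-use and short-lived.
    token = secrets.token_urlsafe(32)
    if hardened:
        return build_reset_link_safe(token)
    return build_reset_link_vulnerable(headers, request_scheme, token)


if __name__ == "__main__":
    for hardened in (False, True):
        link = handle_reset_request(RAW_REQUEST, hardened=hardened)
        print(("hardened  " if hardened else "vulnerable") + ":", link)
        print("  findings:", audit_reset_link(link, "abc.dutchgov.nl") or "none")
```

Running the script prints the poisoned http://evil.com/... link with two findings for the vulnerable path and the https:// canonical link with none for the hardened path. The same audit, run over the links in received reset emails, is a quick way to spot the xyz.dutchgov.nl case too: the host stays correct but the scheme finding fires.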
After patching the vulnerability, they sent me an email regarding swag.
Thank you so much for reading. Have a great day!