Simple bug on Indian government website | Govt. bug hunting

6 months ago 30

SIDHARTH PANDA

Hey fellas, how are you guys doing? I hope everything is going great, and if you are new to bug hunting, then don’t worry, we are on the same page.

In this article, I will take you through my journey of finding a bug on an Indian government website, along with a glimpse of the things that helped me and changed my mindset.

So, let’s begin…

So, I was fed up with finding bugs on targets that were listed on HackerOne. Hence, I decided to start bug hunting on govt. websites. Usually they are easy to find and most of the websites are vulnerable.

For starters, I had to choose a website. So, I chose the MOD’s website (Ministry of Defense); yeah, I thought of the irony too. However, while surfing through it I came across another government website, i.e., DRDO’s website. As it felt exciting to look into it, I made it my prime target.

I straight away went to my Linux machine and started to look at the website. Initially I checked all the functionality of the website and did some dorking to find exposed documents. (I will share all the websites I used at the end of this article.)

But still no luck. Then I thought that there might be something in their directories, so I did directory brute forcing using Dirsearch too. It is one of the best tools I have ever used. I ran this tool and yup, there wasn’t anything there. Still, I left the tool running until it showed “Task completed.”

Once it showed me the message, I went through the Dirsearch results again and got to know that there was a directory on the website which exposed vulnerable code along with some very important and crucial results.

The vulnerable code exposed.

As soon as I saw this, I thought there might be some way to exploit this code. But I couldn’t find one, so I left it there and decided to write a report showing this as a bug.

Thus, I wrote a report using their given template, and after some days they replied that the bug I had submitted was valid and that they had rectified it.

So, I again went to that website but this time it showed 404 page not found, which means they have removed that file from their servers, which is a good thing.
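For the people running such a site, a directory scan like the one above leaves a clear trace in the web server's access log: one client collecting a long run of 404s, and the few paths that answered 200 are the files to review and take down. A small detection sketch, added here as an example and not taken from the report or any tool mentioned in this article; the log lines, IPs, paths and thresholds are constructed for illustration:

```python
import re
from collections import defaultdict

# Constructed access-log lines (combined log format). The IPs are
# documentation ranges and the paths are made up for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /admin/ HTTP/1.1" 404 153 "-" "scanner"
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /backup/ HTTP/1.1" 404 153 "-" "scanner"
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "scanner"
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /old/index.php.bak HTTP/1.1" 200 8841 "-" "scanner"
203.0.113.7 - - [01/Jan/2024:10:00:03 +0000] "GET /test/ HTTP/1.1" 404 153 "-" "scanner"
203.0.113.7 - - [01/Jan/2024:10:00:03 +0000] "GET /uploads/ HTTP/1.1" 404 153 "-" "scanner"
198.51.100.20 - - [01/Jan/2024:10:01:10 +0000] "GET / HTTP/1.1" 200 5120 "-" "browser"
198.51.100.20 - - [01/Jan/2024:10:01:12 +0000] "GET /about HTTP/1.1" 200 3301 "-" "browser"
198.51.100.20 - - [01/Jan/2024:10:01:15 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "browser"
198.51.100.20 - - [01/Jan/2024:10:01:20 +0000] "GET /contact HTTP/1.1" 200 2210 "-" "browser"
198.51.100.20 - - [01/Jan/2024:10:01:31 +0000] "GET /news HTTP/1.1" 200 7004 "-" "browser"
"""

# Captures client IP, requested path and status code.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD|POST) (\S+) [^"]*" (\d{3}) ')


def find_enumeration(log_text, min_requests=5, min_404_ratio=0.7):
    """Return {client_ip: [paths answered 200]} for clients whose
    requests are mostly 404s, i.e. likely directory brute forcing."""
    stats = defaultdict(lambda: {"total": 0, "not_found": 0, "hits": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, path, status = m.group(1), m.group(2), int(m.group(3))
        s = stats[ip]
        s["total"] += 1
        if status == 404:
            s["not_found"] += 1
        elif status == 200:
            s["hits"].append(path)  # something the scan actually found
    return {ip: s["hits"] for ip, s in stats.items()
            if s["total"] >= min_requests
            and s["not_found"] / s["total"] >= min_404_ratio}
```
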

Links to reference and resources

https://pentest-tools.com/information-gathering/google-hacking → For google dorking of disclosed websites.

https://gowthams.gitbook.io/bughunter-handbook/checklists → For checklist.

Mindset

This mindset is what I use and it may vary from person to person.

Everything in this world that is connected to the internet is hackable; you just have to find out how.

Try to learn, no matter what the age group is; learn what you don’t understand, use the internet and ask friends.

Build/join a community or make friends in this domain. The more friends you have, the more you will understand where you are going wrong. Nahamsec’s discord will be a great place.

Solve tryhackme/hackthebox/portswigger’s rooms and challenges without looking at the walkthroughs or writeups; solve them on your own. When you get stuck, spend some time on that challenge/machine, and only if it takes too long have a look at the walkthroughs; looking at a walkthrough in the beginning is not advisable.

Make your own notes on what you are doing and document your bug hunting journey. Writing will make you think about where you went wrong and helps you to see where you are lacking.

Last but not least, NEVER GIVE UP, because today you might not get good bugs but in future you definitely will.

So, that’s it, this is how I got my first hit in bug hunting, which tells me that I have landed successfully on this side of cyber security too.

I hope you guys enjoyed this article, will see you guys soon with another writeup/article.

Till then WhiteDevil signing off..

You can reach out to me via my Instagram or LinkedIn.