https://lessonsec.com/tags/bug-bounty/ Recent content in Bug Bountyon less on sec Hugo -- gohugo.io en Thu, 02 Nov 2023 23:25:14 +0100 https://lessonsec.com/posts/dutch_government_bounty/ https://lessonsec.com/posts/dutch_government_bounty/ Thu, 02 Nov 2023 23:25:14 +0100Recently, I was awarded a cool t-shirt from the Dutch government for disclosing and reporting a vulnerability under their National Cyber Security Centre responsible disclosure program. Lousy t-shirt I was able to discover a vulnerability in one of the government&rsquo;s websites. <p>Recently, I was awarded a cool t-shirt from the <strong>Dutch government</strong> for disclosing and reporting a vulnerability under their <strong>National Cyber Security Centre</strong> <a href="https://www.government.nl/topics/cybercrime/fighting-cybercrime-in-the-netherlands/responsible-disclosure">responsible disclosure program</a>.</p> <table> <thead> <tr> <th style="text-align:center"><img src="https://lessonsec.com/images/dutch_government_bounty/tshirt.jpeg#center" alt="Lousy t-shirt"></th> </tr> </thead> <tbody> <tr> <td style="text-align:center">Lousy t-shirt</td> </tr> </tbody> </table> <p>I was able to discover a vulnerability in one of the government&rsquo;s websites. The platform allows users to compile a survey and offers the possibility to save progress and receive a link via email to resume the it in a second time.</p> <p>Testing this functionality I was able to find the parameter responsible for setting the URL to resume the survey in a POST request. This parameter was also not subject to sanification, and so it was possible to inject HTML code into email sent from <code>noreply@[governmentdomain].nl</code> effectively allowing unauthenticated users to send emails with forged contents to arbitrary addresses, impersonating the Dutch government.</p> <p>As a proof of concept, consider this POST request:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-http" data-lang="http"><span style="color:#a6e22e">POST</span> /[endpoint] <span style="color:#66d9ef">HTTP</span><span style="color:#f92672">/</span><span style="color:#ae81ff">1.1</span> Host<span style="color:#f92672">:</span> <span style="color:#ae81ff">[governmentdomain].nl</span> User-Agent<span style="color:#f92672">:</span> <span style="color:#ae81ff">Mozilla/5.0(X11; Linux x86_64; rv: 108.0) Gecko/20100101 Firefox/108.0</span> Accept<span style="color:#f92672">:</span> <span style="color:#ae81ff">application/json, text/javascript, */*; q=0.01</span> Accept-Language<span style="color:#f92672">:</span> <span style="color:#ae81ff">en-US,en;q=0.5</span> Accept-Encoding<span style="color:#f92672">:</span> <span style="color:#ae81ff">gzip, deflate, br</span> Referer<span style="color:#f92672">:</span> <span style="color:#ae81ff">[...]</span> Content-Type<span style="color:#f92672">:</span> <span style="color:#ae81ff">application/x-www-form-urlencoded; charset=UTF-8</span> X-Requested-With<span style="color:#f92672">:</span> <span style="color:#ae81ff">XMLHttpRequest</span> Content-Length<span style="color:#f92672">:</span> <span style="color:#ae81ff">191</span> Origin<span style="color:#f92672">:</span> <span style="color:#ae81ff">https://[governmentdomain].nl</span> Connection<span style="color:#f92672">:</span> <span style="color:#ae81ff">keep-alive</span> Cookie<span style="color:#f92672">:</span> <span style="color:#ae81ff">[...]</span> Sec-Fetch-Dest<span style="color:#f92672">:</span> <span style="color:#ae81ff">empty</span> Sec-Fetch-Mode<span style="color:#f92672">:</span> <span style="color:#ae81ff">cors</span> Sec-Fetch-Site<span style="color:#f92672">:</span> <span style="color:#ae81ff">same-origin</span> Pragma<span style="color:#f92672">:</span> <span style="color:#ae81ff">no-cache</span> Cache-Control<span style="color:#f92672">:</span> <span style="color:#ae81ff">no-cache</span> [...] link=https%3A%2F%2Fexample.org&lt;h1&gt;hack&lt;/h1&gt; [...] </code></pre></div><p>With the received email looking like this:</p> <table> <thead> <tr> <th style="text-align:center"><img src="https://lessonsec.com/images/dutch_government_bounty/poc.jpg#center" alt="poc email"></th> </tr> </thead> <tbody> <tr> <td style="text-align:center">PoC email with injected HTML code</td> </tr> </tbody> </table> <p>At this point I stopped testing in accordance to the rules of the responsible disclosure program and reported the issue.</p> <p>Thanks to the Dutch National Cyber Security Centre for promptly fixing the issue and awarding me the t-shirt. It&rsquo;s great to see a government taking proactive steps towards improving their cybersecurity posture and promoting responsible disclosure.</p>