Hello guys! My name is Tuhin Bose (@tuhin1729). I am currently working as a Chief Technology Officer at Virtual Cyber Labs. In this write-up, I am going to share my experience of hacking Dutch Government.
So without wasting time, let’s start:
At first, I was so confused because there are more than 1000 domains within the scope. But later I took a domain randomly from the list and started hunting on it. After 2–3 days of hunting, I started testing on https://rijkswaterstaat.archiefweb.eu/
In my initial recon process, I came across a parameter subsite. I quickly checked XSS there using a simple payload: “><script>alert(document.domain)</script>
And guess what! The payload was executed successfully.
I quickly made a proof of concept and reported it to them. After a month, I got a reply from them:
15/10/20 — Reported Vulnerability
16/10/20 — Confirmed the vulnerability and informed the
03/12/20 — Resolved
04/12/20 — Got appreciation as Dutch Government T-shirt
04/01/21 — T-shirt delivered to my home
Later, I got more than 10 T-shirts from them and it was really a nice experience :)
If you want to learn Bug Bounty Hunting, you can enroll in our course from here.
Follow me on Instagram: @tuhin1729
Thanks for reading. I hope you enjoyed this blog.