RVDP

How I got Acknowledged by the Indian Government For finding a BUG

Hello everyone, This blog is on reporting bugs that we found on Indian Government websites. There is a specific program called RVDP (Responsible Vulnerability Disclosure Program) which is similar to a Bug Bounty Program which is hosted privately on the website itself i.e. it is not hosted on any Bug Bounty Platform. For Indian websites, we have NCIIPC (NATIONAL CRITICAL INFORMATION INFRASTRUCTURE PROGRAM CENTRE) where we can report related to the Indian Government Websites.

If you are a beginner, you can start your Bug Bounty career from here as you don't have any pressure of negative points, duplicates, invalid's, etc. Even if you are already into bug bounty but not getting success on other platforms, you can start hunting here. It will help you to gain confidence and also protect Government websites by reporting Bugs/Vulnerabilities before any Black Hat Hacker takes advantage of it. If you are looking for a job in Cyber Security, what else would be helpful than getting acknowledged by the Indian Government.

Let's dig deeper to look into how I started Bug Hunting on NCIIPC. Firstly, we need a government website on which we can find a bug. It can be any government website whether it belongs to the state or central, you can find bugs and report them in NCIIPC. To find the Government websites I used Google Hacking. 

Google hacking, also named Google Dorking, is a hacker technique that uses Google Search and other Google applications to find security holes in the configuration and computer code that websites are using. Google dorking could also be used for OSINT. 

Ex: in the google search engine, we'll search for site:*.gov.in. This will give us the list of government websites. You can choose any website having a .gov top-level domain. 

After Choosing a website from the search results given by the Google search engine. Firstly, I tried low-hanging fruits. Low hanging fruit is nothing but the easiest and most prevalent technique an attacker can use to gain access to systems and data. In my case, I decided to move forward with Misconfigurations. So I choose to find vulnerabilities related to SPF records and found it on many of the government websites. If you don't know what is SPF, refer to this link.

This is a low-level bug, but if we exploit it correctly we can send phishing emails from the registered domain's email address. So sometimes it is very dangerous for a customer. 

The next Bug I found was related to Components with known vulnerabilities. Considering some security reasons and the high reliability some government websites use Drupal CMS. So, I came across a  vulnerability related to outdated Drupal CMS on a government website and reported it. I not posting any POC for security reasons and I recommend you also, do not post any POC or images of the vulnerability before they fix it as any Hacker can take advantage of it and attack it.

Now let's talk about why I'm hunting Bugs in RVDP, well I'm a beginner in Bug bounty. So, I'm getting myself ready to play on bigger platforms like HackerOne, BugCrowd, etc. It also keeps my confidence high while hunting bugs in Government websites and gives me the experience of how real websites function.

It's time for advantages,

• Well, participating in RVDP, particularly on the Government website won't get you some rewards but they acknowledge you for reporting. Getting Acknowledgement from Government will help in getting a job/promotion in the Cyber Security domain.
• Large Scope to find bugs. There are no limitations here. You can hunt for any kind of bug on a large set of websites.
• Boosts confidence in Bug Bounty Hunting. When you hunt on other platforms there is are possibilities that you get duplicates and you will get demotivated after constant failures as you invest too much effort and time. There is a very negligible possibility to get duplicates here due to less competition.
• Not only in Government websites, but you can also hunt bugs in other company websites who are having their own RVDP programs and also offers rewards, goodies, appreciation, gift hampers, swags, etc for a valid bug.
• Great opportunity to practice your web application pentesting skills in real-world applications. So, that we can keep updated ourselves with the new technologies.

After knowing all the details, well it's time for us to know how to get started in RVDP.

• The First Thing is Google Dorking, We need to have some knowledge of google dorking to find websites with particular top-level Domains.
• Knowledge of OWASP TOP 10 vulnerabilities to find valid bugs.
• Most importantly you should be good in Information Gathering skills to find domain lookups, sub-domains, technologies, firewall status, etc.

It's time for some Tips & Tricks in Bug Bounty.

 

Our mentor suggested a strategy, One website All Vulnerabilities OR One Vulnerability on All Websites. i.e. select one website and hunt for all the vulnerabilities or hunt a particular vulnerability in all the websites.

But, when you are selecting the websites it is necessary to do some information gathering to check if that website is suitable or not. 

Check Whether it is running on any Known CMS. Try to find what version and try to work on that.

Don't use any automated Scripts or any other tools to scan or perform a brute force attack. It will increase the traffic and might you will get blocked by the firewall.

Try to get familiar with tools like BurpSuite, OWASP ZAP, etc as it will help you a lot in finding bugs.

That's it for this blog.

Thank You...

Keep learning and keep Growing...