Hey Everyone, Welcome to my Blog, Today I am going to discuss about how I found my first 3 bugs in .gov websites within 1 Hour So lets begin.

So like most other people I was also stuck in a constant loop of learning and watching bug bounty videos but never actually go looking for vulnerabilities in actual websites. Even when I did I tried finding in websites where competition was high.

So one fine day I decided to pick a target and start hunting on it properly as I knew it was hard finding bugs on paid programs I started finding good VDPs and then I came across NCIIPC where we can report any bugs found in .gov websites and even possibly get hall of fame.

You can also try it out as it has very less competition, Find more details about it in the following link:

https://nciipc.gov.in/RVDP.html

And to report the vulnerability found You can fill the given form and mail it to them:

https://nciipc.gov.in/documents/Vulnerability_Disclosure_Form.pdf

So lets talk about how I found the bugs, As I was researching more about the NCIIPC and reading writeups about bugs found on .gov websites I came across a writeup where the author found a broken twitter link in a gov website, The bug is also called broken link hijacking

What is Broken Link Hijacking?

Broken link hijacking is an attack that takes advantage of expired, unlinked, or inactive external links embedded in a web page. For Example There is a twitter link in your website which is not linked to a twitter account, then an attacker could use that username in his account and that would link his twitter account to your website.

So after I came across that writeup I found that bug very interesting and as a beginner very easy to find, I wanted to automate it so I started finding any tools to automate that.

Then I found a tool-:

Installing:

1. Install Go on your system
2. Run: go install github.com/utkusen/socialhunter@latest

Usage:

Create a list of subdomains and save it to a .txt file , make sure they have https:// or http:// in it or else the tool doesn’t work.

socialhunter -f urls.txt

This will scan all the subdomains in that file and notify you about any possible takeover.

First I found all the subdomains using the following tools:

1. Amass
2. SubFinder
3. AssetFinder

Then I found the unique subdomains in all three tools using the Anew tool and saved them in a file.

Then I used a httprobe tool to find working http and https servers and saved them to a new file.

Then I used socialhunter to find the possible takeovers,

socialhunter -f gov.txt

As there were over 10k subdomains, I also run the tool subzy on it to find any possible subdomain takeovers.

As It was about to take a lot of time I left it running and went for a walk without any hope.

When I came back and checked, Boom! there were about 11 possible takeover links and 3 possible subdomain takeovers.

I didn’t get too overexcited because I knew they could be false.

And as Expected out of 11, 9 were false but YES 2 were Real.

And out of 3 possible subdomain takeover 1 was possible.

So I started making POC’s and reported the 3 bugs to NCIIPC, and after a day I got their email.

I know these were very basic bugs, but as a beginner these meant a lot for me as they were my first bugs.

So to all those who are also still learning and thinking they are not ready to hunt yet, My advice would be go out there and start hunting as it is the best way to learn and move forward!

That’s it for this blog, if you liked it or found it helpful please consider following me or applauding this blog. It would mean a lot!

You can also show some support from this: