High Risk Vulnerabilities within the DoD – Exploiting Coldfusion, Dotnet Nuke, Oracle, and more | by Alyssa Herrera


The Department of Defense launched a bug bounty program on HackerOne on November 21st, 2016. It allows researchers to report vulnerabilities on any military domain (*.mil) and on DoD-linked IPs as well. When the program launched, I wanted to use it as an opportunity to help improve the security of the DoD's websites, and also as a chance to learn and sharpen my own skills.
The purpose of this post is to highlight both unique and commonplace vulnerabilities that you can apply if you plan to look into the DoD program or in your own bug bounty hunting, along with what I have learned from this engagement on the DoD's program. I am currently listed in 8th place on the program's leaderboard, and I will be disclosing my reports with an appropriate summary describing each vulnerability.

Because the program's scope is so large, it can be hard to pick a website or sub-domain to search for vulnerabilities. Luckily, we can use a Google dork to simplify this search. We can search an entire selected website and its sub-domains for interesting files or potentially vulnerable endpoints with one of the following Google dorks: site:*.*.mil or site:*.website.mil.

If you don't know what Google dorks are, here is the TL;DR: we can use search operators to specify what to look for. We can restrict the search to a specific domain name, and narrow it down further by file extension, a specific URL string, and so on. The site operator tells Google to search the desired website specifically; with two wildcards (site:*.*.mil) it also covers sub-domains, which is a very broad search. The other dork (site:*.website.mil) looks at one specific website and its sub-domains.

We can use this, for example, to search for Flash applications that are known to be vulnerable, or to look for a specific CMS installation; this is how I found the majority of my vulnerabilities for the program. We can use tools such as Aquatone if we want to find all the sub-domains of a given website and then port scan them as well. A helpful tip: if you notice that a sub-domain has a sub-domain within itself, such as dev.subdomain.website.com, then you should specify that sub-domain and check whether there are more sub-domains within it; this can help you find additional hosts.
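As an added example (my own code, not from the post), the following script takes a list of hostnames gathered with a tool like Aquatone, keeps only the ones that are really inside the *.mil scope (rejecting look-alike names that merely contain ".mil"), and lists the nested sub-domains that deserve their own enumeration pass. The hostnames below are constructed; only the .mil suffix comes from the post.

```python
from collections import defaultdict

# Scope suffix from the post; every hostname below is constructed sample data.
SCOPE_SUFFIX = "mil"

SAMPLE_HOSTS = [
    "www.example.mil",
    "dev.portal.example.mil",
    "test.portal.example.mil",
    "api.example.mil",
    "old.api.example.mil",
    "mail.other.mil",
    "evil.example.mil.attacker.com",  # contains ".mil" but is out of scope
    "example.mil.",                   # trailing dot from a DNS dump
    "WWW.EXAMPLE.MIL",                # duplicate in a different case
]

def normalize(host):
    """Lower-case, strip whitespace and any trailing FQDN dot."""
    return host.strip().rstrip(".").lower()

def in_scope(host, suffix=SCOPE_SUFFIX):
    """True only if host is the suffix itself or ends with '.' + suffix.
    Checking on the label boundary is what stops
    'example.mil.attacker.com' from passing as a *.mil host."""
    h = normalize(host)
    return h == suffix or h.endswith("." + suffix)

def parent_zones(hosts, suffix=SCOPE_SUFFIX):
    """Map each in-scope sub-domain to the sorted hostnames found beneath it.
    Every proper suffix of a hostname (above the scope suffix) is a parent."""
    children = defaultdict(set)
    for h in hosts:
        h = normalize(h)
        if not in_scope(h, suffix):
            continue
        labels = h.split(".")
        for i in range(1, len(labels) - 1):
            parent = ".".join(labels[i:])
            if parent != suffix:
                children[parent].add(h)
    return {p: sorted(c) for p, c in children.items()}

def nested_zones(hosts, suffix=SCOPE_SUFFIX):
    """Parents that are themselves sub-domains (three or more labels), i.e. the
    'sub-domain within a sub-domain' cases the post says to re-check with
    their own site:*.sub.domain.mil dork."""
    return sorted(p for p in parent_zones(hosts, suffix) if p.count(".") >= 2)

if __name__ == "__main__":
    for zone in nested_zones(SAMPLE_HOSTS):
        print(f"site:*.{zone}")
```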


