Hyperlink Injection on Complaint Form
Description: Discovered a hyperlink injection vulnerability in the "Create Account" form on the complaints page.
Impact: Potential phishing attacks, unauthorized redirection, session hijacking.
Mitigation: Implement input sanitization to block malicious links in automated emails.

Hyperlink Injection on Suggesties Form
Description: Identified a hyperlink injection flaw in the "Create Account" form on the suggestions page.
Impact: Users could be redirected to phishing or malicious sites, risking data theft.
Mitigation: Enforce strict input validation to prevent hyperlink injection.

Information Disclosure via Wayback URLs
Description: Exposed email addresses of VDAB employees found through Wayback Machine archives.
Impact: Attackers could leverage exposed emails for brute-force attacks, phishing, and spam.
Mitigation: Secure email data and control archived information to prevent leakage.

No Rate Limit on Password Reset
Description: The password reset endpoint lacked rate limiting, allowing attackers to spam reset requests.
Impact: Potential for email bombing attacks, causing user frustration and account lockout.
Mitigation: Introduce rate limiting and CAPTCHA verification on the reset password process.
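The mitigations listed above for the two hyperlink-injection findings and for the password-reset finding share one pattern: check the request before a form-triggered email goes out. The following is an added example written for this page, not code from VDAB or from the original report. It validates the user-supplied display name that an automated email would embed (rejecting link-like or markup-like input), HTML-escapes it on output as a second layer, and applies a sliding-window rate limit to reset requests per account address and per source IP. The module, class and function names, the limits (3 per address and 10 per source IP per hour), the fake clock and the sample inputs are all assumptions; the CAPTCHA step mentioned in the mitigation is not modelled.

```python
"""Pre-send checks for form-triggered emails (hypothetical example)."""
import html
import re
import time
from collections import deque

# Patterns that indicate a link or markup inside a "name" field. Constructed
# for this example; a strict allow-list is deliberate, so "St.John" is rejected.
_URL_RE = re.compile(
    r"(?i)(https?://|www\.|\b[a-z0-9-]+\.[a-z]{2,}\b|\b(?:javascript|mailto|data|file|ftp):)"
)
_MARKUP_RE = re.compile(r"[<>\[\]{}]")
MAX_NAME_LEN = 64


class NameRejected(ValueError):
    """Raised when a display name must not be embedded in an email."""


def validate_display_name(name: str) -> str:
    """Return a whitespace-normalised name, or raise NameRejected."""
    cleaned = " ".join(name.split())  # collapses newlines, tabs and runs of spaces
    if not cleaned or len(cleaned) > MAX_NAME_LEN:
        raise NameRejected("empty or too long")
    if _MARKUP_RE.search(cleaned) or _URL_RE.search(cleaned):
        raise NameRejected("contains a link or markup")
    return cleaned


def is_name_accepted(name: str) -> bool:
    """Convenience predicate around validate_display_name."""
    try:
        validate_display_name(name)
        return True
    except NameRejected:
        return False


def render_welcome_email(name: str) -> str:
    """Validate on input AND escape on output, so a value that slips past the
    validator still cannot become an anchor tag in the HTML email body."""
    safe = html.escape(validate_display_name(name), quote=True)
    return f"<p>Hello {safe}, your account has been created.</p>"


class SlidingWindowLimiter:
    """Allow at most `limit` events per key within the trailing `window` seconds."""

    def __init__(self, limit: int, window_seconds: float, clock=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock  # injectable so tests can advance time deterministically
        self._hits: dict[str, deque] = {}

    def allow(self, key: str) -> bool:
        now = self.clock()
        q = self._hits.setdefault(key, deque())
        while q and now - q[0] > self.window:
            q.popleft()  # drop hits that fell out of the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class PasswordResetGate:
    """Rate-limit reset requests per target address and per source IP. The
    response text is identical whether or not a mail was sent, so the endpoint
    neither confirms account existence nor reveals that a limit was hit."""

    def __init__(self, clock=time.monotonic):
        self.per_email = SlidingWindowLimiter(3, 3600, clock)   # assumed limits
        self.per_ip = SlidingWindowLimiter(10, 3600, clock)
        self.sent: list[str] = []  # stand-in for the mailer (constructed)

    def request_reset(self, email: str, source_ip: str) -> str:
        key_email = email.strip().lower()
        if self.per_ip.allow(source_ip) and self.per_email.allow(key_email):
            self.sent.append(key_email)  # real code would enqueue the reset mail here
        return "If that address is registered, a reset link has been sent."


class FakeClock:
    """Deterministic clock for demonstrating window expiry (constructed)."""

    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


if __name__ == "__main__":
    print(render_welcome_email("An Van Den Broeck"))
    print(is_name_accepted("Visit www.example.com"))  # link-like name is rejected
    clock = FakeClock()
    gate = PasswordResetGate(clock=clock)
    for _ in range(4):
        gate.request_reset("user@example.com", "203.0.113.5")
    print(len(gate.sent))  # fourth request within the hour sends nothing
```

The per-IP check runs first so that a single source cycling through many addresses is stopped before the per-address counters are touched; in production the deques would live in a shared store rather than process memory, and the CAPTCHA challenge from the mitigation would be triggered once a key approaches its limit.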