VDAB (Belgian Government) Project

Found hyperlink injection and rate-limit bugs.


Overview


Project Bugs
- Hyperlink Injection on Complaint Form
- Hyperlink Injection on Email Verification
- Hyperlink Injection on Suggesties (Suggestions) Form
- Information Disclosure via Wayback URLs (waybackurls)
- No Rate Limit on Password Reset

Role: Bug Bounty
Client: -

Project Description

Hyperlink Injection on Complaint Form

Description: Discovered a hyperlink injection vulnerability in the "Create Account" form on the complaints page. A URL placed in a free-text field of the form is reproduced in the automated email that VDAB sends back, so the link arrives from a trusted sender.

Impact: Phishing and unauthorized redirection; because the link is delivered inside a legitimate VDAB email, recipients are far more likely to trust and follow it.

Mitigation: Validate free-text fields (reject URLs, schemes and markup in name fields) and HTML-escape every user-supplied value before it is rendered into an automated email.

Hyperlink Injection on Suggesties (Suggestions) Form

Description: Identified the same hyperlink injection flaw in the "Create Account" form on the suggestions page: attacker-controlled links submitted through the form end up in the confirmation email.

Impact: Users could be redirected to phishing or malicious sites, risking credential and data theft.

Mitigation: Enforce strict input validation on the form fields and encode them on output so that no user input can become a clickable link in outgoing mail.
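Both hyperlink injection findings (complaint form and suggestions form) come down to the same defect: a value from the "Create Account" form is inlined into an HTML email. The following is an added example, not VDAB's code; the field name, the illustrative TLD list and the email template are assumptions. It shows the vulnerable rendering pattern beside a hardened version that rejects link-like input and HTML-escapes what remains.

```python
import html
import re

# Patterns that mark a "name" field as carrying something a mail client would
# render or auto-link: URL schemes, www., anchor tags and bare domain names.
# The TLD list is illustrative, not exhaustive (assumption for this example).
LINK_PATTERN = re.compile(
    r"(?:https?://|ftp://|mailto:|www\.|<\s*a\b|"
    r"[a-z0-9-]+\.(?:com|net|org|be|eu|io|info|xyz)\b)",
    re.IGNORECASE,
)

MAX_NAME_LENGTH = 80


def contains_link(value: str) -> bool:
    """Return True if the value contains a URL, scheme, bare domain or anchor tag."""
    return LINK_PATTERN.search(value) is not None


def validate_name(value: str) -> str:
    """Accept only a plain name: no links, no markup, bounded length."""
    value = value.strip()
    if not value or len(value) > MAX_NAME_LENGTH:
        raise ValueError("name must be 1-80 characters")
    if "<" in value or ">" in value:
        raise ValueError("markup is not allowed in a name")
    if contains_link(value):
        raise ValueError("links are not allowed in a name")
    return value


def render_email_vulnerable(name: str) -> str:
    """The pattern behind hyperlink injection: raw user input inlined as HTML."""
    return f"<p>Dear {name}, your account has been created.</p>"


def render_email_safe(name: str) -> str:
    """Validate first, then HTML-escape so the name can never become markup.

    Escaping alone is not enough: mail clients auto-link bare domains such as
    attacker.example, which is why link-like input is rejected up front.
    """
    safe_name = html.escape(validate_name(name))
    return f"<p>Dear {safe_name}, your account has been created.</p>"


if __name__ == "__main__":
    # Constructed payload of the kind submitted through the form.
    payload = 'Jan <a href="https://attacker.example/reset">click here</a>'
    print(render_email_vulnerable(payload))
    try:
        render_email_safe(payload)
    except ValueError as exc:
        print("rejected:", exc)
    print(render_email_safe("Jan & Co"))
```

Rejecting the submission (rather than silently stripping the link) gives the user feedback and keeps a log entry for the abuse attempt; the escape on output is the second layer in case validation is bypassed elsewhere.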

Information Disclosure via Wayback URLs

Description: Email addresses of VDAB employees were found in pages archived by the Wayback Machine (enumerated with the waybackurls tool); the addresses remain retrievable from the archive even where the live pages no longer expose them.

Impact: Attackers could use the exposed addresses for password-guessing and credential-stuffing attempts, targeted phishing of staff, and spam.

Mitigation: Avoid publishing personal employee addresses on public pages (prefer role-based mailboxes), review what has already been archived, and request removal of the affected snapshots from the Internet Archive.
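To reproduce this kind of finding, the archive is queried for snapshots of a domain and each snapshot body is searched for addresses at that domain. The following is an added example, not the tester's or VDAB's tooling; it uses the public Wayback CDX API query format and the `id_` raw-snapshot URL form, and the sample page bodies and the `example.org` domain are constructed so the extraction step runs offline.

```python
import json
import re
from typing import Dict, Iterable, List, Set
from urllib.parse import urlencode

CDX_ENDPOINT = "http://web.archive.org/cdx/search/cdx"
EMAIL_PATTERN = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def cdx_query_url(domain: str, limit: int = 500) -> str:
    """Build the CDX query listing archived HTML pages under a domain.

    collapse=urlkey keeps one row per distinct URL; fl selects the columns.
    """
    params = {
        "url": f"{domain}/*",
        "output": "json",
        "fl": "timestamp,original",
        "filter": "mimetype:text/html",
        "collapse": "urlkey",
        "limit": str(limit),
    }
    return f"{CDX_ENDPOINT}?{urlencode(params)}"


def parse_cdx_json(body: str) -> List[Dict[str, str]]:
    """CDX JSON output is a header row followed by one row per snapshot."""
    rows = json.loads(body)
    if not rows:
        return []
    header, *values = rows
    return [dict(zip(header, row)) for row in values]


def snapshot_url(timestamp: str, original: str) -> str:
    """URL of the raw archived bytes; 'id_' suppresses Wayback's injected toolbar and rewrites."""
    return f"http://web.archive.org/web/{timestamp}id_/{original}"


def extract_emails(page_text: str, domain: str) -> Set[str]:
    """Return lower-cased addresses at `domain` found in one page body."""
    suffix = "@" + domain.lower()
    return {m.lower() for m in EMAIL_PATTERN.findall(page_text)
            if m.lower().endswith(suffix)}


def find_exposed_emails(pages: Iterable[str], domain: str) -> List[str]:
    """Deduplicate addresses across all fetched snapshot bodies."""
    found: Set[str] = set()
    for page in pages:
        found |= extract_emails(page, domain)
    return sorted(found)


if __name__ == "__main__":
    # Constructed snapshot bodies standing in for fetched archive content.
    sample_pages = [
        '<p>Contact <a href="mailto:Recruit@Example.org">Recruit@Example.org</a></p>',
        "<p>Press: press@example.org, external: partner@other.example</p>",
        "<p>no addresses here</p>",
    ]
    print(cdx_query_url("example.org"))
    print(find_exposed_emails(sample_pages, "example.org"))
```

In a live run, each row returned by `cdx_query_url` is turned into a `snapshot_url`, fetched, and passed to `find_exposed_emails`; only addresses at the target domain are kept so third-party addresses on the archived pages do not pollute the result.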

No Rate Limit on Password Reset

Description: The password reset endpoint accepted an unlimited number of requests for the same account, so an attacker could trigger reset emails to a victim in bulk.

Impact: Email bombing of the victim's mailbox, causing user frustration and burying legitimate mail (including the genuine reset link) under a flood of automated messages.

Mitigation: Rate-limit reset requests per account and per client IP, add CAPTCHA verification once a threshold is exceeded, and keep the response identical whether or not an email was sent so the limit does not leak account existence.
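A minimal implementation of the per-account and per-IP limiting described above, as an added example and not VDAB's code. The thresholds, the in-memory sliding window (a production service would back it with a shared store such as Redis) and the response wording are assumptions; the clock is injectable so the window behaviour can be checked without waiting.

```python
import time
from collections import defaultdict, deque
from typing import Deque, Dict, Optional, Tuple


class ResetRateLimiter:
    """Sliding-window limiter keyed separately by account and by client IP.

    Both keys matter: email bombing targets one mailbox from many IPs, while
    spraying the endpoint hits many mailboxes from one IP.
    """

    def __init__(self, per_account: int = 3, per_ip: int = 10,
                 window_seconds: int = 3600) -> None:
        self.per_account = per_account
        self.per_ip = per_ip
        self.window = window_seconds
        self._by_account: Dict[str, Deque[float]] = defaultdict(deque)
        self._by_ip: Dict[str, Deque[float]] = defaultdict(deque)

    @staticmethod
    def _prune(events: Deque[float], cutoff: float) -> None:
        # Drop timestamps that have fallen out of the window.
        while events and events[0] <= cutoff:
            events.popleft()

    def allow(self, email: str, ip: str, now: Optional[float] = None) -> bool:
        """Return True and record the request if both limits permit it."""
        now = time.monotonic() if now is None else now
        cutoff = now - self.window
        acct = self._by_account[email.strip().lower()]  # case-insensitive key
        src = self._by_ip[ip]
        self._prune(acct, cutoff)
        self._prune(src, cutoff)
        if len(acct) >= self.per_account or len(src) >= self.per_ip:
            return False
        acct.append(now)
        src.append(now)
        return True


GENERIC_RESPONSE = {
    "status": 202,
    "message": "If that address exists, a password reset link has been sent.",
}


def handle_reset_request(limiter: ResetRateLimiter, email: str, ip: str,
                         now: Optional[float] = None) -> Tuple[dict, bool]:
    """Endpoint logic. Returns (client_response, mail_sent).

    Only client_response goes back to the caller; it is identical whether the
    account exists, whether the limit was hit, or whether mail was sent, so the
    limiter cannot be used as an account-enumeration oracle. mail_sent is for
    server-side logging and for the mail queue.
    """
    mail_sent = limiter.allow(email, ip, now)
    if mail_sent:
        pass  # enqueue the reset email here (assumed, outside this example)
    return dict(GENERIC_RESPONSE), mail_sent


if __name__ == "__main__":
    limiter = ResetRateLimiter(per_account=3, per_ip=10, window_seconds=3600)
    # Constructed burst: the fourth request for one account inside the window is refused.
    for t in range(5):
        _, sent = handle_reset_request(limiter, "victim@example.org", "198.51.100.7", now=t)
        print(f"t={t}s mail_sent={sent}")
```

Refused requests are not recorded, so a blocked attacker cannot extend the victim's lockout indefinitely; once the window slides past the earlier requests, the account's legitimate owner can request a reset again.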