How I Earned Over 100 Points on HackerOne with Email Spoofing.

Jonas Dias Rebelo
4 min read · Dec 10, 2024


Hello, my name is Jonas Dias Rebelo, I am currently 21 years old, born in Portugal and now residing in the USA (United States of America).

In my latest post, I mentioned the existence of a VDP program with an almost limitless scope: the Department of Defense (DoD). This scope encompasses all websites under the Department’s jurisdiction, including, but not limited to, every site ending in “.mil”.

With this in mind, it’s worth mentioning that the program’s scope also accepts various simple vulnerabilities, such as Low-severity ones. One example is the WordPress Debug Mode. Another example, and the focus of this post, is Email Spoofing.

WHAT IS EMAIL SPOOFING?

Email spoofing is a technique used by hackers to forge the sender of an email, making it appear as though the message originated from a trusted source. This practice is often employed in phishing attacks, fraud, and other malicious activities, tricking recipients into disclosing sensitive information, clicking on malicious links, or performing harmful actions.

However, HackerOne classifies this as a “Core Ineligible Finding.” If you attempt to report this issue in a standard program, the response will typically be as follows:

[Image: HackerOne Triager’s response.]
[Image: An excerpt from HackerOne’s article on “Core Ineligible Findings.”]

Despite this, the Department of Defense program does not follow these rules and does not use HackerOne’s triage system. This allows them to accept email spoofing vulnerabilities.

Note: The DoD only accepts email spoofing vulnerabilities on second-level domains. Therefore, avoid searching for this vulnerability in subdomains.

Now that we understand how the “rules” work, we need to find vulnerable domains. I used four tactics:

Let’s start with Google Hacking. I used several possible combinations, such as:

  • site:*.mil
  • site:*.mil “login”
  • site:*.mil “contact”
  • site:*.mil “comment”
  • etc…

This produced numerous subdomains belonging to many different second-level domains, which I analyzed using MXToolbox to gather the information needed to determine whether each domain was vulnerable or not.

For the second tactic, I used CRT.sh to search for *.mil websites with certificates, using the following command:

curl -s "https://crt.sh/?q=%.mil&output=json" | jq -r '.[].name_value' | sort -u > domains_mil.txt

This command returned one new domain, which I hadn’t found through Google Hacking.

As for the third tactic, I went through several websites from the list. Many of them, although government-related, are not actually part of the DoD, which resulted in several informational findings, despite many duplicate or already-triaged reports.

As for the fourth tactic, I thought the following: if all .mil websites are in scope, what if I try brute-forcing? The idea was to brute-force .mil domain names of 3 to 4 letters, and the result was positive, uncovering 4 new domains (without a website on port 80 or 443) that I had not found using the previous tactics.

Upon finding the domains, I used this tool to verify the Email Spoofing vulnerability:

https://github.com/fdzdev/DMARC-SPF-Checker

I configured the server with the credentials and added the following at the end:

send_spoofed_email("spoofed@yourwebsite.mil", "youremail@gmail.com")

If the domain is truly vulnerable, you will receive an email in your inbox.
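The MXToolbox analysis above and the send-a-test-email check both boil down to the same question: does the domain publish an SPF record with a strict `all` qualifier and a DMARC record with an enforcing policy? The following is an added example, not the author's code and not the DMARC-SPF-Checker tool, that classifies a domain from its SPF and DMARC TXT records alone; the records and domain names are constructed placeholders, and in practice you would paste in the strings returned by `dig TXT <domain>` and `dig TXT _dmarc.<domain>`.

```python
import re

# Constructed sample TXT records (placeholders, not real .mil data), keyed by
# the name that would be queried: the domain itself for SPF, _dmarc.<domain> for DMARC.
SAMPLE_TXT = {
    "strict.example.mil": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "_dmarc.strict.example.mil": ["v=DMARC1; p=reject; rua=mailto:dmarc@strict.example.mil"],
    "weak.example.mil": ["v=spf1 include:_spf.example.net ~all"],
    "_dmarc.weak.example.mil": ["v=DMARC1; p=none"],
    "none.example.mil": ["some unrelated txt record"],
}


def parse_spf(records):
    """Return the SPF 'all' qualifier ('-', '~', '?', '+'), or None if no usable SPF record."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:  # zero records, or more than one, both mean no valid policy (RFC 7208)
        return None
    m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", spf[0].lower())
    if not m:
        return "?"  # no 'all' term: check_host() falls through to 'neutral'
    return m.group(1) or "+"  # an unqualified 'all' means '+all' (pass everything)


def parse_dmarc(records):
    """Return the DMARC policy ('none', 'quarantine', 'reject'), or None if no DMARC record."""
    for r in records:
        if r.lower().startswith("v=dmarc1"):
            tags = {}
            for kv in r.split(";"):
                if "=" in kv:
                    k, v = kv.split("=", 1)
                    tags[k.strip().lower()] = v.strip().lower()
            return tags.get("p", "none")  # 'p' is required, but treat a missing tag as no enforcement
    return None


def assess(domain, txt=SAMPLE_TXT):
    """Classify how exposed a domain is to forged From: headers, from its DNS records."""
    spf_q = parse_spf(txt.get(domain, []))
    dmarc_p = parse_dmarc(txt.get("_dmarc." + domain, []))
    # Only an enforcing DMARC policy tells receivers to act on a forged From: header;
    # SPF by itself (even -all) is evaluated against the envelope sender, not the header.
    if dmarc_p in ("quarantine", "reject"):
        verdict = "protected"
    elif spf_q == "-":
        verdict = "partial (SPF hard fail, but no DMARC enforcement)"
    else:
        verdict = "spoofable"
    return {"domain": domain, "spf_all": spf_q, "dmarc_p": dmarc_p, "verdict": verdict}
```

A domain that comes back as "spoofable" here is the kind that passed the author's inbox test; the fix on the owner's side is an SPF record ending in `-all` plus a DMARC record with `p=quarantine` or `p=reject`.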

As a result, I found a total of 17 valid domains vulnerable to Email Spoofing, with 13 being triaged (7 points each) and 5 being duplicates (2 points each). This gave me a total of 101 points on HackerOne and helped me earn a spot in the TOP 7 of the 2024 Ranking for the United States Department of Defense.

Although these were low-severity vulnerabilities, I am proud to have discovered an issue that was affecting the DoD on a large scale, helping and contributing to the protection of the country where I currently reside.

My HackerOne profile: https://hackerone.com/jonasdiasrebelo

My Linkedin profile: https://www.linkedin.com/in/jonasdiasrebelo/


Written by Jonas Dias Rebelo

Hello! I'm Jonas Dias Rebelo, a cybersecurity enthusiast. With over 2 years of experience in Bug Bounty, I'm always seeking to enhance my skills and knowledge.
