Sifchain: Username disclosure at Main Domain

Hello, PoC Link https://sifchain.finance//wp-json/wp/v2/users/ thanks. Impact Malicious counterpart could collect the usernames disclosed and the admin user and be focused throughout BF attack as the usernames are now known, making it less harder to penetrate the data.gov systems...

GSA Bounty: Wordpress Users Disclosure (/wp-json/wp/v2/users/) on data.gov

Summary: Hello TTS Bug bounty team! I have found data.gov User/admin usernames disclosed. Using REST API, we can see all the WordPress users/author with some of their information. Steps To Reproduce: You can find the information disclosure by going to data.gov/wp-json/wp/v2/users/ Supporting Vide...

GSA Bounty: Blind SSRF on https://labs.data.gov/dashboard/Campaign/json_status/ Endpoint

Summary: Due to improper routes handling multiple malicious actions are possible. Attacker is able to call Class/Function/Param1/Param2 directly from source code. this may lead to call function that should be not accessible from GUI. Any Class from...

GSA Bounty: xmlrpc.php file enabled - data.gov

Wordpress that have xmlrpc.php enabled for pingbacks, trackbacks, etc. can be made as a part of a huge botnet causing a major DDOS. this website www.data.gov has the xmlrpc.php file enabled. Impact This can be automated from multiple hosts and be used to cause a mass DDOS attack on the victim...

GSA Bounty: Information disclosure (system username, server info) in the x-amz-meta-s3cmd-attrs response header on data.gov

Hi Team, I noticed, that the x-amz-meta-s3cmd-attrs response header returns sensitive information, like system username on data.gov x-amz-meta-s3cmd-attrs: uid:0/gname:root/uname:root/gid:0/mode:33184/mtime:1513269652/atime:1513269652/md5:2049644b6b833f5dbb826f60a4721f64/ctime:1513269652 Server:...

GSA Bounty: Unclaimed Github Repository Takeover on https://www.data.gov/labs

Hello Security Team, I found a Vulnerability in your website where in one of your domain https://www.data.gov/labs there was Description about Simple API in which two links were pointing to https://simple-api.github.io/api-offices/ but after visiting this URL i got an 404 error where it shown lik...

GSA Bounty: Root user disclosure in data.gov domain though x-amz-meta-s3cmd-attrs header

I performed a GET request on Host www.data.gov in burp suite to a custom domain and the Response showed the x-amz-meta-s3cmd-attrs header with the user id as root and group id running as root. x-amz-meta-s3cmd-attrs: uid:0/gname:root/uname:root/gid:0/mode:33184/ This represents information...

GSA Bounty: Subdomain Takeover due to unclaimed domain pointing to AWS

Note: I know this is on an out of scope domain, however felt it should still be raised as it was the only subdomain of data.gov to be vulnerable. Issue Details The consultant identified that subdomain https://18f.domains.api.data.gov/ is pointing to dn9rrjaiux2m0.cloudfront.net via a DNS CNAME...

GSA Bounty: [api.data.gov] Leak Valid API With out Verification -

Description Remote attackers are able to retrieve a valid working api key with random Generation Process without a secure parsing or secure channel , human verification ..etc . the current proccess for requesting any api key is with signup form , and message with api delivered privately to user ,...

GSA Bounty: Reflected XSS on the data.gov (WAF bypass+ Chrome XSS Auditor bypass+ works in all browsers)

Description Hello. I discovered Cross-Site scripting issue on the https://www.data.gov/local/ endpoint. The issue can be site-wide, and exploitable in any place, where pagination exist. The Impact and Severity I assigned the High severity, because unlike the last 263226 report that XSS was...

GSA Bounty: {REDACTED}.data.gov subdomain takeover.

@edio discovered a number of related subdomain takeover attacks against some subdomains of data.gov. Technically, these domains are out of scope for our Vulnerability Disclosure Policy. We want to remind hackers to please limit their testing to domains explicitly listed in that scope which is...