High Risk Vulnerabilities within the DoD - Exploiting ColdFusion, DotNetNuke, Oracle, and more

Alyssa Herrera
7 min read · Jan 25, 2018

Introduction

The Department of Defense launched a bug bounty program on HackerOne on November 21st, 2016. It allowed researchers to report vulnerabilities on any military domain (*.mil) as well as DoD-linked IPs. When the program launched, I wanted to use it as an opportunity to help improve the security of the DoD's websites, but also as a chance to learn and sharpen my own skills.
The purpose of this post is to highlight both unique and commonplace vulnerabilities that you can apply if you plan to look into the DoD program or in your own bug bounty hunting, and to share what I have learned from this engagement on the DoD's program. I am currently listed in the 8th spot on the leaderboard for the program, and I will be disclosing my reports with an appropriate summary describing each vulnerability.

Reconnaissance

Due to the very large scope of the program, it can be hard to pick a website or a subdomain to search for vulnerabilities. Luckily, we can use a Google dork to simplify this search. We can search through the entire website we selected, and its subdomains, for interesting files or potentially vulnerable endpoints with the following Google dorks: site:*.*.mil or site:*.website.mil.

If you don't know what Google dorks are, here's a TL;DR: we can use search operators to specify what to look for, and we can specify a domain name for our search…

Alyssa Herrera

A web application security consultant and bug bounty hunter.