How I got into the United Nations Hall of Fame as an 18-year-old ethical hacker!
For anyone aspiring to build a career in cybersecurity, Halls of Fame play a major role. Like every young aspiring ethical hacker, it was my dream too, and it was a surprise to me when it turned into reality one day. Here is how I made my dream come true.
If you think the United Nations Hall of Fame is a big deal that demands extraordinary skills to get into, this is for you.
Is it hard to enter the United Nations HOF?
The simple answer is no.
If entering the United Nations Hall of Fame is your goal, it is not a big deal at all: go ahead and explore vulnerabilities like clickjacking, which is very common on UN sites, try to increase its severity, and report it to infosec@un.org. It is time consuming rather than hard. The real fun is doing something interesting and new that justifies your presence in the Hall of Fame. Here is the story of how I made it to the United Nations Hall of Fame by finding XSS on one of the UN-owned subdomains.
The core step in finding a vulnerability on any target is subdomain enumeration. I personally use amass, subfinder and sublist3r; you can use any tool of your choice, but combining the output of all of them is a better idea so that you don't miss a subdomain. If you're an absolute beginner you can try online tools like DNSDumpster, VirusTotal or any similar enumeration service. The enumeration gave me a lot of active subdomains; it has been a while, but I think it was around 8,000. One domain caught my attention, https://mdgs.un.org, so I explored it further and tried brute forcing its directories.
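Combining several enumeration tools only pays off if their outputs are merged carefully: each tool formats hostnames a little differently (mixed case, trailing dots, wildcard entries), and any list this size will contain out-of-scope lookalikes that must not be tested or reported. The following is an added example of such a merge, not code from the original post; the three sample outputs are constructed stand-ins for what amass, subfinder and sublist3r would write to their result files, and the scope root is an assumption for illustration.

```python
from __future__ import annotations

import re
from collections.abc import Iterable

# Constructed sample output from three tool runs (not real enumeration data).
# In practice these strings come from files such as amass.txt, subfinder.txt
# and sublist3r.txt produced by each tool.
AMASS_OUT = """\
MDGS.un.org
www.un.org.
*.dev.un.org
"""
SUBFINDER_OUT = """\
mdgs.un.org
api.un.org
"""
SUBLIST3R_OUT = """\
mdgs.un.org
un.org.evil.example
not a hostname
"""

# One DNS label: 1-63 chars of [a-z0-9-], not starting or ending with '-'.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize(name: str) -> str | None:
    """Canonicalize one hostname line; return None if it is not a valid hostname."""
    name = name.strip().lower().rstrip(".")   # case and trailing dot differ per tool
    if name.startswith("*."):                   # wildcard records: keep the base name
        name = name[2:]
    if not name or not all(_LABEL.match(label) for label in name.split(".")):
        return None
    return name


def in_scope(name: str, root: str) -> bool:
    """True only for the root itself or a true subdomain of it (suffix match on a label boundary)."""
    return name == root or name.endswith("." + root)


def merge_subdomains(outputs: Iterable[str], root: str) -> list[str]:
    """Merge raw tool outputs into a sorted, deduplicated, in-scope hostname list."""
    seen: set[str] = set()
    for text in outputs:
        for line in text.splitlines():
            host = normalize(line)
            if host is not None and in_scope(host, root):
                seen.add(host)
    return sorted(seen)


if __name__ == "__main__":
    for host in merge_subdomains([AMASS_OUT, SUBFINDER_OUT, SUBLIST3R_OUT], "un.org"):
        print(host)
```

The scope check matches on a label boundary rather than a bare substring, so a domain like un.org.evil.example, which a naive `"un.org" in name` test would accept, is dropped before it ever reaches a scanner.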
Now I found something amazing:
This gave me some hope that there was some juice in it!
I tried various XSS payloads on the search field there, and finally one payload worked for me:
Payload: x" onmouseover=alert(1) x="
After the payload was reflected, an alert popped up each time the mouse cursor crossed the search field: the search term was echoed unescaped inside the input's double-quoted value attribute, so the leading " in the payload closes that attribute, onmouseover=alert(1) becomes an event handler on the field, and the trailing x=" swallows the closing quote the page emits.
It was a reflected XSS!
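To make the attribute break-out concrete, here is an added example (not code from the original post or from the UN site) that reflects a search term into a hypothetical search form, once without encoding and once with attribute-context encoding, and then parses the result the way a browser would to see whether an event handler ended up on the input element. The form markup is an assumption for illustration; the payload is the one from the post.

```python
import html
from html.parser import HTMLParser

# The payload from the post: a quote to close the value attribute, an event
# handler, then a dummy attribute to absorb the template's closing quote.
PAYLOAD = 'x" onmouseover=alert(1) x="'

# Hypothetical search form standing in for the real page's markup.
TEMPLATE = '<form action="/search"><input type="text" name="q" value="{q}"></form>'


def render_vulnerable(q):
    """Reflect the search term into the attribute with no encoding (the bug)."""
    return TEMPLATE.format(q=q)


def render_hardened(q):
    """Encode for an HTML attribute context: &, <, >, \" and ' are all escaped."""
    return TEMPLATE.format(q=html.escape(q, quote=True))


class _InputAttrCollector(HTMLParser):
    """Record the attributes of every <input> tag as the HTML parser sees them."""

    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.inputs.append(dict(attrs))


def injected_handlers(document):
    """Return the names of on* (event handler) attributes found on <input> tags."""
    parser = _InputAttrCollector()
    parser.feed(document)
    parser.close()
    return sorted(
        name
        for attrs in parser.inputs
        for name in attrs
        if name.startswith("on")
    )


if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD))
    print("vulnerable ->", injected_handlers(render_vulnerable(PAYLOAD)))
    print(render_hardened(PAYLOAD))
    print("hardened   ->", injected_handlers(render_hardened(PAYLOAD)))
```

In the hardened output the quote survives only as &quot;, so the parser keeps the whole payload as the value of the value attribute and no onmouseover attribute exists. Encoding must match the context the data lands in: html.escape with quote=True covers quoted attribute values, but an unquoted attribute or a script block needs different handling.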
I reported the vulnerability to the United Nations at infosec@un.org on 19 January and waited for almost two months.
On 16 March my name, Joshua Arulsamy, was finally added to the Hall of Fame.
Find my name here: Hall of Fame | Office of Information and Communications Technology
Thank you so much for reading; do follow me here on Medium and on LinkedIn for more amazing content!