NCIIPC — Responsible Vulnerability Disclosure Program
NCIIPC stands for National Critical Information Infrastructure Protection Centre.
The Responsible Vulnerability Disclosure Program (RVDP) is an initiative by NCIIPC to acknowledge security researchers who report critical bugs on Indian government websites (*.gov.in).
Link: https://nciipc.gov.in/RVDP.html
Steps to Report:
- Find a bug (recommended). 😄
- Fill in the form: https://nciipc.gov.in/documents/Vulnerability_Disclosure_Form.pdf
- Email rvdp@nciipc.gov.in with the completed form, the steps to reproduce and screenshots.
Secure Nation’s Cyber-Space!
To make this blog more interesting, let's look at the bug I reported:
Vulnerability Name: Sensitive Data Exposure (via an Insecure Direct Object Reference in the App_Id parameter)
Website Name: UP Scholarship and Fee Reimbursement Online System
Proof-Of-Concept:
1. Open https://scholarship.up.gov.in/Status1819.aspx. This page lets you check the status of a student's scholarship application.
2. I used my friend's details to check his application status. Required fields: Registration Number and D.O.B.
3. The first thing to notice is the App_Id parameter in the resulting URL, which is Base64 encoded.
4. Decoding App_Id shows that it is simply the registration number in Base64 form. Base64 is an encoding, not encryption: anyone can reverse it, so it offers no protection at all.
5. I changed the registration number, Base64-encoded the new value, and pasted it into the App_Id parameter.
6. Yes, you're right! I was able to check the status of every other applicant. The status page trusted App_Id on its own and never tied it to the Registration Number and D.O.B. that were verified in step 2.
In the second image, you can see that information such as Name, D.O.B., bank details and address is disclosed.
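To show why Base64 in App_Id was no protection, how quickly such an identifier can be enumerated, and what a fix has to bind, here is an added Python example. It is my own illustration, not code from the UP Scholarship site or from NCIIPC: the registration numbers, names, dates of birth and bank fields are constructed, the UP2018… numbering scheme is an assumption, and the "hardened" handler is one reasonable fix (an opaque server-side token issued only after Registration Number and D.O.B. are verified together), not necessarily the fix the site deployed.

```python
import base64
import secrets
from typing import Dict, Optional, Tuple

# Constructed sample data for the demo: fake applicants, not real records.
RECORDS: Dict[str, Dict[str, str]] = {
    "UP2018000123": {"name": "Student A", "dob": "15/01/2000", "bank": "XXXX1234"},
    "UP2018000124": {"name": "Student B", "dob": "02/11/1999", "bank": "XXXX5678"},
    "UP2018000125": {"name": "Student C", "dob": "30/06/2001", "bank": "XXXX9012"},
}


def encode_app_id(reg_no: str) -> str:
    """App_Id as observed in the report: the registration number in Base64."""
    return base64.b64encode(reg_no.encode()).decode()


def decode_app_id(app_id: str) -> str:
    """Base64 is reversible by anyone; decoding exposes the registration number."""
    return base64.b64decode(app_id).decode()


def forge_app_id(observed_app_id: str, target_reg_no: str) -> Tuple[str, str]:
    """Reproduce the manipulation: decode the observed App_Id, swap in another
    registration number, re-encode. Returns (decoded original, forged App_Id)."""
    return decode_app_id(observed_app_id), encode_app_id(target_reg_no)


def status_vulnerable(app_id: str) -> Optional[Dict[str, str]]:
    """Modelled on the reported behaviour: the record is looked up from the
    client-supplied App_Id alone, with no check that the caller proved the
    matching Registration Number and D.O.B. That is an IDOR."""
    return RECORDS.get(decode_app_id(app_id))


def enumerate_vulnerable(start: int, count: int) -> Dict[str, Dict[str, str]]:
    """Walk a range of sequential (assumed) registration numbers and collect
    every record the vulnerable endpoint hands back."""
    found: Dict[str, Dict[str, str]] = {}
    for n in range(start, start + count):
        reg_no = f"UP2018{n:06d}"
        rec = status_vulnerable(encode_app_id(reg_no))
        if rec is not None:
            found[reg_no] = rec
    return found


# Hardened version: the status page accepts only an opaque, unguessable token
# that the server issued after verifying Registration Number and D.O.B. together.
SESSIONS: Dict[str, str] = {}  # token -> registration number, kept server-side


def verify_and_issue_token(reg_no: str, dob: str) -> Optional[str]:
    """Issue a token only when both credentials match the stored record."""
    rec = RECORDS.get(reg_no)
    if rec is None or not secrets.compare_digest(rec["dob"], dob):
        return None
    token = secrets.token_urlsafe(32)  # 256 random bits, not derived from reg_no
    SESSIONS[token] = reg_no
    return token


def status_hardened(token: str) -> Optional[Dict[str, str]]:
    """The record is resolved from the server-side binding, never from a
    client-chosen identifier, so re-encoding a different reg_no gains nothing."""
    reg_no = SESSIONS.get(token)
    return RECORDS.get(reg_no) if reg_no is not None else None


if __name__ == "__main__":
    mine = encode_app_id("UP2018000123")
    decoded, forged = forge_app_id(mine, "UP2018000124")
    print("decoded App_Id:", decoded)
    print("forged App_Id:", forged, "->", status_vulnerable(forged))
    print("enumerated:", len(enumerate_vulnerable(100, 50)), "records")
    tok = verify_and_issue_token("UP2018000123", "15/01/2000")
    print("hardened, own token:", status_hardened(tok))
    print("hardened, forged App_Id:", status_hardened(forged))
```

The hardened handler still exposes a verification endpoint that takes a date of birth, which has a small search space; in practice it also needs rate limiting and lockout, something the report above does not cover.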
This bug was reported responsibly and has since been patched.
Thanks for Reading! 🤓