
Introduction:
Vulnerability Disclosure Programs (VDPs) and bug bounty platforms like YesWeHack allow ethical hackers to report security flaws before criminals exploit them. When Jared Aaron Loo discovered a critical vulnerability and reported it via GovTech Singapore’s VDP, he demonstrated how responsible disclosure protects national information assets. This article extracts real-world techniques from such bug bounty engagements, providing actionable commands, tool configurations, and mitigation strategies for both attackers and defenders.
Learning Objectives:
- Understand how to discover, exploit, and report web vulnerabilities using industry-standard tools.
- Learn Linux and Windows commands for reconnaissance, API security testing, and cloud hardening.
- Master step-by-step disclosure workflows via VDPs like GovTech Singapore and platforms like YesWeHack.
You Should Know:
1. Setting Up Your Bug Hunting Environment (Linux & Windows)
Start by building a dedicated virtual machine or WSL2 environment for ethical hacking. This isolates your tools and prevents accidental damage.
Linux (Ubuntu/Debian):
sudo apt update && sudo apt upgrade -y
sudo apt install -y nmap burpsuite zaproxy ffuf gobuster metasploit-framework
mkdir ~/bugbounty && cd ~/bugbounty
git clone https://github.com/tomnomnom/httprobe.git && cd httprobe && go build && sudo cp httprobe /usr/local/bin/
Windows (using WSL2 or PowerShell):
wsl --install -d Ubuntu
Then follow the Linux commands inside WSL. Alternatively, install Chocolatey, then:
choco install nmap burp-suite-community ffuf gobuster
Step-by-step:
- Update the OS and install core pentesting tools.
- Create a workspace for each target (e.g., govtech-target/).
- Use `httprobe` to find live subdomains from a list.
2. Reconnaissance: Finding Hidden Endpoints with Subdomain Enumeration
Attackers and bug hunters start with passive/active recon to expand the attack surface.
Use Assetfinder and Amass:
echo "govtech.gov.sg" | assetfinder -subs-only | tee subdomains.txt
amass enum -passive -d govtech.gov.sg -o amass_subs.txt
cat subdomains.txt amass_subs.txt | sort -u > all_subs.txt
Probe for live hosts:
cat all_subs.txt | httprobe -c 50 -t 3000 | tee live_hosts.txt
Windows alternative (PowerShell):
$domains = Get-Content subdomains.txt
# Test-Connection sends ICMP echo requests: it confirms reachability, not that a web service is listening
foreach ($d in $domains) { if (Test-Connection $d -Count 1 -Quiet) { $d } }
What this does: generates a list of subdomains, filters those that respond (httprobe checks HTTP/HTTPS; the PowerShell variant only checks ICMP ping, so hosts that drop ping are missed), and creates a target list for deeper scanning. Always stay within the scope of the VDP.
3. Vulnerability Scanning with Nmap and Custom Scripts
Nmap identifies open ports, services, and potential CVEs.
Basic aggressive scan:
nmap -sV -sC -O -T4 -iL live_hosts.txt -oA nmap_scan
Targeting specific CVEs (e.g., Log4Shell):
nmap -sV --script http-log4shell-detection -p 80,443,8080,8443 <target>
Windows Nmap (installed via GUI or CLI):
nmap.exe -sV --script vuln -p- 192.168.1.100 -oN vuln_scan.txt
Step-by-step guide:
- Run a fast ping sweep first (-sn) to confirm live hosts.
- Perform version detection and default scripts.
- Use `--script vuln` to automatically check for known vulnerabilities.
- Save outputs in multiple formats (.nmap, .gnmap, .xml) for later analysis.
4. Web Application Testing: Burp Suite & OWASP ZAP Configuration
Burp Suite is the industry standard for manual web testing. Configure it to intercept and modify traffic.
Set up Burp Proxy:
- Open Burp → Proxy → Intercept → “Intercept is on”.
- Configure browser to use localhost:8080.
- Install Burp’s CA certificate for HTTPS decryption (visit `http://burp`).
Automate scanning with ZAP in headless mode:
zap-cli quick-scan --self-contained --spider -r -s all -o zap_report.html https://target.govtech.gov.sg
Testing for SQL injection manually:
GET /api/user?id=1' OR '1'='1 HTTP/1.1
Host: target.govtech.gov.sg
If the response includes a database error or extra data, you’ve found a potential SQLi.
Step-by-step for API security:
- Capture API requests from mobile apps or web apps.
- Fuzz parameters using Intruder (Burp) or FFUF:
ffuf -u https://target/api/v1/user?id=FUZZ -w /usr/share/wordlists/SQLi.txt -fc 404
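The SQL injection test above works because the `id` value is pasted into the query text. The following is an added example (not code from the article or from GovTech) that puts the vulnerable query next to the parameterized one against a constructed in-memory SQLite table, so a developer can see exactly why the `1' OR '1'='1` probe returns extra rows and why binding the parameter stops it. The table, rows and function names are assumptions made for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the /api/user backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "alice", "alice@example.invalid"),
        (2, "bob", "bob@example.invalid"),
        (3, "carol", "carol@example.invalid"),
    ])
    return conn


def lookup_vulnerable(conn, user_id):
    """String concatenation: the user-supplied value becomes part of the SQL grammar.

    With user_id = "1' OR '1'='1" the WHERE clause is always true and every row leaks.
    """
    sql = "SELECT id, name FROM users WHERE id = '" + user_id + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_id):
    """Bound parameter: the value is sent separately and is never parsed as SQL.

    The same probe string is compared literally against the id column and matches nothing.
    """
    return conn.execute("SELECT id, name FROM users WHERE id = ?", (user_id,)).fetchall()


def lookup_validated(conn, user_id):
    """Defense in depth: enforce the expected type before the query runs at all.

    Rejecting non-numeric ids also denies the attacker the database error message
    that the article says signals a potential SQLi.
    """
    if not user_id.isdigit():
        raise ValueError("id must be a positive integer")
    return conn.execute("SELECT id, name FROM users WHERE id = ?", (int(user_id),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "1' OR '1'='1"
    print("vulnerable   :", lookup_vulnerable(db, probe))     # all three rows
    print("parameterized:", lookup_parameterized(db, probe))  # []
```

A useful habit when triaging a report is to compare the row count returned for a benign id with the count returned for the probe: any difference confirms the input reached the query unbound.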
5. Reporting Vulnerabilities via GovTech VDP & YesWeHack
After finding a bug, responsible disclosure is critical. GovTech Singapore uses YesWeHack as their VDP platform.
Step-by-step report submission:
- Create an account on YesWeHack.
- Navigate to “Programs” → search “GovTech Singapore”.
- Read the scope and rules of engagement (e.g., no DoS, no social engineering).
- Click “Report a vulnerability” and fill in:
- Title: (e.g., “Reflected XSS on subdomain x.govtech.gov.sg”)
- Description: Steps to reproduce, impact, CVSS score (use NVD calculator).
- Attach proof-of-concept (PoC) screenshots, video, or a script.
- Wait for triage – typically within 24-48 hours. Jared reported and got a fix “in a jiffy”.
What to include in a PoC:
<!-- Example XSS payload -->
<script>alert('VDP Test')</script>
Linux command to generate a curl PoC:
curl -X POST https://target.govtech.gov.sg/api/comment -H "Content-Type: application/json" -d '{"text":"<script>alert(1)</script>"}'
6. Cloud Hardening: Misconfigured AWS S3 Buckets
Many GovTech and enterprise assets reside in the cloud. S3 misconfigurations are common bug bounty findings.
Enumerate S3 buckets with `s3scanner`:
git clone https://github.com/sa7mon/S3Scanner.git
cd S3Scanner
pip install -r requirements.txt
echo "govtech-assets" | python s3scanner.py -l - -o found_buckets.txt
Check for public read/write:
aws s3 ls s3://govtech-assets/ --no-sign-request
aws s3 cp test.txt s3://govtech-assets/ --no-sign-request
If the copy succeeds, the bucket is writeable.
Mitigation commands (for defenders):
aws s3api put-bucket-acl --bucket govtech-assets --acl private
aws s3api put-public-access-block --bucket govtech-assets --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
Step-by-step:
- List buckets using common naming patterns.
- Attempt unauthenticated access.
- If open, report immediately via VDP. For remediation, apply the above AWS CLI commands.
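The remediation commands above set the ACL to private and enable all four public-access-block settings; a defender also wants to verify that state across many buckets. The following is an added example (not from the article, and not an AWS tool) that audits the JSON shapes returned by `aws s3api get-bucket-acl`, `get-public-access-block` and `get-bucket-policy` for the three usual exposure paths: public ACL grants, missing public-access-block settings, and policy statements that allow `Principal "*"` without a Condition. The bucket name `example-bucket` and the sample ACL, configuration and policy are constructed for the demonstration; feed it real output from the CLI to audit a real account.

```python
import json

# Canned group URIs that make an ACL grant public.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anonymous)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}
# The four settings the article's put-public-access-block command turns on.
REQUIRED_PAB = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def public_acl_grants(acl):
    """(grantee label, permission) for every ACL grant to a public group."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        label = PUBLIC_GRANTEES.get(grantee.get("URI"))
        if grantee.get("Type") == "Group" and label:
            hits.append((label, grant["Permission"]))
    return hits


def missing_public_access_blocks(pab):
    """Settings absent or false in a get-public-access-block result (None = never configured)."""
    cfg = (pab or {}).get("PublicAccessBlockConfiguration", {})
    return [k for k in REQUIRED_PAB if not cfg.get(k, False)]


def wildcard_policy_statements(policy_json):
    """Sids of Allow statements with Principal '*' (or {'AWS': '*'}) and no Condition."""
    if not policy_json:
        return []
    stmts = json.loads(policy_json).get("Statement", [])
    if isinstance(stmts, dict):  # a single statement may be given as an object
        stmts = [stmts]
    hits = []
    for s in stmts:
        p = s.get("Principal")
        wild = p == "*" or (isinstance(p, dict) and p.get("AWS") in ("*", ["*"]))
        if s.get("Effect") == "Allow" and wild and "Condition" not in s:
            hits.append(s.get("Sid", "<no Sid>"))
    return hits


def audit_bucket(name, acl, pab, policy_json=None):
    """Human-readable findings; an empty list means the bucket passes all three checks."""
    findings = []
    for label, perm in public_acl_grants(acl):
        findings.append(f"{name}: ACL grants {perm} to {label}")
    for k in missing_public_access_blocks(pab):
        findings.append(f"{name}: public access block '{k}' is not enabled")
    for sid in wildcard_policy_statements(policy_json):
        findings.append(f"{name}: policy statement '{sid}' allows Principal '*' without a Condition")
    return findings


# Constructed sample data in the shape the AWS CLI returns.
OWNER = {"Type": "CanonicalUser", "ID": "constructed-owner-id"}
SAMPLE_ACL_OPEN = {"Owner": OWNER, "Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "WRITE"},
]}
SAMPLE_ACL_PRIVATE = {"Owner": OWNER, "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
SAMPLE_PAB_WEAK = {"PublicAccessBlockConfiguration": {k: False for k in REQUIRED_PAB}}
SAMPLE_PAB_HARDENED = {"PublicAccessBlockConfiguration": {k: True for k in REQUIRED_PAB}}
SAMPLE_POLICY_PUBLIC = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})

if __name__ == "__main__":
    for f in audit_bucket("example-bucket", SAMPLE_ACL_OPEN, SAMPLE_PAB_WEAK, SAMPLE_POLICY_PUBLIC):
        print(f)
    print("hardened:", audit_bucket("example-bucket", SAMPLE_ACL_PRIVATE, SAMPLE_PAB_HARDENED))
```

Run it before and after the two CLI commands in the mitigation step: the ACL finding and the four public-access-block findings should disappear, while a wildcard bucket policy needs a separate `delete-bucket-policy` or a rewrite.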
7. Exploitation & Mitigation: Real-World Bug Bounty Examples
Based on Jared’s disclosure, we simulate a typical vulnerability: IDOR (Insecure Direct Object Reference) on an API.
Exploitation:
GET /api/invoice?invoice_id=1001 HTTP/1.1
Host: payments.govtech.gov.sg
Authorization: Bearer user1_token
Change `invoice_id=1002` – if you see another user’s invoice, it’s IDOR.
Mitigation (for developers):
- Implement server-side access controls (e.g., check `user_id` from token matches invoice owner).
- Use UUIDs instead of sequential integers.
- Code example (Node.js):
app.get('/api/invoice/:id', (req, res) => {
  const invoice = db.getInvoice(req.params.id);
  // Unknown id: fail closed instead of dereferencing undefined below
  if (!invoice) return res.status(404).send('Not found');
  // Authorization: the caller identified by the validated token must own the record
  if (invoice.userId !== req.user.id) return res.status(403).send('Forbidden');
  res.json(invoice);
});
Linux command to test IDOR in bulk:
for id in {1000..2000}; do curl -s -H "Authorization: Bearer $TOKEN" "https://payments.govtech.gov.sg/api/invoice?invoice_id=$id" | grep -i "error" || echo "Potential IDOR at $id"; done
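To make the IDOR and its mitigations concrete on the defender's side, here is an added example (not from the article, and not GovTech's code) in Python: an in-memory invoice store with the two users from the request above, the handler as the article's exploit finds it (authenticated but never checking ownership), the fixed handler with the server-side ownership check, a UUID-based id for new invoices, and a small detection routine that spots the sequential enumeration pattern the loop above produces in an access log. The token values, the store and the log lines are constructed for the demonstration.

```python
import re
import uuid

# Constructed in-memory store with sequential ids, as in the article's request.
INVOICES = {
    1001: {"invoice_id": 1001, "owner_id": "user1", "amount": 120.00},
    1002: {"invoice_id": 1002, "owner_id": "user2", "amount": 980.50},
}
# Constructed token -> user mapping standing in for real bearer-token validation.
TOKENS = {"user1_token": "user1", "user2_token": "user2"}


class HTTPError(Exception):
    def __init__(self, status, message):
        super().__init__(message)
        self.status = status


def authenticate(headers):
    """Resolve the Authorization header to a user id or raise 401."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    user = TOKENS.get(token) if scheme == "Bearer" else None
    if user is None:
        raise HTTPError(401, "Unauthorized")
    return user


def get_invoice_vulnerable(headers, invoice_id):
    """Authenticates the caller but never checks ownership: the IDOR the article describes."""
    authenticate(headers)
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise HTTPError(404, "Not found")
    return invoice


def get_invoice_fixed(headers, invoice_id):
    """Server-side access control: the token's user must own the invoice (403 as in the article)."""
    user = authenticate(headers)
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise HTTPError(404, "Not found")
    if invoice["owner_id"] != user:
        # Some teams return 404 here too, so the endpoint does not confirm which ids exist.
        raise HTTPError(403, "Forbidden")
    return invoice


def create_invoice(owner_id, amount):
    """Mint an unguessable id; this complements, not replaces, the ownership check."""
    new_id = str(uuid.uuid4())
    INVOICES[new_id] = {"invoice_id": new_id, "owner_id": owner_id, "amount": amount}
    return new_id


def flag_enumeration(log_lines, threshold=20):
    """Users who requested more than `threshold` distinct invoice ids: the signature of the bulk loop."""
    seen = {}
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        m = re.search(r"invoice_id=(\w+)", fields.get("path", ""))
        if m and "user" in fields:
            seen.setdefault(fields["user"], set()).add(m.group(1))
    return sorted((u, len(ids)) for u, ids in seen.items() if len(ids) > threshold)


# Constructed access-log lines: user1 sweeping ids 1000-1024, user2 reading its own invoice twice.
SAMPLE_LOG = [f"user=user1 path=/api/invoice?invoice_id={i} status=403" for i in range(1000, 1025)] + [
    "user=user2 path=/api/invoice?invoice_id=1002 status=200",
    "user=user2 path=/api/invoice?invoice_id=1002 status=200",
]

if __name__ == "__main__":
    h = {"Authorization": "Bearer user1_token"}
    print("vulnerable:", get_invoice_vulnerable(h, 1002)["owner_id"])  # user2's invoice leaks
    try:
        get_invoice_fixed(h, 1002)
    except HTTPError as e:
        print("fixed:", e.status, e)
    print("enumeration:", flag_enumeration(SAMPLE_LOG))
```

The detection function keys on the user from the validated token rather than on the token string itself, so the log never has to contain a credential; a burst of 403s from one user across many ids is the event worth alerting on once the fix is deployed.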
What Undercode Say:
- Key Takeaway 1: Responsible disclosure through VDPs like GovTech Singapore’s YesWeHack program is faster and more effective than public shaming – the affected party fixed the bug “in a jiffy”.
- Key Takeaway 2: Mastering open-source tools (Nmap, ffuf, Burp Suite, AWS CLI) and systematic recon steps turns any ethical hacker into a valuable asset for national cybersecurity.
Analysis: The post by Jared Aaron Loo highlights a growing trend: governments embracing bug bounties. Unlike traditional pentests, VDPs leverage a global crowd of researchers. This democratization of security testing significantly reduces mean time to remediation. However, hunters must strictly follow scope – attacking non-listed assets could violate laws. The inclusion of GovTech and YesWeHack shows public-private collaboration at its best. Undercode predicts that within two years, all major Singapore government agencies will operate their own VDPs, and automated recon-as-a-service will become standard. For defenders, the lesson is clear: deploy a VDP before a black-hat finds your flaw.
Prediction:
As AI-powered vulnerability scanners become mainstream, bug bounty platforms will shift from volume-based findings to complex logic flaws (business logic, race conditions, and AI prompt injection). GovTech will likely integrate automated triage using machine learning to classify reports, reducing response time from hours to minutes. Meanwhile, attackers will target VDP researchers via social engineering to steal zero-days. The future of Singapore’s cyber defense hinges on continuous VDP adoption – and professionals like Jared will lead the charge.
Reported By: Jaredaaronloo Singapore – Hackers Feeds