How I Found a Bug in the Dutch Government and Never Got the Swag
Hello everyone, and welcome back to my blog!
In this post, I’ll walk you through how I discovered vulnerabilities on Dutch government websites and, as a result, never got the swag — including a T-shirt with an awesome quote: “I hacked the Dutch Government and all I got was this lousy t-shirt”.
🐞 Bugs Reported
First Bug: Directory Listing on wp-content/uploads
→ Led to Information Disclosure
Second Bug: Unauthenticated Access to Apache Jena Fuseki Admin Panel using default credentials
🎯 The Goal
I came across a GitHub gist by random-robbie, which contains a comprehensive list of Dutch government domains. I thought to myself: “What if I could identify which of these are running WordPress and check for common misconfigurations or vulnerabilities?”
So the plan was simple:
Identify WordPress instances → Run WPScan → Look for common misconfigurations → Report valid issues.
🔍 Finding WordPress Sites Easily
With over 1500 domains in the list, manually checking for WordPress installations wasn’t practical. This is where Nuclei came to the rescue.
Using the WordPress detection template, I ran the following command:
cat domains.txt | nuclei -t ~/nuclei-templates/technologies/wordpress-detect.yaml -o wordpress.txt
This helped me filter out WordPress-powered sites from the massive domain list efficiently.
🛠️ Running WPScan
After identifying a few WordPress websites, I focused on one particular domain. Initially, it redirected from:
https://www.target.com/ → https://www.target.com/nl_NL/
I then ran WPScan on it using:
wpscan --url https://target.com/ -e dbe,vp,vt --rua --api-token 'your_api_token' --plugins-detection aggressive
During the scan, I discovered that directory listing was enabled on the following paths:
While inspecting the exposed directories, I discovered log files and sensitive information within the wp-content/uploads directory, including details about the website’s internal structure and configuration. This exposed data could potentially be leveraged for further exploitation, making it a clear case of information disclosure.
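As an added example (not code from the original post), here is a small defender-side triage helper for this finding: given the body of an HTTP response for a path such as /wp-content/uploads/, it tells whether the server returned an Apache/nginx autoindex listing and which listed files look like they should never be public (log files, database dumps, backups). The sample pages below are constructed, not taken from a real host.

```python
import re
from html.parser import HTMLParser

# Extensions that should never be reachable in a public uploads directory.
SENSITIVE_EXTENSIONS = (".log", ".sql", ".zip", ".gz", ".bak", ".env", ".json", ".xml")


class _IndexParser(HTMLParser):
    """Collects the <title> text and every href from an autoindex page."""

    def __init__(self):
        super().__init__()
        self.title, self.hrefs, self._in_title = "", [], False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a" and dict(attrs).get("href"):
            self.hrefs.append(dict(attrs)["href"])

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def audit_listing(body: str) -> dict:
    """Classify one response body: is it an Apache/nginx directory listing,
    and which of the listed files look like they should not be public?"""
    p = _IndexParser()
    p.feed(body)
    listing = re.match(r"\s*Index of /", p.title) is not None
    # Skip sort links (?C=N;O=D), absolute links and the parent-directory link.
    names = [h for h in p.hrefs if not h.startswith(("?", "/", "../"))]
    files = [n for n in names if not n.endswith("/")]
    sensitive = [f for f in files if f.lower().endswith(SENSITIVE_EXTENSIONS)]
    return {"listing": listing, "files": files, "sensitive": sensitive}


# Constructed sample of an Apache autoindex page for wp-content/uploads (not a real host).
SAMPLE_LISTING = """<html><head><title>Index of /wp-content/uploads</title></head>
<body><h1>Index of /wp-content/uploads</h1>
<a href="?C=N;O=D">Name</a> <a href="/wp-content/">Parent Directory</a>
<a href="2024/">2024/</a> <a href="debug.log">debug.log</a>
<a href="site-backup.sql">site-backup.sql</a> <a href="logo.png">logo.png</a>
</body></html>"""

# Constructed sample of a hardened server's answer (Options -Indexes / autoindex off).
SAMPLE_HARDENED = "<html><head><title>403 Forbidden</title></head><body>Forbidden</body></html>"
```

The server-side fix is `Options -Indexes` in the Apache vhost or .htaccess (or `autoindex off;` in nginx), after which the same request returns a 403 and the helper reports no listing.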
🔐 Second Finding: Apache Jena Fuseki Admin Panel
While exploring additional domains from the same dataset, I selected one domain and began enumerating its subdomains. Using the Firefox extension “Open All URLs”, I loaded multiple subdomains in the browser to manually inspect them. During this process, I came across a login panel on one of the subdomains. Upon closer inspection, I noticed a footer reference to Apache Jena Fuseki. A quick Google search revealed that the default credentials for the platform were admin:admin. Using that default username/password combination:
Username: admin
Password: admin
I was able to log in and access the admin interface, which could potentially allow an attacker to view or manipulate linked data sets. This was a much more serious misconfiguration and a clear case of exposed internal administrative access.
📨 Reporting the Issues
The first bug wasn’t actually low in severity, as I came across log files and sensitive information within the exposed directories — making it a valid information disclosure issue. The second bug, involving unauthorized access to the Apache Jena Fuseki admin panel using default credentials, was clearly high or critical in nature. I submitted both vulnerabilities separately through the Dutch government’s responsible disclosure platform, and each report was acknowledged. As a result, I received swag for both bugs individually.
🎁 The Response
About five days later, I received a kind acknowledgment from the Dutch government security team. They appreciated the effort, confirmed the findings, and sent me a swag package which never came.
💬 Final Thoughts
This journey taught me that even seemingly minor issues can lead to recognition, and sometimes, digging just a bit deeper uncovers more serious flaws. Whether it’s a low-risk directory listing or unauthenticated access to an admin panel — every valid report strengthens the overall security posture.
This was my first interaction with the Dutch government’s VDP, and it was a great experience.
Stay curious, stay safe, and happy hacking!
— Vikas Anand