Hey guys, I am back again with another writeup about how I found a severe bug in my college’s student portal which leads to a data leak of every student in my college. Basically it is a third-party web portal for students in which students can check their timetable, attendance, profile, fee dues and a lot of other stuff.
It was a simple IDOR bug with a huge impact. Now, without any delay, let’s get started.
For the past 2 weeks I was struggling to find any valid bug on VDPs and bug bounty programs, so one day I indulged myself in a conversation with my brain. It goes like:
ME: DAMNN!!! I’m not getting any valid bug, I’m tired of this shit.
MY BRAIN: 😂😂😂 huh…. loser
ME: I should pick an easy target, that will be quite fun.
MY BRAIN: yeah…
ME: What about our college’s student portal😏
MY BRAIN: That will be a hell lot of dopamine for me. DOPAMINE DOPAMINE DOPAMINE DOPAMINE DOPAMINE…..
ME: Should I really do it???
MY BRAIN:
So, after listening to my brain’s approval I moved on to test my target with my full potential.
I started fuzzing for directories and files but didn’t find anything interesting, so I started doing some manual recon and went through every functionality in the web app. Then my eye caught an option which is used to check the fee dues. I clicked on that option and started analysing the requests in my Burp proxy. The interface of the fee status page was something like this:
The request was quite interesting to me, it was like:
As you guys can see, there are 3 parameters in the body:
Method, Admission number, br_id
I have no idea what the hell br_id is. So I again clicked on the fee status option, intercepted it and changed the admission number parameter from blah blah blah26 to blah blah blah30, and I could clearly see the fee status page of that student including some of his basic info.
I was pretty sure there was something more about this request, so I sent that request to the Repeater tab and again changed the admission number to blah blah blah30. The response of the request amazed and shocked me at the same time.
Literally the response was leaking a hell lot of data about the student including their email, phone number and address. The leaked data also has 10th and 12th class marks 😉.
Now I feel like a HACKER…
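For the portal's developers, the server-side side of this bug and its fix look roughly like the sketch below. It is an added example, not code from the portal or from the original writeup: the handler names, the `admission_no` key, the session store and every record are constructed for illustration, and `br_id` is passed through untouched because the writeup does not say what it means.

```python
# Added example. All names and records below are constructed, not the portal's.
STUDENTS = {
    "ADM0026": {"name": "Student A", "fee_due": 0, "email": "a@example.edu",
                "phone": "555-0100", "address": "1 Sample Rd", "marks_12th": 81},
    "ADM0030": {"name": "Student B", "fee_due": 4500, "email": "b@example.edu",
                "phone": "555-0101", "address": "2 Sample Rd", "marks_12th": 77},
}
SESSIONS = {"token-a": "ADM0026"}   # session token -> admission number fixed at login
FEE_FIELDS = ("name", "fee_due")    # the only fields the fee status page renders
AUDIT = []                          # denied cross-account lookups, for alerting


class Forbidden(Exception):
    """Raised when the caller may not read the requested record."""


def fee_status_vulnerable(token, body):
    """Behaviour described in the writeup: any logged-in user, any record."""
    if token not in SESSIONS:
        raise Forbidden("not logged in")
    # Trusts the client-supplied admission number and returns the whole row.
    return dict(STUDENTS[body["admission_no"]])


def fee_status_hardened(token, body):
    """Bind the lookup to the session and return only the fields the page needs."""
    owner = SESSIONS.get(token)
    if owner is None:
        raise Forbidden("not logged in")
    requested = body.get("admission_no", owner)
    if requested != owner:
        AUDIT.append({"session_owner": owner, "requested": requested})
        raise Forbidden("admission number does not match session")
    record = STUDENTS[owner]
    return {field: record[field] for field in FEE_FIELDS}


def demo():
    """Replay the tampered request from the writeup against both handlers."""
    tampered = {"method": "fee_status", "admission_no": "ADM0030", "br_id": "1"}
    leaked = fee_status_vulnerable("token-a", tampered)
    try:
        fee_status_hardened("token-a", tampered)
        blocked = False
    except Forbidden:
        blocked = True
    own = fee_status_hardened("token-a", dict(tampered, admission_no="ADM0026"))
    return leaked, blocked, own, list(AUDIT)
```

The hardened handler fixes two separate problems: the missing ownership check, and a response that carried far more fields than the fee status page ever displayed.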
After that I was a bit confused about the next step: should I report to the company or just let it go? But as a responsible cyber security researcher and bug hunter I decided to report the bug to the company.
I wrote a beautiful email with a well-described report to the company’s support email address expecting a reply from them, but these guys didn’t reply to any of my mails. I don’t know what the hell is wrong with these guys, why they are not taking this security concern seriously. Well, nothing new to me, I have faced these types of guys in my past.
ENDING
That’s it for this writeup guys, hope you have enjoyed the writeup. Feel free to connect with me, my DMs are always open for any recommendation or help. Do follow me on Twitter for regular updates about cyber security and bug bounty stuff. See ya all with a new writeup.
>>>>>>>>>>>>>>>>>>>>>>>>>>>TWITTER<<<<<<<<<<<<<<<<<<<<<<<<<<<