A classic file based IDOR on NIELIT portal
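Summary: The author found a file-based IDOR vulnerability on the NIELIT website; changing the registration number in the URL gives access to other people's documents. 2025-6-12 06:11:2 Source: infosecwriteups.com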

Adithya M S

Hello and welcome to all! This is Adithya M S, a novice web hacker passionate about digging deep into how website endpoints work and how their parameters may be tampered with.

Disclaimer: The content provided in this article is for educational and informational purposes only. Always ensure you have proper authorization before conducting security assessments. Use this information responsibly. Neither I nor the publication may be held liable for any harm, damage or legal trouble caused by acting on the information contained in this blog post. Please exercise discretion.

In this blog, I shall share my experience of exploiting a file-based IDOR in the NIELIT website.

If you have not heard the term IDOR before, it stands for Insecure Direct Object Reference. It occurs when a web server accepts internal references to resources (such as files or other records) as parameters in the paths or queries of web requests and handles them in an insecure way when responding with the corresponding resource.

There are many nice articles on the web to get some more clarity on IDOR. Here is one such reference.

Now let’s get started. NIELIT is an Indian government institute that focuses on developing human resources and related activities in the field of Information, Electronics, and Communications Technology. NIELIT also conducts an entrance examination every year to select students for its various programs.

My brother applied for this exam, and thus I was able to log in with his credentials and see the various sections of the website available to logged-in users.

One of the sections is for reviewing the filled application form. Part of this page also contains links to view 3 documents.

[Screenshot: part of the application form review page]

Now we click on one of these links to view the uploaded documents file.

Document at the URL https://nltchd.info/nielituniv25/Uploads/canddocx/71399_documents.pdf

Now 71399 is the registration number of my brother. The same number appears in the URL to view his uploaded documents: https://nltchd.info/nielituniv25/Uploads/canddocx/71399_documents.pdf. What if we change this number to, say, 71405?

Document at the URL https://nltchd.info/nielituniv25/Uploads/canddocx/71405_documents.pdf

Wow!! We get the documents of the user with registration number 71405.

The same technique holds for the photo and signature files. Their names follow the same pattern and contain the candidate registration number.

Anyone can access everybody else’s documents!! What an IDOR!
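One way to close this hole, shown as an added example that is not part of the original post or the portal's own code: route every download through a server-side check that the requested registration number belongs to the logged-in session, and keep the files outside the web root under non-enumerable names. The directory, key, document kinds and function names below are assumptions made for illustration.

```python
import hashlib
import hmac
import re
from pathlib import PurePosixPath

# Assumptions for this sketch: a private directory outside the web root, a
# server-side secret, and the three document kinds mentioned in the post.
PRIVATE_ROOT = PurePosixPath("/srv/private_uploads")
STORAGE_KEY = b"constructed-demo-key-load-from-secret-store"
KINDS = {"documents": "pdf", "photo": "jpg", "signature": "jpg"}
REG_NO = re.compile(r"[0-9]{1,10}")


class Forbidden(Exception):
    """Requester is not allowed to read this object (HTTP 403)."""


class BadRequest(Exception):
    """Malformed registration number or unknown document kind (HTTP 400)."""


def storage_name(reg_no: str, kind: str) -> str:
    # Keyed, non-enumerable file name: knowing a registration number no
    # longer reveals where the file lives. Defence in depth only.
    tag = hmac.new(STORAGE_KEY, f"{reg_no}:{kind}".encode(), hashlib.sha256)
    return f"{tag.hexdigest()[:32]}.{KINDS[kind]}"


def resolve_download(session_reg_no: str, requested_reg_no: str, kind: str) -> PurePosixPath:
    """Return the private path to stream, or raise before touching the disk."""
    if kind not in KINDS or not REG_NO.fullmatch(requested_reg_no):
        raise BadRequest("unknown kind or malformed registration number")
    # The actual fix: the object reference taken from the request is compared
    # with the identity bound to the authenticated session on the server.
    if session_reg_no != requested_reg_no:
        raise Forbidden("registration number does not belong to this session")
    return PRIVATE_ROOT / storage_name(requested_reg_no, kind)
```

The ownership comparison is what removes the IDOR; the keyed file name only ensures that a file is never reachable by guessing a URL if the check is bypassed or the directory is exposed by mistake.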

I hope you guys had fun reading this blog, and happy hacking!! Please follow me and give me some claps 👏 if you liked this post. Please comment on this post to give me any feedback that you may have and let me know how to get this bug resolved.

Thank you again for reading my article!!


Article source: https://infosecwriteups.com/a-classic-file-based-idor-on-nielit-portal-064604c7fc62?source=rss----7b722bfd1b8d---4