Hello hackers, I’m Ahmed Ashraf, a bug hunter.
In today’s blog, I’ll be sharing a cool bug that I discovered related to application logic flow.
About target:
The target is an educational platform focused on enhancing reading and writing skills, offering tools for content assignment, progress tracking, and feedback. It supports roles like teacher, student, and administrator, each with different access levels. The platform fosters a collaborative learning environment aimed at improving literacy.
Overview:
In this post, I discuss a logic flaw found in an educational application designed for teachers to manage their class assessments. The application enforces a 30-day restriction between assessment types (Pre-Assessment, Mid-Year, Post-Assessment) via its GUI. However, this restriction can be bypassed by tampering with API requests. This vulnerability allows teachers to schedule assessments within restricted periods, impacting the integrity of the system.
Steps to Reproduce:
1- Log in as a Teacher.
2- Create a Pre-Assessment.
3- I have 3 Assessments [Pre, Mid, Post].
4- Click to schedule the Pre-Assessment with a start date of 6/28/2024.
5- As shown below, the GUI prevents selecting any earlier date.
6- Attempt to create a Mid-Year Assessment:
7- After a successful Pre-Assessment, I attempted to schedule a Mid-Year Assessment on 7/10/2024, just 12 days later.
8- As expected, the GUI restricts this action, displaying a message that this violates the 30-day interval.
9- Navigate to Pre-Assessment: I went back to the Pre-Assessment for the same class and clicked on the edit option for the previously created assessment.
10- The application interface restricts editing the assessment date to be earlier than the original creation date (6/28/2024), as shown below:
11- Intercepting the Edit Request: I intercepted the request when submitting the edit form to change the start date. The payload contains the start date, which I modified to a date earlier than 6/28/2024 (e.g., 6/10/2024).
12- After modifying the date, I forwarded the request to the server, which responded with a 200 OK, confirming the successful update of the assessment date to before 6/28/2024.
13- Upon refreshing the page, the assessment start date was updated to the earlier date, confirming the bypass.
14- Now I can make the Mid-Year Assessment start on 7/10/2024.
The vulnerability allows teachers to create assessments without adhering to the 30-day restriction, potentially skewing student assessment timelines. This is a logic flaw in the application’s backend validation, as it only enforces date restrictions at the GUI level, not server-side.
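The fix is to run the same date rules on the server for both the create and the edit request. The sketch below is an added example, not the platform's code: the type names `pre`/`mid`/`post`, their ordering, the ISO date format, the status codes, and the `floor` field (the original date an edit may not go below) are all assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

MIN_GAP = timedelta(days=30)     # interval the page says the GUI enforces
ORDER = ["pre", "mid", "post"]   # assumed type names and ordering


@dataclass
class Assessment:
    start: date
    floor: date  # original date; edits may not move the start before it


def violations(schedule, kind, new_start):
    """Rule violations for placing `kind` at `new_start` in one class.

    `schedule` maps kind -> Assessment. Runs on the server for both
    create and edit, so the request body is never trusted to have
    passed the date picker.
    """
    if kind not in ORDER:
        return [f"unknown assessment type {kind!r}"]
    errors = []
    current = schedule.get(kind)
    if current is not None and new_start < current.floor:
        errors.append("start date is earlier than the original date")
    for other_kind, other in schedule.items():
        if other_kind == kind:
            continue
        if ORDER.index(other_kind) < ORDER.index(kind):
            gap = new_start - other.start
        else:
            gap = other.start - new_start
        if gap < MIN_GAP:
            errors.append(f"less than 30 days apart from {other_kind}")
    return errors


def save(schedule, kind, start_field):
    """Handler core: parse the client-supplied date, validate, then store."""
    try:
        new_start = date.fromisoformat(start_field)
    except (TypeError, ValueError):
        return 400, ["start date is not a valid ISO date"]
    errors = violations(schedule, kind, new_start)
    if errors:
        return 422, errors  # reject; schedule is left untouched
    floor = schedule[kind].floor if kind in schedule else new_start
    schedule[kind] = Assessment(new_start, floor)
    return 200, []
```

With the dates from this report, the tampered edit to 6/10/2024 is rejected, so the Mid-Year Assessment on 7/10/2024 stays blocked.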
Note: this series of assessments is a paid feature
Bugcrowd profile: https://bugcrowd.com/ahmed_ashraf74
Linkedin Profile: https://www.linkedin.com/in/ahmed-ashraf-taha
Twitter: https://x.com/ahmedashrafv9