How i was able to see Sensitive Information on One of the India’s best School Website.

4 months ago 17

Vikas Anand

Hello Readers,

I’m Vikas Anand. I am a Cyber Security Researcher and a Bug Bounty hunter From Bihar, India.

So Let’s Begin.

So One day while Searching for New website to Hunt. I found a Educational Website. Let’s Called the Website as https://Redacted.com ( as i am not supposed to reveal the name of the website )

So we have our target Website. So first Thing I do is to find the subdomain of the website from many sources.

I use Tool such as Amass, Subfinder, Assetfinder , Findomain etc.

After Finding all the subdomain i Paste all the subdomain to one .txt file

And run a simple command to find alive domains.

cat sub_domains.txt | httpx -follow-redirects -status-code -vhost -threads 100 | sort -u | grep “200” | cut -d [ -f1 | tee -a 200_alive.txt

After looking at the alive subdomain file, i find a subdomain which i have used in the past. So i select the particular subdomain for further hunting.

After selecting Subdomain i generally go for Directory Brute-forcing. I use ffuf for directory Brute-forcing because it is damn fast.

ffuf -u https://Redacted.com/FUZZ -w /opt/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -mc 200

After Seeing the result i see an endpoint where we can pay our school fees. It got my attention and when visiting this endpoint it ask for the Login 😑

It asking two parameter “Student Unique Id” and “D.O.B”.

As i said previously i have used this website in the past . So After hitting my head to wall Continuous times i remember my Student id . As who the hell remember his Unique id After pass-out.

So I got login in the website using my Unique id , dob and captcha.

I generally Fire up my Burp-Suite then check all the functionality and explore website. So that my Burp history Catches all the requests and i manually see them and try to find some loophole in the requests.

After Seeing this request It asking for Student code as parameter in request I thought of trying “IDOR” ( Insecure Direct Object Reference ) Vulnerability. And After Passing a Random Value such as :

student_code=171827115XXXX10. I Got 200 OK and I was like WTF 😲

So I can see the Details of the Student such as Name, Father’s name, Mobile Number , Transaction history etc.

And Then I use the Burp-Suite Intruder Tabs to Brute-force the Student code and i got many 200 Response.

And from this all 200 Response i can login to any Student account of the school and can see his/her personal Sensitive Information.

And Fun fact Is that : I can Also able to Submit his/her School fees if the fees of the student is due 😁.

So That’s all From this blog, I hope you Like it. And please ignore my Grammatical mistake as I’m not good at writing blog.

If you have any question you can connect with me.

https://twitter.com/kingcoolvikas

https://instagram.com/kingcoolvikas

Cheers✌️and thanks for Reading at the end of the blog.

Read Entire Article