How I was able to see sensitive information on one of India’s best school websites.

Vikas Anand
3 min read · Jan 16, 2022

Hello Readers,

I’m Vikas Anand, a cyber security researcher and bug bounty hunter from Bihar, India.

So let’s begin.

One day, while searching for a new website to hunt on, I found an educational website. Let’s call it https://Redacted.com (as I am not supposed to reveal the name of the website).

So we have our target website. The first thing I do is collect the subdomains of the website from as many sources as possible.

I use tools such as Amass, Subfinder, Assetfinder, Findomain, etc.

After finding all the subdomains, I paste them into one .txt file

and run a simple command to find the live hosts (only those answering with HTTP 200 are kept):

cat sub_domains.txt | httpx -follow-redirects -status-code -vhost -threads 100 | sort -u | grep '\[200\]' | cut -d '[' -f1 | tee -a 200_alive.txt

Looking through the live-host file, I found a subdomain which I had used in the past, so I selected that particular subdomain for further hunting.

After selecting a subdomain, I generally go for directory brute-forcing. I use ffuf for this because it is damn fast:

ffuf -u https://Redacted.com/FUZZ -w /opt/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -mc 200

Looking at the results, I saw an endpoint where students can pay their school fees. It got my attention, and when I visited the endpoint it asked for a login 😑

It asks for two parameters: “Student Unique Id” and “D.O.B”.

As I said earlier, I had used this website in the past. So after banging my head against the wall a few times, I remembered my student ID. Who the hell remembers their unique ID after passing out?

So I logged in to the website using my unique ID, DOB and the captcha.

I generally fire up Burp Suite, then click through all the functionality and explore the website so that my Burp history captures every request. Then I go through the requests manually and try to find some loophole in them.

Looking at one of these requests, I saw that it sent the student code as a parameter, so I thought of trying for IDOR (Insecure Direct Object Reference). After passing a random value such as:

student_code=171827115XXXX10, I got a 200 OK and I was like WTF 😲

So I could see the details of that student, such as name, father’s name, mobile number, transaction history, etc.

Then I used Burp Suite’s Intruder tab to brute-force the student code and got many 200 responses.

From all these 200 responses, I could log in to any student’s account at the school and see his/her personal sensitive information.

And a fun fact: I was also able to submit his/her school fees if the student’s fees were due 😁.
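To make the bug class concrete, here is an added example that is not the author’s code and not the school portal’s code: a small Python model of the fee endpoint, once with the IDOR the write-up describes (the server trusts whatever student_code the client sends, for both reading details and paying fees) and once with the fix (the record must belong to the logged-in session). The idor_probe function does what Intruder did in the story, sweeping sequential codes and reporting which ones come back 200 for an account other than our own. The student records, the codes and the handler functions are all constructed for illustration; only the parameter name student_code comes from the write-up.

```python
"""Added example: modelling the fee-portal IDOR and its fix (hypothetical code)."""
from __future__ import annotations

import copy
from typing import Callable

# Constructed sample records: made-up codes and values, not real students.
SAMPLE_STUDENTS = {
    "1001": {"name": "Student One", "father": "Parent One", "mobile": "9000000001", "fee_due": 1500},
    "1002": {"name": "Student Two", "father": "Parent Two", "mobile": "9000000002", "fee_due": 0},
    "1003": {"name": "Student Three", "father": "Parent Three", "mobile": "9000000003", "fee_due": 2000},
}


def make_store() -> dict:
    """Fresh copy of the sample data so every run (and every test) starts from the same state."""
    return copy.deepcopy(SAMPLE_STUDENTS)


# A handler takes (store, session, student_code) and returns (status, body),
# mirroring the HTTP status code Burp shows. These are stand-ins for the portal backend.
Handler = Callable[[dict, dict, str], tuple[int, dict]]


def vulnerable_fee_details(store: dict, session: dict, student_code: str) -> tuple[int, dict]:
    """IDOR: once *any* session exists, the client-supplied student_code is looked up as-is."""
    if "student_code" not in session:
        return 401, {}
    record = store.get(student_code)
    if record is None:
        return 404, {}
    return 200, record


def fixed_fee_details(store: dict, session: dict, student_code: str) -> tuple[int, dict]:
    """Object-level authorization: the requested record must belong to the logged-in student."""
    if "student_code" not in session:
        return 401, {}
    if student_code != session["student_code"]:
        return 403, {}
    record = store.get(student_code)
    return (200, record) if record is not None else (404, {})


def vulnerable_pay_fee(store: dict, session: dict, student_code: str, amount: int) -> tuple[int, dict]:
    """Same flaw on the write path: anyone can pay (and so alter) another student's dues."""
    status, record = vulnerable_fee_details(store, session, student_code)
    if status != 200:
        return status, {}
    record["fee_due"] = max(0, record["fee_due"] - amount)
    return 200, {"fee_due": record["fee_due"]}


def fixed_pay_fee(store: dict, session: dict, student_code: str, amount: int) -> tuple[int, dict]:
    """Write path reuses the authorized lookup, so a foreign student_code is refused with 403."""
    status, record = fixed_fee_details(store, session, student_code)
    if status != 200:
        return status, {}
    record["fee_due"] = max(0, record["fee_due"] - amount)
    return 200, {"fee_due": record["fee_due"]}


def sequential_candidates(own_code: str, spread: int) -> list[str]:
    """Intruder-style numeric payload: codes on either side of our own."""
    base = int(own_code)
    return [str(c) for c in range(base - spread, base + spread + 1)]


def idor_probe(handler: Handler, store: dict, session: dict, candidates: list[str]) -> list[str]:
    """Sweep candidate codes with our own session; report the ones that return 200 for someone else.

    A non-empty result is the IDOR signal: our session let us read another student's record.
    """
    own = session["student_code"]
    return [code for code in candidates if code != own and handler(store, session, code)[0] == 200]


if __name__ == "__main__":
    store = make_store()
    session = {"student_code": "1002"}  # logged in as our own (constructed) account
    cands = sequential_candidates("1002", 2)
    print("vulnerable endpoint leaks:", idor_probe(vulnerable_fee_details, store, session, cands))
    print("fixed endpoint leaks:     ", idor_probe(fixed_fee_details, store, session, cands))
    print("pay someone else's fee:   ", vulnerable_pay_fee(store, session, "1003", 500))
```

The point of the fixed handlers is that the object identifier from the request is never used to decide *whose* data is served; the session decides that, and the request parameter is only checked against it. Equivalent fixes drop the parameter entirely and read the code from the session, or look the record up by session and ignore the supplied code.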

That’s all for this blog. I hope you liked it, and please ignore my grammatical mistakes as I’m not good at writing blogs.

If you have any questions, you can connect with me.

https://twitter.com/kingcoolvikas

https://instagram.com/kingcoolvikas

Cheers ✌️ and thanks for reading to the end of the blog.
