How I Was Able to See Sensitive Information on One of India’s Best School Websites.
I’m Vikas Anand. I am a Cyber Security Researcher and Bug Bounty hunter from Bihar, India.
So let’s begin.
One day, while searching for a new website to hunt on, I found an educational website. Let’s call the website https://Redacted.com (as I am not supposed to reveal the name of the website).
So we have our target website. The first thing I do is find the subdomains of the website from many sources.
I use tools such as Amass, Subfinder, Assetfinder, Findomain etc.
After finding all the subdomains I paste them into one .txt file
and run a simple command to find the alive ones.
cat sub_domains.txt | httpx -follow-redirects -status-code -vhost -threads 100 | sort -u | grep "200" | cut -d [ -f1 | tee -a 200_alive.txt
Looking at the alive subdomain file, I found a subdomain which I had used in the past, so I selected that particular subdomain for further hunting.
After selecting a subdomain I generally go for directory brute-forcing. I use ffuf for directory brute-forcing because it is damn fast.
ffuf -u https://Redacted.com/FUZZ -w /opt/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -mc 200
Looking at the results I saw an endpoint where we can pay our school fees. It got my attention, and when I visited this endpoint it asked for a login 😑
It asks for two parameters, “Student Unique Id” and “D.O.B”.
As I said previously, I had used this website in the past. So after hitting my head against the wall a few times I remembered my Student ID, because who the hell remembers their Unique ID after passing out?
So I logged in to the website using my Unique ID, DOB and captcha.
I generally fire up my Burp Suite, then check all the functionality and explore the website so that my Burp history catches all the requests; then I go through them manually and try to find some loophole in the requests.
Looking at one request, I saw that it takes the student code as a parameter. I thought of trying an IDOR (Insecure Direct Object Reference) vulnerability. After passing a random value such as:
student_code=171827115XXXX10, I got 200 OK and I was like WTF 😲
So I could see the details of the student such as name, father’s name, mobile number, transaction history etc.
Then I used the Burp Suite Intruder tab to brute-force the student code and got many 200 responses.
From all those 200 responses I could log in to any student account of the school and see his/her personal sensitive information.
And the fun fact is: I could also submit his/her school fees if the student’s fees were due 😁.
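To show what went wrong on the server side, here is an added illustration (my own sketch, not the school’s code): a “student details” lookup that trusts the client-supplied student_code after only checking that a session exists, beside the same lookup with an object-level authorization check, plus a small detector that flags sessions requesting many different student codes, the pattern an Intruder run leaves in the access log. The student codes, records and log lines are constructed.

```python
from collections import defaultdict

# Constructed sample records; the student codes are made up for this example.
STUDENTS = {
    "1718271150010": {"name": "Student A", "mobile": "9000000001", "fee_due": 0},
    "1718271150011": {"name": "Student B", "mobile": "9000000002", "fee_due": 1500},
}


def student_details_vulnerable(session_student_code, requested_code):
    """IDOR: only checks that the caller is logged in, then returns whatever
    student_code the client asked for."""
    if session_student_code is None:
        return 401, None
    record = STUDENTS.get(requested_code)
    return (200, record) if record else (404, None)


def student_details_fixed(session_student_code, requested_code):
    """Object-level authorization: the requested record must belong to the
    student established at login (unique id + DOB + captcha)."""
    if session_student_code is None:
        return 401, None
    if requested_code != session_student_code:
        return 403, None  # do not even look up records the caller does not own
    record = STUDENTS.get(requested_code)
    return (200, record) if record else (404, None)


def enumeration_suspects(log_lines, threshold=5):
    """Return session ids that requested more than `threshold` distinct
    student_code values. Each constructed log line has the form
    'session=<id> student_code=<code> status=<http status>'."""
    codes_per_session = defaultdict(set)
    for line in log_lines:
        fields = dict(part.split("=", 1) for part in line.split())
        codes_per_session[fields["session"]].add(fields["student_code"])
    return sorted(s for s, codes in codes_per_session.items() if len(codes) > threshold)
```

The fix is the single ownership comparison; without it, “logged in” is the only gate and every student_code in range is readable.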
So that’s all from this blog, I hope you like it. And please ignore my grammatical mistakes as I’m not good at writing blogs.
If you have any questions you can connect with me.
Cheers ✌️ and thanks for reading to the end of the blog.