16

our university results are out
the webpage to check the results has only 3 input fields
roll number
date of birth
captcha
after checking the source code, turns out it doesn't need the date of birth and the most FUCKED UP part is the captcha it uses is generated using JavaScript on the client side and literally checked using string1 == string2
I captured the POST request it's sending..
it only sends the roll number with some headers to the URL
I wrote a quick Python script to emulate the POST request and got back the results of my entire college
note - the university I'm referring to has literally more than a hundred thousand students under it, each and every student uses that interface to get his results
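
The server-side counterpart to the checks described in the post, as an added example that is not part of the original post or the university's code: the CAPTCHA answer is bound to an HMAC-signed, expiring, single-use token, and the date of birth is compared on the server. The key, form field names and student records are constructed assumptions.

```python
import hashlib, hmac, secrets, time

SERVER_KEY = secrets.token_bytes(32)  # assumption: per-deployment secret, never sent to the browser
CAPTCHA_TTL = 120                     # seconds a challenge stays valid
_used = set()                         # burned nonces (in-memory only for this example)
# Constructed sample records: roll number -> (date of birth, result)
STUDENTS = {"1001": ("2001-04-17", "PASS"), "1002": ("2000-11-02", "FAIL")}

def _mac(nonce, expires, answer):
    msg = f"{nonce}|{expires}|{answer}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest().encode()

def issue_captcha(answer, now=None):
    """Token sent with the CAPTCHA image; the answer is only inside the MAC, never in page source."""
    expires = int((time.time() if now is None else now) + CAPTCHA_TTL)
    nonce = secrets.token_hex(8)
    return f"{nonce}|{expires}|{_mac(nonce, expires, answer).decode()}"

def captcha_ok(token, typed, now=None):
    try:
        nonce, expires, mac = token.split("|")
        expires = int(expires)
    except (AttributeError, ValueError):  # missing or malformed token
        return False
    now = time.time() if now is None else now
    if now > expires or nonce in _used:
        return False
    _used.add(nonce)  # burn on every attempt: no replay, no repeated guessing on one challenge
    return hmac.compare_digest(_mac(nonce, expires, typed), mac.encode())

def get_result(form):
    """Every field the page shows is enforced here, not in the browser."""
    if not captcha_ok(form.get("captcha_token"), form.get("captcha", "")):
        return 403, "captcha failed"
    record = STUDENTS.get(form.get("roll", ""))
    dob = form.get("dob", "")
    if record is None or not hmac.compare_digest(record[0].encode(), dob.encode()):
        return 403, "roll number / date of birth mismatch"
    return 200, record[1]
```

A request carrying only the roll number, an empty date of birth, or a reused token gets a 403 from this handler; per-client rate limiting would still be needed on top of it.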

Comments
  • 4
    I'll try to post the JavaScript function in the comments tomorrow
  • 0
    @SanitizedOutput we don't need to login to get our result but still it's damn frustrating that a university of this size is using this type of validation
    and regarding the legality matter no one gives a fuck about things on internet.. we can't literally DDoS the fuck out of government websites and no one bats an eye.. literally everyone I know uses pirated software.. even the university guys and 50 colleges under it use pirated Windows and other software in computer labs
    no one gives a fuck about legality
    and regarding the reporting to uni..
    this is hard to believe but the university wantedly fails its students to get money.. they don't give a fuck about the students..
    and moreover it's not a bug or vulnerability to report.. it's fucking dumb to use this type of JavaScript validation
  • 1
    Wtf? Like even without that vulnerability, it’s still stupid. I know the date of birth of lots of people, I could easily get their results. Universities are fucking stupid sometimes
  • 0
    @-vim- you don't even have to enter a date of birth.. you can leave the field empty and still get the results