From Challenge to Revelation: Getting Into My College Website and Accessing Student Data

From Challenge to Revelation: Hacking Into My College Website and Accessing Student Data

Introduction

Hello, everyone! In this article, I will share my intriguing journey of uncovering a critical vulnerability in my college's website, which granted me access to sensitive student data. My name is Aditya Sakhare, and it all began with a challenge presented by a friend who dared me to find the vulnerability into our college's website. Intrigued by the opportunity to put my cybersecurity skills to the test, I embarked on this venture. Our college maintains a comprehensive student portal that houses crucial information, including personal details and financial data. For the purpose of this article, I will refer to the targeted website as "victimTestcom". So, let's dive into the world of vulnerability testing as I recount my experiences. πŸš€

As I delved into the college website's structure, one particular feature captured my attention—the password reset function. It's important to note that such functions can often harbor vulnerabilities, making them prime targets for hackers seeking unauthorized access. Before we proceed, I would like to encourage all readers to stay vigilant and be aware of such potential weaknesses in websites they encounter. πŸ”’

Now, let's explore how this seemingly innocuous password reset functionality led me to uncover a major security flaw in the college's website.

  1. Step 1: Initiating a Password Reset Request

    To begin the process, I initiated a password reset request for an account that I owned within the college's student portal. By submitting the necessary details, such as the account username or email associated with it, I triggered the system to generate a password reset link.

  2. Step 2: OTP Verification

    Upon submitting the password reset request, the system prompted me to verify my identity using a One-Time Password (OTP) sent to the email address associated with my account. Accessing my email inbox, I retrieved the OTP and proceeded to the next step.

  3. Step 3: Setting a New Password

    After successfully entering the OTP, the system directed me to a page where I could set a new password for my account. Here, I entered the desired password and submitted the request.

  4. Step 4: Intercepting and Modifying the Request

    This critical step involved capturing the password reset request using a tool called Burp Suite Proxy. By configuring my browser to route traffic through the proxy, I intercepted the request sent to the server. Using Burp Suite, I modified the email parameter within the request, replacing it with the email address of the target victim.

  5. Step 5: Gaining Unauthorized Access

    With the request modified to contain the victim's email address, I submitted it through Burp Suite Proxy. The server, considering the request legitimate due to the modified parameters, updated the password for the victim's account to the one I had specified earlier. Consequently, I gained unauthorized access to the victim's account, obtaining control over their personal information and data stored within the student portal.

! Disclaimer !

It is crucial to note that this article is intended for educational purposes only and aims to shed light on the significance of robust security measures. Unethical or malicious activities, such as hacking without proper authorization, are strictly discouraged and illegal. Always ensure that you have the appropriate permissions and adhere to ethical guidelines when conducting any cybersecurity-related activities. ⚠️⛔

Author:

Branch: Information Technology

Stream of Specialization: Cyber Security and Ethical Hacking