How I Accessed Fee Records of My School Online

hacktivist
3 min read · Mar 23, 2020

Hello everyone. Hope you are all doing well. Today I am going to write about how I accessed all the fee records of my school without using any tool. All it required was a web browser and an internet connection. It is an authorization issue: my school imposed no security restriction on access to the online fee records, so anyone could read them without any hassle. My school uses the PayUMoney service to receive online fees.

Note: for obvious reasons, all identifiable information is hidden. So let’s get started.

How it all started

One day I was wandering around my school website, searching for various login pages using Google dorks, when a page caught my attention: online-fee-payment.aspx. Here you enter your admission number and it shows the current status of your fees.

If a fee is pending, clicking the ‘Make Payment’ option redirects you to the PayUMoney website. So what I did was take a range of admission numbers and supply them one by one in the input field. For example, I took admission numbers between 1000 and 1200 and accessed those students’ records.

[Screenshot: school name, logo and student names hidden for obvious reasons.]

Now what?

I took the manual pain of entering admission numbers in sequence to reach the fee records, but an attacker could write a script that requests the page for every admission number in the series and saves the retrieved output in a clear, readable format on their own machine.
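The flip side of that observation is that scripted enumeration leaves a very recognisable trace in the web server's access log: one client address walking through consecutive admission numbers in a short time. The detector below is an added example, not code from the original post or from the school's site. It assumes a constructed log format (ISO timestamp, client IP, method, path) and that the admission number is passed as an `adm` query parameter; both are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (not from the original post). Assumed format:
# ISO timestamp, client IP, method, path; the admission number is the `adm`
# query parameter. 203.0.113.5 walks through admission numbers in sequence,
# while 198.51.100.7 looks up a single number twice, as a parent normally would.
SAMPLE_LOG = """\
2020-03-22T10:00:01 203.0.113.5 GET /online-fee-payment.aspx?adm=1000
2020-03-22T10:00:03 203.0.113.5 GET /online-fee-payment.aspx?adm=1001
2020-03-22T10:00:04 203.0.113.5 GET /online-fee-payment.aspx?adm=1002
2020-03-22T10:00:06 203.0.113.5 GET /online-fee-payment.aspx?adm=1003
2020-03-22T10:00:07 203.0.113.5 GET /online-fee-payment.aspx?adm=1004
2020-03-22T10:00:09 203.0.113.5 GET /online-fee-payment.aspx?adm=1005
2020-03-22T10:05:00 198.51.100.7 GET /online-fee-payment.aspx?adm=1187
2020-03-22T10:30:00 198.51.100.7 GET /online-fee-payment.aspx?adm=1187
"""


def parse_line(line):
    """Split one log line into (timestamp, client ip, admission number)."""
    ts, ip, _method, path = line.split()
    adm = int(path.split("adm=", 1)[1])
    return datetime.fromisoformat(ts), ip, adm


def longest_consecutive_run(numbers):
    """Length of the longest run of consecutive integers in `numbers`."""
    present = set(numbers)
    best = 0
    for n in present:
        if n - 1 not in present:  # n is the start of a run
            length = 1
            while n + length in present:
                length += 1
            best = max(best, length)
    return best


def find_enumerators(log_text, window=timedelta(minutes=5), min_run=5):
    """Return {ip: sorted admission numbers} for every client that requested a
    run of at least `min_run` consecutive admission numbers inside any `window`."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, adm = parse_line(line)
            per_ip[ip].append((ts, adm))

    flagged = defaultdict(set)
    for ip, events in per_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            in_window = [adm for _, adm in events[start:end + 1]]
            if longest_consecutive_run(in_window) >= min_run:
                flagged[ip].update(in_window)
    return {ip: sorted(adms) for ip, adms in flagged.items()}


if __name__ == "__main__":
    for ip, adms in find_enumerators(SAMPLE_LOG).items():
        print(f"possible enumeration from {ip}: {adms[0]}..{adms[-1]} ({len(adms)} records)")
```

The check keys on consecutive identifiers rather than raw request volume, so a parent refreshing one record many times is not flagged while a sequential walk is. The thresholds (five consecutive numbers within five minutes) are arbitrary starting points; a school would tune them against its own traffic.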

How could they have fixed this issue?

  1. Use an up-to-date framework to manage user sessions.
  2. Impose a proper session timeout.
  3. Rotate the session ID after a successful login.
  4. Use multi-factor authentication (MFA).
  5. Temporarily block an IP that produces a high number of authentication errors in a brief period.
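The items above all concern the login and session layer, but the root problem on the fee page is that there was no object-level check at all: the page answered for any admission number, whoever asked. The following is an added example, not the school's code, written in Python rather than ASP.NET so that it runs on its own. It places the behaviour described in the post (`lookup_vulnerable`) beside a hardened `FeePortal` that requires a login, binds each session to one admission number and refuses to serve any other (the missing authorization check), rotates the session ID on login (item 3), expires sessions (item 2), and locks out an address after repeated failed logins (item 5). The student data, passwords and the `FeePortal` API are all constructed for the example; a real system stores password hashes, not plaintext, and MFA (item 4) is not shown.

```python
import secrets
import time

# Constructed sample data (not from the original post): admission number -> fee record.
FEE_RECORDS = {
    1000: {"name": "Student A", "pending": 0},
    1001: {"name": "Student B", "pending": 4500},
    1002: {"name": "Student C", "pending": 1200},
}
# Constructed credentials: admission number -> password. Illustrative only; a
# real portal stores salted password hashes, never plaintext.
CREDENTIALS = {1000: "pw-a", 1001: "pw-b", 1002: "pw-c"}


class AccessDenied(Exception):
    pass


def lookup_vulnerable(adm):
    """The behaviour the post describes: anyone who supplies an admission
    number gets the record. Nothing ties the request to the student."""
    return FEE_RECORDS.get(adm)


class FeePortal:
    """Hardened variant: records are served only to a session that was issued
    at login for that exact admission number, sessions expire, the session ID
    is rotated on login, and repeated login failures lock out the address."""

    def __init__(self, session_ttl=600, max_failures=5, lockout_seconds=300, clock=time.time):
        self.sessions = {}   # session id -> (admission number, issued_at)
        self.failures = {}   # client ip -> (failure count, first failure at)
        self.session_ttl = session_ttl
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock   # injectable for testing

    def _locked_out(self, ip):
        count, since = self.failures.get(ip, (0, 0))
        if count >= self.max_failures and self.clock() - since < self.lockout_seconds:
            return True
        if self.clock() - since >= self.lockout_seconds:
            self.failures.pop(ip, None)  # window elapsed, forget old failures
        return False

    def login(self, ip, adm, password, old_session=None):
        if self._locked_out(ip):
            raise AccessDenied("too many failed logins from this address")
        expected = CREDENTIALS.get(adm, "").encode()
        if not secrets.compare_digest(expected, password.encode()):
            count, since = self.failures.get(ip, (0, self.clock()))
            self.failures[ip] = (count + 1, since)
            raise AccessDenied("bad credentials")
        self.failures.pop(ip, None)
        # Rotate: any pre-login session ID is discarded, never upgraded.
        self.sessions.pop(old_session, None)
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = (adm, self.clock())
        return sid

    def lookup(self, sid, adm):
        entry = self.sessions.get(sid)
        if entry is None:
            raise AccessDenied("not logged in")
        owner, issued = entry
        if self.clock() - issued > self.session_ttl:
            del self.sessions[sid]
            raise AccessDenied("session expired")
        # The object-level check the fee page lacked: a session may only read
        # the record it was issued for, whatever number the client supplies.
        if owner != adm:
            raise AccessDenied("not your record")
        return FEE_RECORDS.get(adm)


def is_denied(action, *args):
    """True when `action(*args)` raises AccessDenied; used to exercise the checks."""
    try:
        action(*args)
        return False
    except AccessDenied:
        return True


if __name__ == "__main__":
    portal = FeePortal()
    sid = portal.login("203.0.113.5", 1001, "pw-b")
    print("own record:", portal.lookup(sid, 1001))
    print("another student's record denied:", is_denied(portal.lookup, sid, 1002))
    print("unauthenticated lookup still works on the old page:", lookup_vulnerable(1002))
```

Note that the authorization decision in `lookup` never trusts the admission number the client sends; it compares it with the number recorded at login. That single comparison is what turns a sequence of numbers in the input field from a data leak into a series of refusals.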

Closing note

This isn’t some “great hack”, but it was fun playing with the school website and discovering a high-severity vulnerability (Broken Authentication) in a short time.

For more information regarding the top 10 web application vulnerabilities, see here:

For guidance on the protection of personally identifiable information, see here:
