Showing posts from March, 2019

Awww!!! It's *Public* Service Commission.....

In this post, I'd like to talk about multiple issues I found on a website owned by Kerala Public Service Commission . The issues here are otp bypass to achieve IDOR. For those who don't know what's IDOR, quoting from OWASP " Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources in the system directly ". The site url is ``, which is a temporary site they've opened for the Aptitude Exam for engineering students. How the site works Students can register for the aptitude exam by providing following details :  College ID card number,  Mobile Number, Email, Name, Address, College Name, Desired Center Name and the photographs of themself, signature and id card. Question : This is for engineering students. What I'm doing there?