In this post, I'd like to talk about multiple issues I found on a website owned by Kerala Public Service Commission . The issues here are otp bypass to achieve IDOR. For those who don't know what's IDOR, quoting from OWASP " Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources in the system directly ". The site url is `https://mailer.psc.kerala.gov.in/KPSCAptitudeTest/home`, which is a temporary site they've opened for the Aptitude Exam for engineering students. How the site works Students can register for the aptitude exam by providing following details : College ID card number, Mobile Number, Email, Name, Address, College Name, Desired Center Name and the photographs of themself, signature and id card. Question : This is for engineering students. What I'm doing there?