Showing posts from March, 2019

Awww!!! It's *Public* Service Commission.....

In this post, I'd like to talk about multiple issues I found on a website owned by the Kerala Public Service Commission. The issue here is an OTP bypass used to achieve IDOR. For those who don't know what IDOR is, quoting from OWASP: "Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources in the system directly".

The site URL is ``; it is a temporary site they opened for the Aptitude Exam for engineering students.

How the site works

Students can register for the aptitude exam by providing the following details: College ID card number, Mobile Number, Email, Name, Address, College Name, Desired Center Name, and photographs of themselves, their signature and their ID card.

Question: This is for engineering students. What am I doing there?

We're everywhere. In this case,…