Hey guys, I am [REDACTED NAME] of B. Tech AIML [REDACTED REG NO.]. Today we got a message in our WhatsApp group that we can check our sessional marks online.
I’m chilling when our class WhatsApp group lights up with a message saying we can check our sessional marks online. Online? In 2025? [REDACTED COLLEGE] finally entering the digital age? I was hyped, like a kid unwrapping a shiny new toy.
Buckle up, because this backend, brought to you by the "geniuses" at [REDACTED COMPANY NAME], is a dumpster fire of code, security holes, and typos that’ll make you question humanity.
I fired up the URL: https://[REDACTED_DOMAIN]/InternalExam/internalExaminationMarks
The UI? Imagine a 90s Geocities page had a baby with a spreadsheet and forgot to teach it manners.
I entered my details, and that's where the story starts.
I noticed something glorious right away. The captcha? You can copy and paste it into the input field. Why even bother?
So we hit "Submit" and let the magic begin.
This function, LoadCheckIsValidData, takes a roll number and date of birth, sends them via AJAX, and checks if they're valid. Here are all the funny things I found:
- Typos: DatyeOFBirth, "Captche", "Does not Matched"
- Freezes the browser with synchronous requests
- Ignores AJAX/JSON parse errors
- Hardcoded URLs and logic
- Strange logic (like comparing .html() to .val())
- Bad variable names like param1, Data1
- debugger; left in production
Anyways, some people say “if it works don’t touch it” — sure, but it works badly.
This function fetches student details with no authentication. I ran it and got a response like:
{
  "Table": [
    {
      "StudentName": "[REDACTED]",
      "FatherName": "[REDACTED]",
      "ProgramName": "[REDACTED PROGRAM]",
      "Semester": "[REDACTED]",
      "DateOfBirth": "[REDACTED]"
    }
  ],
  "Table1": [
    {
      "TotalDues": 195625.00,
      "Balance": 195625.00
    }
  ]
}
Yup — name, DOB, father's name, program, fees — all out in the open.
Anyone with dev tools can just call this function with different reg numbers and extract full student details. This is a huge breach of privacy and could violate GDPR/CCPA/FERPA.
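The missing piece here is a server-side authorization check. The handler below is an added example, not the portal's code or the vendor's: it simulates the GetResultViewData endpoint with plain objects instead of a real web framework, uses constructed student records, and assumes a server-side session carrying admissionNo and role. It shows the trust-the-request version beside one that derives the record from the logged-in session.

```javascript
// Added example (not the portal's code): server-side authorization for a
// "get my marks" endpoint. The portal described above accepts any AdmissionNo
// with no session check, so changing the number returns someone else's record.
// Express-style req/res objects are simulated with plain objects so this runs
// under plain Node with no dependencies.

// Constructed sample data standing in for the portal's database (hypothetical).
const STUDENTS = {
  "1001": { StudentName: "Student A", FatherName: "Parent A", ProgramName: "B.Tech AIML" },
  "3500": { StudentName: "Student B", FatherName: "Parent B", ProgramName: "B.Tech CSE" },
};
const MARKS = {
  "1001": [{ SubjectName: "Computer Networks", MarksObtained: 7.0 }],
  "3500": [{ SubjectName: "Discrete Mathematics", MarksObtained: 15.0 }],
};

// Roles allowed to look up records other than their own. Assumption: a real
// system keeps this in the server-side session, never in the request body.
const STAFF_ROLES = new Set(["exam_cell", "admin"]);

// Vulnerable shape, kept for contrast: whatever ID the client sends is used.
function getResultViewDataInsecure(req) {
  const id = String(req.body.AdmissionNo);
  if (!STUDENTS[id]) return { status: 404, body: { error: "not found" } };
  return { status: 200, body: { Table: [STUDENTS[id]], Table1: MARKS[id] } };
}

// Hardened shape: the caller must be logged in, and the record returned is
// tied to the session. Only a staff user may name a different AdmissionNo.
function getResultViewDataSecure(req) {
  const session = req.session;
  if (!session || !session.admissionNo) {
    return { status: 401, body: { error: "login required" } };
  }
  const requested = req.body && req.body.AdmissionNo != null
    ? String(req.body.AdmissionNo)
    : session.admissionNo;
  const isSelf = requested === session.admissionNo;
  const isStaff = STAFF_ROLES.has(session.role);
  if (!isSelf && !isStaff) {
    // Refuse without revealing whether the other ID exists.
    return { status: 403, body: { error: "forbidden" } };
  }
  const student = STUDENTS[requested];
  if (!student) return { status: 404, body: { error: "not found" } };
  return { status: 200, body: { Table: [student], Table1: MARKS[requested] || [] } };
}

// Demonstration: student 1001 asks for student 3500's marks.
const demoReq = { session: { admissionNo: "1001", role: "student" }, body: { AdmissionNo: 3500 } };
console.log("insecure handler:", getResultViewDataInsecure(demoReq).status); // 200, leaks 3500
console.log("secure handler:  ", getResultViewDataSecure(demoReq).status);   // 403
```

The point of the secure version is that the identity comes from the session, not from a number the browser supplies; a staff role is the only path to someone else's record, and that role lives server-side too.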
This function is triggered next:
[
  {
    "EvaluationParameter": "SESSIONAL 1",
    "ExamType": 4
  },
  {
    "EvaluationParameter": "ASSIGNMENT",
    "ExamType": 5
  }
]
Yay GET request (finally!). But again, no authentication. Anyone can fetch anyone else’s marks by changing a number.
https://[REDACTED_DOMAIN]/InternalExam/LoadInternalExamResultView?AdmissionNo=XXXX&...
Then comes this endpoint:
https://[REDACTED_DOMAIN]/InternalExam/GetResultViewData?...
Sending a POST request with a student ID returns full marks data:
{
  "Table": [
    {
      "StudentName": "[REDACTED]",
      "FatherName": "[REDACTED]"
    }
  ],
  "Table1": [
    {
      "SubjectName": "Computer Networks",
      "MarksObtained": 7.00
    },
    {
      "SubjectName": "Design & Analysis of Algorithms",
      "MarksObtained": 12.00
    }
  ]
}
Then I tried with another ID (3500) and got another student's full info, like:
{
  "Table": [
    {
      "StudentName": "[REDACTED]",
      "FatherName": "[REDACTED]"
    }
  ],
  "Table1": [
    {
      "SubjectName": "Discrete Mathematics",
      "MarksObtained": 15.00
    }
  ]
}
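Even before the endpoint is fixed, the ID-walking the post describes leaves a clear footprint in the web server's logs: one client asking for many different AdmissionNo values in a short time. The detector below is an added example, not anything from the portal or its vendor; the log line format, field names and the sample lines are all constructed for the demonstration.

```javascript
// Added example (not from the post): flag clients that request marks for many
// distinct AdmissionNo values within a short window. A student checking their
// own result touches one ID; a script walking the ID space touches dozens.
// Log format is an assumption: "<ISO time> <ip> <method> <path> AdmissionNo=<n> <status>".

// Constructed sample log. 203.0.113.5 walks IDs 3490..3500 in 30 seconds;
// 198.51.100.7 refreshes its own result three times; 192.0.2.9 looks at two IDs.
const SAMPLE_LOG = [];
for (let i = 0; i <= 10; i++) {
  const sec = String(i * 3).padStart(2, "0");
  SAMPLE_LOG.push(`2025-03-10T10:00:${sec}Z 203.0.113.5 POST /InternalExam/GetResultViewData AdmissionNo=${3490 + i} 200`);
}
SAMPLE_LOG.push("2025-03-10T10:01:00Z 198.51.100.7 POST /InternalExam/GetResultViewData AdmissionNo=1001 200");
SAMPLE_LOG.push("2025-03-10T10:02:00Z 198.51.100.7 POST /InternalExam/GetResultViewData AdmissionNo=1001 200");
SAMPLE_LOG.push("2025-03-10T10:03:00Z 198.51.100.7 GET /InternalExam/LoadInternalExamResultView AdmissionNo=1001 200");
SAMPLE_LOG.push("2025-03-10T10:05:00Z 192.0.2.9 POST /InternalExam/GetResultViewData AdmissionNo=2200 200");
SAMPLE_LOG.push("2025-03-10T10:05:10Z 192.0.2.9 POST /InternalExam/GetResultViewData AdmissionNo=2201 200");

// Parse one line into an event, or null if it does not match the assumed format.
function parseLogLine(line) {
  const m = /^(\S+) (\S+) (GET|POST) (\S+) AdmissionNo=(\d+) (\d{3})$/.exec(line);
  if (!m) return null;
  return { ts: Date.parse(m[1]), ip: m[2], method: m[3], path: m[4], id: m[5], status: Number(m[6]) };
}

// For each client IP, find the window of `windowSeconds` holding the most
// distinct AdmissionNo values; report IPs at or above `threshold`.
function findEnumeration(lines, windowSeconds = 60, threshold = 5) {
  const byIp = new Map();
  for (const line of lines) {
    const e = parseLogLine(line);
    if (!e || !e.path.startsWith("/InternalExam/")) continue;
    if (!byIp.has(e.ip)) byIp.set(e.ip, []);
    byIp.get(e.ip).push(e);
  }
  const alerts = [];
  for (const [ip, events] of byIp) {
    events.sort((a, b) => a.ts - b.ts);
    let best = { count: 0, start: 0 };
    for (let i = 0; i < events.length; i++) {
      const ids = new Set();
      for (let j = i; j < events.length && events[j].ts - events[i].ts <= windowSeconds * 1000; j++) {
        ids.add(events[j].id);
      }
      if (ids.size > best.count) best = { count: ids.size, start: events[i].ts };
    }
    if (best.count >= threshold) {
      alerts.push({ ip, distinctIds: best.count, windowStart: new Date(best.start).toISOString() });
    }
  }
  return alerts;
}

console.log(findEnumeration(SAMPLE_LOG));
// One alert: { ip: '203.0.113.5', distinctIds: 11, windowStart: '2025-03-10T10:00:00.000Z' }
```

The threshold and window are tuning knobs; the distinct-ID count matters more than raw request volume, because a legitimate student reloading their own page produces many requests but only one AdmissionNo.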