Exposing Critical Vulnerabilities in CBSE's On-Screen Marking Portal
5 hours ago
- #vulnerabilities
- #cybersecurity
- #CBSE
- The author discovered critical vulnerabilities in CBSE's On-Screen Marking (OSM) portal, used for Class 12 board exam evaluations.
- Vulnerability 1: A hardcoded master password in the frontend JavaScript bundle allowed bypassing OTP and logging in as any examiner.
- Vulnerability 2: OTP validation was performed client-side, making it trivial to extract or bypass.
- Vulnerability 3: No route guards in the Angular app enabled direct navigation to internal pages without authentication.
- Vulnerability 4: The password change feature did not require the old password, allowing reset of any examiner's password.
- Vulnerability 5: Systemic IDOR across the API let attackers act as any user by manipulating browser storage values.
- These flaws combined enabled full account takeover, mark tampering, and disruption of the grading process.
- The vulnerabilities were reported to CERT-In but remained unpatched for a long time, prompting public disclosure.
- Key lesson: Client-side code cannot be trusted; secrets and security decisions must be enforced server-side.
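
The server-side enforcement the key lesson calls for, sketched as an added example (not code from the OSM portal or from the original write-up). All function names, the in-memory stores and the sample accounts are hypothetical; it covers the OTP check, identity taken from the session rather than from client-supplied values, and a password change that requires the current password.

```javascript
// Added example: hypothetical server-side handlers; names and data are constructed.
const crypto = require('node:crypto');

const users = new Map();    // userId -> { salt, hash }
const otps = new Map();     // userId -> { digest, expires, tries }
const sessions = new Map(); // token  -> userId (identity is held server-side)

const kdf = (pw, salt) => crypto.scryptSync(pw, salt, 32);
const sha = (s) => crypto.createHash('sha256').update(s).digest();
const same = (a, b) => a.length === b.length && crypto.timingSafeEqual(a, b);

function register(userId, password) {
  const salt = crypto.randomBytes(16);
  users.set(userId, { salt, hash: kdf(password, salt) });
}

// The OTP is generated and kept (as a digest) on the server and delivered
// out of band; it never appears in an API response or in the JS bundle.
function issueOtp(userId, now = Date.now()) {
  const otp = String(crypto.randomInt(0, 1000000)).padStart(6, '0');
  otps.set(userId, { digest: sha(otp), expires: now + 5 * 60_000, tries: 0 });
  return otp; // returned only so this sample can stand in for SMS/e-mail delivery
}

// The server decides whether the OTP matches: expiry, attempt limit,
// single use, and no master value that skips the check.
function login(userId, password, otp, now = Date.now()) {
  const u = users.get(userId), o = otps.get(userId);
  if (!u || !o || now > o.expires || ++o.tries > 5) return null;
  if (!same(kdf(password, u.salt), u.hash)) return null;
  if (!same(sha(String(otp)), o.digest)) return null;
  otps.delete(userId);
  const token = crypto.randomBytes(32).toString('hex');
  sessions.set(token, userId);
  return token;
}

// The acting user comes from the session token, not from an id the browser
// sends, and the current password is verified before it is replaced.
function changePassword(token, oldPw, newPw, claimedUserId) {
  const userId = sessions.get(token);
  if (!userId) return 'unauthenticated';
  if (claimedUserId !== undefined && claimedUserId !== userId) return 'forbidden';
  const u = users.get(userId);
  if (!same(kdf(oldPw, u.salt), u.hash)) return 'wrong-password';
  register(userId, newPw);
  return 'ok';
}
```

A production service would also rate-limit by source, persist sessions with expiry, and apply the same session-derived identity check on every API route, not only the password change.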