Hacking College Admissions
This one is a gem. The vulnerability was identified by a 17-year-old just BROWSING the website. And these geniuses tried to hide^W fix the mistake with 15 lines of JavaScript to be executed in the attacker's browser! It would be ridiculous and funny... if only it weren't so depressing... But let's look at the bright side: for a curious 17-year-old kid, breaking into institutional information systems is like a knife through butter. He doesn't use any advanced tool. Just a browser. And if he learned, others can learn too! ;-)

https://d4stiny.github.io/Hacking-College-Admissions/

Getting into college is one of the more stressful times of a high school student’s life. Since the admissions process can be quite subjective, students have to consider a variety of factors to convince the admissions officers that “they’re the one”. Some families do as much as they can to improve their chances - even going as far as trying to cheat the system. For wealthier families, this might be donating a very large amount to the school or, as we’ve heard in the news recently, bribing school officials.

If you don’t know about me already, I’m a 17-year-old high school senior that has an extreme interest in the information security field and was part of the college admissions process this year. Being part of the college admissions process made me interested in investigating, “Can you hack yourself into a school?”. In this article, I’ll be looking into TargetX, a “Student Lifecycle Solution for Higher Education” that serves several schools. All of this research was because of my genuine interest in security, not because I wanted to get into a school through malicious means.

[...]

After finding this vulnerability, I immediately reached out to WPI’s security team the same day to let them know about the vulnerabilities I found. They were very receptive and within a day they applied their first “patch”.

Whenever I tried accessing the backend panel, I would see my screen flash for a quick second and then a 404 message popped up. The flash had me interested; upon reading the source code of the page, I found all the data still there! I was very confused and diff’d the source code with an older copy I had saved.

[...]

What they were doing was stopping the page from loading and then replacing the HTML with a 404 error. I could just use NoScript, but I decided to create a simple userscript to disable their tiny “fix”.

Of course, if the vulnerability had not been completely patched yet, I did not want to bring any attention to it. I sent back an email appreciating their response and that I looked forward to their response. A week passed. I sent a follow-up email asking on the status of things. No response. I sent another follow-up the next week and this time I mentioned that I again was planning to publish. Radio silence. It has been about a week since I sent that email and because I have had no response from them, I decided to publish given that they had said they had patched the vulnerability and because I could not extract any more data.

Radio silence can only mean one thing: they realised that the vulnerabilities had been exploited in the past at several schools. Probably not just for fun. And not just by bright kids like this one.

Giacomo
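The client-side "patch" described in the quoted excerpt, contrasted with a real server-side authorization check, as an added example that is not part of the original post or of the systems it names (the record, the role name and the handler functions are constructed for illustration):

```javascript
// Added example (not from the original post, TargetX or WPI): why hiding a
// page in the visitor's browser is not access control. All names below are
// constructed for illustration.

// Constructed sensitive content that only staff should ever receive.
const APPLICANT_RECORDS =
  "<table><tr><td>applicant-001</td><td>GPA 3.9</td></tr></table>";

// Hypothetical role that is allowed to view the backend panel.
const REQUIRED_ROLE = "admissions_staff";

// "Before": the server always renders the records and, for an unauthorised
// session, appends a script that swaps the page for a 404 message once it
// runs. The records are still in the response; anyone reading the raw HTML
// (view-source, curl, or a userscript that blocks the script) gets them.
function renderPanelClientSideHiding(session) {
  const cover = session.role === REQUIRED_ROLE
    ? ""
    : "<script>document.body.innerHTML='<h1>404 Not Found</h1>';</script>";
  return {
    status: 200,
    body: `<html><body>${APPLICANT_RECORDS}${cover}</body></html>`,
  };
}

// "After": authorization is decided on the server before any data is
// serialised, so an unauthorised request never receives the records at all.
function renderPanelServerSideCheck(session) {
  if (session.role !== REQUIRED_ROLE) {
    return { status: 404, body: "<h1>404 Not Found</h1>" };
  }
  return {
    status: 200,
    body: `<html><body>${APPLICANT_RECORDS}</body></html>`,
  };
}

// Regression check a defender can run against raw responses: does the
// sensitive record appear anywhere in the bytes actually sent to the client?
function leaksRecords(response) {
  return response.body.includes("applicant-001");
}
```

Running `leaksRecords` over responses for an unauthorised session shows the first handler leaking (HTTP 200 with the data present) and the second not (HTTP 404 with no data).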
participants (1)
-
Giacomo Tesio