Security Flaws — PSEB Certification Program

Hello Guys, I’m writing this article to share with the community a vulnerability I found in PSEB’s IT Certification Program back in January 27th 2020. I reported it to them but didn’t receive any serious response from them. Since, the program has expired now so I’m publicly sharing the vulnerability.

If you have read my other articles, you’d know Parameter Tampering is one of my favorite attacks. It is very easy to exploit and do not require special setup of tools. The simplest definition of this vulnerability is:

Parameter Tampering is a type of vulnerability found in mostly eCommerce websites where an attacker can change the price and/or quantity of a placed order

Alright, so coming to our topic, PSEB launch an IT Certification Program for all IT Professionals. It consisted of different types of Certification for all areas of IT i.e. Development, DevOps, Quality Assurance Testing, Automation Testing and Penetration Testing. But there was a limit, One could not select more than two certifications.

All of the security certifications were pretty attractive. The list included:
1. Certified Ethical Hacker (CEH)
2. Certified Information Systems Security Professional (CISSP)
3. Certified Information Security Auditor (CISA)
4. Computer Hacking Forensics Investigator (CHFI) and a bunch of more certifications

Since I liked three of them, My devil mind told to bypass the quantity check. So I started tampering the parameters. (Though I don’t normally participate in Blackhat activities :P )

Unfortunately, I didn’t take the screenshots of HTTP Requests :|

On analyzing the form request, I found that every certification had a number assigned to it in the HTTP Request. Since, I choose CEH and CISA, the generated request had a parameter “Selected_Course” with value “16,17”.

First, I added another parameter with same name and different values (i.e. “Selected_Course=16,17&Selected_Course=12,13”)but it didn’t work. Then I attempted to tamper the parameter “Selected_Course” by making it an array (i.e. “Selected_Course=[16,17,12]). This didn’t work either. :|

I decided to test the simplest testcase by simply adding another number separated by comma. i.e. “Selected_Course=16,17,12”.

AND THIS WAS IT! I was able to add 3 certifications in my profile. Hurray! Mission Accomplished! In just 5 minutes, I was able to identify this vulnerability.

Figure 1: Bypassed Server Checks to select more than 2 certifications.

But later, I decided to report it instead of misusing it.

Figure 2: Vulnerability Disclosure to PSEB Team

I followed up with them twice but the assigned person didn’t respond so I decided to let it be.

CONCLUSION:

1. Always try even the simplest testcases even if you think they are too simple to be vulnerable.
2. Thinking INSIDE the box is also important xD
3. Keep pushing yourself to try new things.