Asset: https://admissions.highereduhry.ac.in
Vulnerability: Insecure Direct Object Reference (IDOR) / Broken Access Control
Severity: High
Reported to: incident@cert-in.org.in (June 2026)
Status: Awaiting response / Public disclosure via responsible report
NOTE
Hi team — quick heads-up from the “security gremlin under the desk” (aka an independent security researcher). I found a potential IDOR / Broken Access Control issue that could expose student-uploaded documents without login.
Executive Summary
During a review of the admissions portal, a condition was identified where student documents can be accessed directly via predictable URLs without any authentication or authorization checks.
This is a clear case of Insecure Direct Object Reference (IDOR) affecting the document storage and serving path.
Vulnerability Type
- Broken Access Control / IDOR
- Unauthenticated direct object access to user-uploaded files
Issue Description
Student-uploaded documents appear to be stored and served from a publicly reachable path. File locations incorporate predictable identifiers (such as a registration ID), allowing an unauthenticated party to access documents simply by guessing or enumerating IDs.
Observed URL Pattern (Redacted)
https://admissions.highereduhry.ac.in/Data/Student/<ACADEMIC_YEAR>/<REGISTRATION_ID>_<DOCUMENT_TYPE>_<N>.jpegCommon document types observed include:
- Secondary school certificate
- Senior secondary / diploma certificate
- Signature
- Photograph
- Residence / domicile certificates
- Other identity and academic documents
Proof of Concept (High-level)
- Obtain or guess a valid registration identifier (often visible in other parts of the application or through public lists).
- Construct the document URL using the predictable pattern shown above.
- Request the file directly using a browser or any HTTP client (no cookies or authentication headers required).
- The server returns the full document image without performing any authentication or authorization checks.
This behavior confirms that the document serving layer lacks proper access control enforcement.
Impact
If exploited, an attacker may be able to:
- Access sensitive student documents without logging in
- Enumerate registration IDs and bulk-download documents for large numbers of students
- Collect personally identifiable information (PII) from academic certificates, identity proofs, photographs, and signatures
- Perform large-scale automated scraping of student records
Why This Matters
These documents often contain:
- Full names, dates of birth, addresses
- Academic history and marks
- Government-issued certificate details
- Photographs and signatures (usable for identity fraud)
Exposure of this data violates student privacy and can lead to identity theft, harassment, or misuse of official documents.
Severity (Suggested)
High
Reasons:
- Direct exposure of sensitive identity and academic documents
- Affects potentially thousands of students
- Extremely low complexity (simple URL manipulation / enumeration)
- No authentication barrier
Recommended Remediation
Immediate Actions
- Block or restrict direct access to the
/Data/Student/path (or equivalent storage directory). - Remove or properly protect any backup / direct file serving endpoints.
Proper Fixes
- Require authentication for all document access.
- Implement server-side authorization checks — verify that the logged-in user (or authorized staff) is permitted to view the specific document.
- Serve files through a controlled handler instead of direct web paths. Example flow:
- Authenticated request → server checks permissions → streams file content with proper
Content-Dispositionheaders.
- Authenticated request → server checks permissions → streams file content with proper
- Replace predictable identifiers in filenames and paths with random, non-guessable tokens (e.g., UUIDs or cryptographically secure random strings).
- Add rate limiting and anomaly detection on document access endpoints to catch enumeration attempts.
- Consider migrating sensitive uploads to a private object storage bucket (with signed URLs or authenticated proxy).
Responsible Disclosure
This report was submitted in good faith to CERT-In (incident@cert-in.org.in) as part of responsible disclosure practices.
- Validation was limited to confirming the existence of the access control issue.
- No bulk data was collected or exfiltrated.
- The goal is to help the Higher Education Department of Haryana secure the portal and protect student data.
I remain available to assist with validation of any fixes or to provide additional technical details if required.
Reported by: Hacck3y (independent security researcher)
Contact: Available via this site or previous responsible disclosure channels
If you are a developer or administrator for this portal and need help implementing the fixes, feel free to reach out.
This write-up is published after responsible disclosure to CERT-In. The original report was sent via email on or around 8 June 2026.