Security Audit 2024

VAPT: Academic Information System

Comprehensive Black-box & Grey-box vulnerability assessment of a state educational institution's Moodle-based learning management system and supporting digital infrastructure.

Tags: Black-box, Grey-box, Penetration Testing, OSINT, Moodle LMS. Highest severity: CRITICAL (CVSS 9.8).
01

Executive Summary

A comprehensive Vulnerability Assessment and Penetration Testing (VAPT) engagement was conducted against a state educational institution's Moodle-based academic information system. The assessment combined Black-box testing (simulating an external attacker with zero prior knowledge) and Grey-box testing (with student-level credentials) to evaluate the security posture of the entire digital ecosystem.

The engagement revealed 19 vulnerabilities across the platform, including 3 CRITICAL findings that could allow complete system compromise. Two of them, the Mass Account Takeover chain (VAPT-001) and the SQL injection in the authentication endpoint (VAPT-005), received the near-maximum CVSS score of 9.8, which corresponds to network-reachable, unauthenticated exploitation with low attack complexity and full impact on confidentiality, integrity and availability.

Critical Finding: An unauthenticated attacker could take over any user account, including administrator accounts, by forging password reset links from a predictable token scheme combined with IDOR vulnerabilities; the only prerequisite was a valid email address for the target.
02

Vulnerability Severity Matrix

Severity   Count
CRITICAL   3
HIGH       5
MEDIUM     7
LOW        4

Total: 19 vulnerabilities identified across 14 days of active testing.

03

Key Findings

CRITICAL CVSS 9.8
VAPT-001

Mass Account Takeover via Predictable Password Reset

The application's password reset mechanism used a predictable token generation algorithm: each token was derived from the sequential user ID combined with a static server-side salt, so a given account always received the same token and the value contained no randomness. By observing the pattern across a handful of reset tokens, an attacker could forge valid reset links for arbitrary accounts, including administrator-level ones.

Attack Flow

1 Enumerate valid email addresses via registration form error messages
2 Trigger password reset for target account
3 Predict reset token using discovered algorithm pattern
4 Forge valid reset URL → Full account takeover

Impact

Complete compromise of any user account, including admin accounts managing academic records, grades, and student PII for 5,000+ registered users.
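To make the difference between the flawed scheme and a sound one concrete, here is an added example (written for this page, not code from the report or from Moodle). The weak token is an illustrative deterministic hash of the user id and a fixed salt, an assumption standing in for whatever derivation the assessed system actually used; the hardened ResetTokenStore is the shape a reset flow should take: a token from the OS CSPRNG, only its hash kept server-side, bound to one user, time-limited and consumed on first use. The salt value, user ids and clock are constructed.

```python
import hashlib
import secrets
import time

# Illustrative weak scheme (an assumption, not the report's exact algorithm):
# token = H(user_id || static_salt). The same user always gets the same token,
# so anyone who reconstructs the derivation can mint a reset link for any account.
STATIC_SALT = "lms-reset-salt-2024"  # constructed value


def weak_reset_token(user_id: int) -> str:
    """Predictable token: no randomness, no expiry, no binding to a request."""
    return hashlib.sha256(f"{user_id}:{STATIC_SALT}".encode()).hexdigest()


class ResetTokenStore:
    """Hardened issuance: unpredictable token, only its hash stored server-side,
    bound to one user, time-limited and single-use."""

    TTL_SECONDS = 30 * 60

    def __init__(self, now=time.time):
        self._now = now        # injectable clock so expiry can be exercised offline
        self._pending = {}     # sha256(token) -> (user_id, expires_at)

    @staticmethod
    def _fingerprint(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: int) -> str:
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._pending[self._fingerprint(token)] = (user_id, self._now() + self.TTL_SECONDS)
        return token   # goes into the e-mailed link; the plaintext is never stored

    def redeem(self, user_id: int, token: str) -> bool:
        # pop() consumes the entry on any attempt, so a token is single-use even
        # when the attempt fails on user binding or expiry.
        entry = self._pending.pop(self._fingerprint(token), None)
        if entry is None:
            return False
        bound_user, expires_at = entry
        return bound_user == user_id and self._now() <= expires_at


def demo() -> dict:
    """Exercise both schemes; every value should be True."""
    attacker_guess = weak_reset_token(1)        # attacker recomputes the admin's token
    store = ResetTokenStore()
    t1, t2 = store.issue(1), store.issue(1)     # two requests for the same user
    return {
        "weak_token_reproducible": attacker_guess == weak_reset_token(1),
        "hardened_tokens_differ": t1 != t2,
        "first_use_ok": store.redeem(1, t1),
        "reuse_rejected": not store.redeem(1, t1),
        "wrong_user_rejected": not store.redeem(2, t2),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Storing only the hash of the token matters in this engagement specifically: a database read obtained through the SQL injection in VAPT-005 would otherwise hand the attacker every outstanding reset token in plaintext.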

CRITICAL CVSS 9.1
VAPT-002

Privilege Escalation via Insecure Role Assignment

Authenticated users with the lowest privilege level (student) could escalate to administrator role by manipulating the role parameter in the profile update API endpoint. The server-side validation only checked for session validity but did not enforce role-based access control on the role assignment itself.

Impact

Any authenticated student could grant themselves administrator access, enabling modification of grades, course materials, and system configuration.

HIGH CVSS 8.6
VAPT-003

Stored XSS in Course Discussion Forum

The Moodle discussion forum failed to sanitize HTML input in post bodies, allowing injection of persistent JavaScript payloads. A crafted post could execute arbitrary scripts in the context of any user viewing the forum thread, enabling session hijacking via cookie theft.

Impact

Session hijacking of faculty and admin accounts, defacement of course pages, phishing overlay injection targeting 5,000+ active users.

HIGH CVSS 7.5
VAPT-004

Insecure Direct Object Reference (IDOR) in Grade API

The grade retrieval API endpoint used sequential, guessable student IDs without proper authorization checks. Any authenticated user could enumerate and access grade records of other students by iterating over the student ID parameter.

Impact

Mass extraction of academic records and personally identifiable information for the entire student body.
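VAPT-002 and VAPT-004 are the same class of defect seen from two angles: the server trusts a client-supplied value (a role field, a student id) without asking whether this caller is allowed to act on it. The following added example, written for this page and not code from the report or from Moodle, models both. The role names, user records, course code and grade values are constructed; the vulnerable and fixed handlers sit side by side so the difference is the authorization check alone.

```python
from dataclasses import dataclass

# Constructed role model, not Moodle's capability system.
ROLE_RANK = {"student": 0, "teacher": 1, "admin": 2}


@dataclass
class User:
    id: int
    email: str
    role: str


class GradeBook:
    PROFILE_FIELDS = {"email"}   # the only attributes a user may change about themselves

    def __init__(self):
        self.users: dict[int, User] = {}
        self.grades: dict[int, dict[str, int]] = {}      # student_id -> {course: grade}
        self.course_teachers: dict[str, set[int]] = {}   # course -> ids of its teachers

    # ---- VAPT-002 pattern: role accepted from the client (mass assignment) ----
    def update_profile_vulnerable(self, session_user_id: int, payload: dict) -> User:
        user = self.users[session_user_id]
        for field_name, value in payload.items():   # "role" is written like any field
            setattr(user, field_name, value)
        return user

    def update_profile_fixed(self, session_user_id: int, payload: dict) -> User:
        unexpected = set(payload) - self.PROFILE_FIELDS
        if unexpected:
            raise PermissionError(f"not editable via profile: {sorted(unexpected)}")
        user = self.users[session_user_id]
        for field_name, value in payload.items():
            setattr(user, field_name, value)
        return user

    def set_role(self, actor_id: int, target_id: int, role: str) -> None:
        """Role changes are a separate operation with their own authorization."""
        if self.users[actor_id].role != "admin":
            raise PermissionError("only administrators assign roles")
        if role not in ROLE_RANK:
            raise ValueError(role)
        self.users[target_id].role = role

    # ---- VAPT-004 pattern: object id trusted without an ownership check ----
    def get_grade_vulnerable(self, session_user_id: int, student_id: int, course: str) -> int:
        return self.grades[student_id][course]   # session checked upstream, nothing else

    def get_grade_fixed(self, session_user_id: int, student_id: int, course: str) -> int:
        requester = self.users[session_user_id]
        own_record = requester.id == student_id
        teaches_course = (requester.role == "teacher"
                          and requester.id in self.course_teachers.get(course, set()))
        if not (own_record or teaches_course or requester.role == "admin"):
            raise PermissionError("not authorised for this grade record")
        return self.grades[student_id][course]


def build_sample() -> GradeBook:
    """Constructed data: one admin, one teacher of CS101, two students."""
    gb = GradeBook()
    for uid, email, role in [(1, "admin@example.edu", "admin"),
                             (2, "prof@example.edu", "teacher"),
                             (3, "alice@example.edu", "student"),
                             (4, "bob@example.edu", "student")]:
        gb.users[uid] = User(uid, email, role)
    gb.grades = {3: {"CS101": 88}, 4: {"CS101": 71}}
    gb.course_teachers = {"CS101": {2}}
    return gb


def enumerate_grades(gb: GradeBook, session_user_id: int, course: str, getter) -> dict:
    """Walk sequential ids the way the IDOR was exploited; keep what the getter allows."""
    found = {}
    for sid in range(1, max(gb.users) + 1):
        try:
            found[sid] = getter(session_user_id, sid, course)
        except (PermissionError, KeyError):
            continue
    return found


if __name__ == "__main__":
    gb = build_sample()
    print("bob via vulnerable API:", enumerate_grades(gb, 4, "CS101", gb.get_grade_vulnerable))
    print("bob via fixed API:     ", enumerate_grades(gb, 4, "CS101", gb.get_grade_fixed))
```

The two fixes share one principle: the identity used for the decision comes from the session, and the thing being authorized (a field, a record) is compared against what that identity may touch, never against what the request claims.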

CRITICAL CVSS 9.8
VAPT-005

SQL Injection in Authentication Endpoint

The legacy login handler (a custom authentication plugin) concatenated user-supplied input directly into SQL queries without parameterization. This allowed extraction of the entire user database, including password hashes, through blind SQL injection techniques.

Impact

Full database extraction including credentials, PII, and academic records. Potential for Remote Code Execution via SQL-to-OS command chaining.
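The following added example (written for this page; not the plugin's code, which the report does not reproduce, and Python rather than PHP so that it runs offline) shows the concatenation defect, a boolean-based blind extraction of a password hash through it, and the parameterized query that closes it. The table layout, user records and passwords are constructed; the hashing is plain SHA-256 for brevity, not a password-hashing scheme.

```python
import hashlib
import sqlite3


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    """Constructed in-memory user table standing in for the LMS user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
                 "password_hash TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        (1, "admin", sha256_hex("correct horse"), 1),
        (2, "student01", sha256_hex("hunter2"), 0),
    ])
    return conn


def login_vulnerable(conn, username: str, password: str):
    """The legacy handler's pattern: user input spliced into the SQL text."""
    sql = (f"SELECT id FROM users WHERE username = '{username}' "
           f"AND password_hash = '{sha256_hex(password)}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(conn, username: str, password: str):
    """Parameterized: the driver sends values separately, never as SQL syntax."""
    row = conn.execute("SELECT id FROM users WHERE username = ? AND password_hash = ?",
                       (username, sha256_hex(password))).fetchone()
    return row[0] if row else None


HEX = "0123456789abcdef"


def blind_extract_hash(conn, target_user: str, length: int = 64) -> str:
    """Boolean-based blind extraction: the only oracle is 'login succeeded or not'.
    Each probe asks whether one character of the target's hash equals a guess."""
    recovered = ""
    for pos in range(1, length + 1):
        for ch in HEX:
            # The trailing comment discards the password_hash clause entirely.
            probe = f"{target_user}' AND substr(password_hash, {pos}, 1) = '{ch}' --"
            if login_vulnerable(conn, probe, "irrelevant") is not None:
                recovered += ch
                break
        else:
            break   # no character matched: stop rather than emit garbage
    return recovered


if __name__ == "__main__":
    db = build_db()
    print("bypass as admin:", login_vulnerable(db, "admin' --", "wrong"))
    print("same input, fixed handler:", login_fixed(db, "admin' --", "wrong"))
    print("admin hash via blind SQLi:", blind_extract_hash(db, "admin"))
```

Sixteen candidate characters per position means the whole 64-character hash costs at most 1,024 requests; against a real endpoint that is minutes of traffic, which is why the finding carries the same 9.8 score as the account takeover chain even though it leaks nothing directly in responses.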

04

Methodology

The engagement followed a structured four-phase approach aligned with the Penetration Testing Execution Standard (PTES):

01

Reconnaissance

OSINT gathering, subdomain enumeration, technology fingerprinting (Wappalyzer, WhatWeb), employee email harvesting, and network topology mapping.

02

Scanning & Analysis

Port scanning (Nmap), vulnerability scanning (Nikto, OWASP ZAP), directory brute-forcing (Dirb), and manual source-code review of client-side JavaScript.

03

Exploitation

Manual exploitation of identified vulnerabilities: SQL injection, XSS payload crafting, IDOR enumeration, privilege escalation testing, and authentication bypass attempts.

04

Reporting & Remediation

Detailed vulnerability documentation with CVSS v3.1 scoring, proof-of-concept demonstrations, remediation recommendations, and post-fix verification testing.

05

Remediation & Outcome

All critical and high-severity findings were communicated to the institution's IT team through a structured responsible disclosure process. A 30-day remediation window was provided.

ID         Vulnerability             Severity   Before        After
VAPT-001   Mass Account Takeover     CRITICAL   Exploitable   Fixed
VAPT-002   Privilege Escalation      CRITICAL   Exploitable   Fixed
VAPT-003   Stored XSS                HIGH       Exploitable   Fixed
VAPT-004   IDOR / Grade API          HIGH       Exploitable   Fixed
VAPT-005   SQL Injection             CRITICAL   Exploitable   Fixed

Outcome: All 3 CRITICAL and 5 HIGH severity vulnerabilities were remediated within the 30-day window. Post-remediation verification confirmed that all identified attack vectors were effectively mitigated.