How I “HACKED” my college site
Hello readers, I am Aditya, a second-year student at Madhav Institute of Technology and Science, Gwalior. This is the story of how I found a bug in my college site. The bug I found is a DoS attack, which has already been fixed by the respective developer team. With this bug, a hacker could make the site unresponsive for hours.
Let's start with a basic understanding of the bug. In a DoS attack, one can overload the server by simultaneously sending multiple requests to it, which leads to a 5xx database connection error.
THE EFFECTS OF BUG
One could make the site's server slow or even take it down, even while an exam is going on. Sometimes you may also have seen that it is the last date for an assignment and the Moodle is not working. That thing was (!) not done by me 😂.
THE BUG
Hacking my college site is one of the things I had always wanted to do, so I looked for major bugs such as SQLi, XSS and some kinds of logic bugs, but found nothing. Then I thought about some kind of attack that could flood the server and lead to DoS. So I searched for any parameter that I could brute-force while sending multiple requests at the same time. There is an attendance function where one can see whether his/her attendance is marked or not, and it has a parameter ‘ID’. I brute-forced that parameter at approx. 200 requests per second with a delay time of 10 milliseconds. With this configuration, within a few seconds and approx. 500 requests, the server got flooded with these requests and showed the following error
What is the risk level of this bug?
This is a priority II [PII] bug, which means it is quite critical. For instance, if exams are going on and a hacker performs this attack, students might not be able to give the exam, which may lead to chaos for the respective faculty and the college site administrator.
Mitigation used to fix the bug:
The developer team already fixed the bug by implementing strict rules in the firewall. Now, if someone continuously tries to send multiple requests for some specific time, the firewall senses that it is a hacker and temporarily blocks that user.
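A small model of the blocking rule described above, added here as an example; it is not the college's firewall configuration. The names `TempBanLimiter` and `replay`, the thresholds (20 requests per second, 5-minute block) and the sample client addresses are all assumptions made up for the illustration.

```python
from collections import defaultdict, deque

class TempBanLimiter:
    """Sliding-window limiter that temporarily blocks a noisy client."""

    def __init__(self, max_requests=20, window_s=1.0, ban_s=300.0):
        # All three thresholds are assumed values, not the real firewall's.
        self.max_requests = max_requests
        self.window_s = window_s
        self.ban_s = ban_s
        self.hits = defaultdict(deque)   # client -> timestamps inside window
        self.banned_until = {}           # client -> time the block expires

    def allow(self, client, now):
        """Return True if the request at time `now` (seconds) may pass."""
        until = self.banned_until.get(client)
        if until is not None:
            if now < until:
                return False             # still blocked: never reaches the app/DB
            del self.banned_until[client]
        q = self.hits[client]
        while q and now - q[0] >= self.window_s:
            q.popleft()                  # forget hits older than the window
        q.append(now)
        if len(q) > self.max_requests:
            self.banned_until[client] = now + self.ban_s
            q.clear()
            return False
        return True

def replay(limiter, events):
    """Feed (client, timestamp) pairs; return per-client allowed counts."""
    allowed = defaultdict(int)
    for client, ts in events:
        if limiter.allow(client, ts):
            allowed[client] += 1
    return dict(allowed)

# Constructed traffic: one client sending 500 requests 10 ms apart (the
# pattern the post describes) and one student checking attendance every 5 s.
FLOOD = [("203.0.113.7", i * 0.010) for i in range(500)]
NORMAL = [("198.51.100.20", i * 5.0) for i in range(10)]
EVENTS = sorted(FLOOD + NORMAL, key=lambda e: e[1])

if __name__ == "__main__":
    print(replay(TempBanLimiter(), EVENTS))
```

With these assumed thresholds, only the first 20 of the 500 flood requests get through, while the ordinary client is never affected.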
Timeline:
Bug found: 28 Feb 2022
Bug reported: 2nd March
Bug fixed: 4th March
THANKS FOR READING and COMMENT YOUR SUGGESTIONS 😀