Digicampus Vulnerability - Shoolini University

Privilege Escalation via 'localStorage' Manipulation

Project Name: Privilege Escalation via 'localStorage' Manipulation

Project Type: Ethical Hacking Project - Cybersecurity Vulnerability Research

Role: Student/Security Researcher

Related Organization: Independent Research on Shoolini University's DigiCampus

Time Period: October 2024 - December 2024

Project Description

Identified and analyzed a critical privilege escalation vulnerability in the Shoolini University DigiCampus platform. The issue allowed users to manipulate `localStorage` entries in the browser to gain unauthorized access to faculty-level privileges. This vulnerability posed a significant security risk, exposing sensitive student records, grading systems, and administrative tools.

Relevant Responsibilities, Contributions, and Achievements

Technologies Involved: Web Security, JavaScript, Penetration Testing, `localStorage` Exploitation, Secure Authentication

Outcome

The vulnerability was successfully identified and reported, leading to its remediation in December 2024. The research emphasized the importance of server-side role validation and secure authentication mechanisms, contributing to a more secure DigiCampus platform.

Project in 2 Short ATS Measurable Points for Display on Web

Project in 1 Short Line for One-Page Resume

Identified and reported a privilege escalation vulnerability, leading to a security fix that enhanced access control measures.

Privilege Escalation via 'localStorage' Manipulation

1. Report Timeline

  • Reported: October 11, 2024
  • Fixed: December 2024
  • Status: Patched

2. Executive Summary

This report details a privilege escalation vulnerability in the Shoolini University DigiCampus platform. The vulnerability allowed unauthorized modification of localStorage values to escalate user privileges from student to faculty, resulting in unauthorized access to sensitive resources like student records, faculty tools, and grading systems.

3. Scope

  • Target: Shoolini University DigiCampus
  • Test Permission: Granted by the Faculty
  • Focus: Identifying privilege escalation and unauthorized access risks

4. Vulnerability Description

  • Vulnerability Type: Privilege Escalation
  • Attack Vector: localStorage Manipulation

Steps to Exploit

  1. Log in as a student using valid credentials.
  2. Open browser Developer Tools → Inspect localStorage.
  3. Modify the values of the `faculty`, `student`, and `usertype` keys.
  4. Refresh the page → User now has faculty-level access.

Impact

  • Unauthorized Access: Students can gain faculty permissions.
  • Data Breach: Access to grades, student records, administrative tools.
  • System Misuse: Unauthorized users could modify grades, disrupt operations.

5. Root Cause & Vulnerability Analysis

  • Root Cause: Client-side trust issue → Server relies on localStorage for access control.
  • Exploitation Potential: High (trivial to execute).
  • Severity: Critical

Potential Exploits

  1. Role Escalation → Gain admin-level control.
  2. Data Theft → Access and alter sensitive information.
  3. Operational Disruption → Unauthorized modifications to university systems.

6. Recommended Fixes

Short-Term Fixes (Immediate Action Required)

✅ Move Role Validation Server-Side → Never trust client-side role storage.
✅ Invalidate Modified Tokens → Reject tampered sessions.
✅ Use Secure Cookies → Store session data in HTTP-only cookies.

Long-Term Fixes (Strategic Improvements)

🔒 Implement JWT Tokens → Server-validated, signed session tokens.
🔒 Encrypt & Integrity-Check Local Storage Data (if needed).
🔒 Conduct Regular Security Audits & developer training.

7. Conclusion

The Shoolini University DigiCampus platform suffered from a severe privilege escalation flaw. Students could gain unauthorized faculty access by modifying localStorage data. The issue was resolved, but such security gaps highlight the need for better access control mechanisms, encryption, and server-side validation to prevent future breaches.

8. References