How a Training Platform’s Weak Credentials Exposed Medium‑Risk Vulnerabilities
The author walks through a penetration test of a corporate training platform, capturing plaintext login traffic, extracting captchas, enumerating user accounts, discovering shared passwords, and fuzzing a course‑id parameter that reveals absolute file paths, ultimately identifying only medium‑severity issues.
Introduction: The target is a corporate training platform whose login page appears as a simple username/password form.
Step 1 – Traffic capture: By intercepting the login request, the author observes that credentials are transmitted in clear text. An attempt at SQL injection is blocked by a WAF, prompting a different approach.
Step 2 – Captcha extraction: A script is written to retrieve the captcha image and enumerate possible user accounts.
Step 3 – User enumeration: Exporting the results from the Intruder module yields more than ten usernames. Three password‑guessing strategies are considered: (1) different users share a common password, (2) usernames and passwords are identical, (3) passwords are user‑set.
Step 4 – Credential testing: A brute‑force of common passwords against all accounts fails. Trying identical username/password pairs succeeds; several accounts log in without further effort.
Step 5 – Post‑login probing: The author checks CRUD endpoints, starting with the course query API. The response includes an absolute file path, indicating a potential unauthorized file disclosure. The courseId parameter controls which file is returned.
Step 6 – Fuzzing courseId: By fuzzing the parameter the author extracts multiple files and verifies they can be accessed directly.
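One way to handle courseId on the server so that the disclosure described in Steps 5 and 6 cannot occur, as an added example that is not code from the original article or from the tested platform. The course table, enrolment map, root directory and all function names are constructed assumptions.

```python
from pathlib import Path

# Constructed sample data (assumptions, not taken from the article).
COURSE_ROOT = Path("/srv/training/courses")
COURSES = {101: "onboarding/intro.pdf", 102: "security/awareness.pdf"}
ENROLMENTS = {"alice": {101}, "bob": {101, 102}}


class CourseError(Exception):
    """Carries a status code and a generic, client-safe message."""

    def __init__(self, status, message):
        super().__init__(message)
        self.status = status


def resolve_course_file(user, course_id_raw):
    """Map a request's courseId to an on-disk path; for server-side use only."""
    # 1. Strict parsing: only a short ASCII decimal string is a valid courseId.
    if not (isinstance(course_id_raw, str) and course_id_raw.isascii()
            and course_id_raw.isdigit() and len(course_id_raw) <= 9):
        raise CourseError(400, "invalid course id")
    course_id = int(course_id_raw)
    # 2. Authorisation: "does not exist" and "not enrolled" give the same
    #    answer, so fuzzing the parameter does not reveal which ids are real.
    if course_id not in COURSES or course_id not in ENROLMENTS.get(user, set()):
        raise CourseError(404, "course not found")
    # 3. The path comes from the server-side table, never from the request,
    #    and must still resolve to a location under the course root.
    root = COURSE_ROOT.resolve()
    path = (root / COURSES[course_id]).resolve()
    if not path.is_relative_to(root):
        raise CourseError(404, "course not found")
    return path


def course_query_response(user, course_id_raw):
    """Build the API response without exposing the filesystem layout."""
    try:
        path = resolve_course_file(user, course_id_raw)
    except CourseError as err:
        return {"status": err.status, "error": str(err)}
    # Only the file name is returned; the absolute path stays on the server.
    return {"status": 200, "courseId": int(course_id_raw), "file": path.name}
```
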
Conclusion: The investigation uncovers only medium‑severity issues—clear‑text credential transmission, shared passwords, and path disclosure—without higher‑risk vulnerabilities.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
Black & White Path
