How I Uncovered Multiple Vulnerabilities in My Alma Mater’s Campus App

The article details an authorized penetration test of a university campus app, revealing sensitive data leakage, horizontal and vertical privilege escalation, face‑photo tampering, and a stored XSS flaw, each demonstrated step‑by‑step with packet captures and screenshots.

Black & White Path

After receiving permission from the university, the author joined a campus-network penetration test and focused on the school-provided mobile app. Initial information gathering consisted of intercepting the app's HTTP traffic while refreshing its home page.

Sensitive information leakage: The request that renders the home page carries a userId value that the author was able to enumerate. Traversing these IDs exposed roughly 19,000 records containing student numbers, majors, dormitory assignments, and facial images, data that could be used in further attacks.

Sensitive data capture

Horizontal privilege escalation: Testing showed that IDs 1-14590 belong to students and 14590-15000 to teachers. By changing the userId in the intercepted request, the tester could view any other user's complete profile, including travel records, facial data, dormitory number, class, and name.

User ID modification

Vertical privilege escalation: Using the previously obtained admin-level credentials, the author changed the persontype field and reached a hidden attendance-rescheduling interface, which exposed system functions not intended for regular users.

Attendance reschedule interface

Face-photo tampering: The author captured a login request, replaced the Authorization header, changed the userId to that of another account, and submitted a new base64-encoded image. Once the modified packet was sent, the target account's profile picture changed.

Modified face photo
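The three access-control flaws above (profile read by userId, photo write by userId, role switch via persontype) share one root cause: the server trusts identity and role fields supplied by the client. The Python sketch below is an added example, not code from the app or the article, showing the server-side checks that close them; the account table, the bearer tokens and the endpoint shapes are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample backend state for this example (not the real app's data).
ACCOUNTS = {
    1001: {"name": "Student A", "role": "student", "dorm": "B-214", "face_b64": "AAA="},
    1002: {"name": "Student B", "role": "student", "dorm": "C-101", "face_b64": "BBB="},
    14601: {"name": "Teacher T", "role": "teacher", "dorm": None, "face_b64": "CCC="},
}
TOKENS = {"tok-student-a": 1001, "tok-student-b": 1002, "tok-teacher-t": 14601}
FORBIDDEN = (403, {"error": "forbidden"})  # same answer for unknown, foreign and unauthenticated

@dataclass(frozen=True)
class Session:
    user_id: int
    role: str  # looked up server-side; a client-supplied "persontype" field is never read

def resolve_session(auth_header: str):
    """The Authorization header is the only source of identity and role."""
    scheme, _, token = auth_header.partition(" ")
    user_id = TOKENS.get(token) if scheme == "Bearer" else None
    return None if user_id is None else Session(user_id, ACCOUNTS[user_id]["role"])

def owns(session, target_id: int) -> bool:
    """Object-level rule: a user may read or change only their own profile."""
    return session is not None and target_id in ACCOUNTS and session.user_id == target_id

def get_profile(auth_header: str, target_id: int):
    """GET profile: the userId parameter is checked against the session owner."""
    session = resolve_session(auth_header)
    if not owns(session, target_id):
        return FORBIDDEN
    profile = ACCOUNTS[target_id]
    return 200, {"name": profile["name"], "dorm": profile["dorm"]}

def update_face_photo(auth_header: str, body: dict):
    """POST photo: a userId in the body other than the caller's own is refused."""
    session = resolve_session(auth_header)
    if not owns(session, body.get("userId", -1)):
        return FORBIDDEN
    ACCOUNTS[session.user_id]["face_b64"] = body["photo"]
    return 200, {"updated": session.user_id}

def reschedule_attendance(auth_header: str, body: dict):
    """Staff-only function: the role comes from the session, not body['persontype']."""
    session = resolve_session(auth_header)
    if session is None or session.role not in ("teacher", "admin"):
        return FORBIDDEN
    return 200, {"rescheduled_by": session.user_id}
```

Returning the same 403 for a foreign id and a non-existent id also removes the status-code oracle that makes id enumeration cheap.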

Stored XSS: While exploring the attendance-reschedule feature, the tester found a file-upload endpoint. Uploading an SVG file (filename ending in .svg) with embedded script code returned a URL containing a token; opening that URL through the web portal executed the script, confirming a stored XSS vulnerability.

Stored XSS proof

All identified vulnerabilities were reported and patched before the article was published.

Tags: privilege escalation, penetration testing, mobile app security, stored XSS, vulnerability disclosure, information leakage
Written by

Black & White Path

We are the beacon of the cyber world, a stepping stone on the road to security.
