reported to CERT-IN
A months-long reverse-engineering project against a CBSE assessment platform — full-chain analysis across authentication, authorization, credential handling, and inter-service trust.
reported
A full-surface assessment of a Delhi Public School learning portal — broken access control at every layer, a question bank that could be cheated with two API calls, and a blind NoSQL injection that turned a password reset flow into a deterministic account takeover requiring nothing but an email address.