After laughing for a few minutes, I realised I had probably found something that would keep my ADD brain occupied for the next few hours. So I turned up the music, opened a can of diet coke, and messaged @dufferzafar, the other ‘man’ in meninthemiddle:

After a bit of our usual banter, we weighed the situation: It was the 4th of March, and results would be announced on the 17th. On top of that, ~30k people had already checked their scores (and probably didn’t keep checking them whenever they were bored, like me), so time was of the essence. Clearly there was no validation of the URL, so gaming this was easy. Plus, we had done worse things to bigger organisations earlier. So in total, there was a slight chance we could create a splash. Good enough for us, we decided.

And so we got to work. @dufferzafar seemed more interested in seeing if we could create a malicious HTML page that would somehow mess up their parsing and maybe even end up giving us access to the DB (it might sound like a long shot, but such things have been known to happen). I wanted to go for the ‘easier’ option: messing with the GATE predictor database directly. It was fairly easy too: the site saves student responses for its rank/score prediction, so all I had to do was mock up a fake ‘responses’ page, host it on a server, and check my rank using this page. Voila! If things worked like I hoped they would, I would at this point have successfully inserted a fake record in the DB.
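The missing check mentioned above ("no validation of the URL"), as an added example that is not from the original post or the predictor site's code: a server-side allowlist test applied to the submitted response-sheet URL before anything is fetched or parsed. The host name in `ALLOWED_HOSTS` is a placeholder assumption, since the post does not name the official host, and the sample URLs in the comments are constructed.

```python
from urllib.parse import urlsplit

# Assumption: the exam body serves response sheets from exactly this host.
# Placeholder value; the original post does not name the real one.
ALLOWED_HOSTS = {"responses.exam-authority.example"}


def is_official_response_url(url: str) -> bool:
    """Return True only for an https URL on an allowlisted host."""
    # Whitespace, control characters and backslashes are parsed differently
    # by different URL libraries, so reject them before parsing.
    if any(c.isspace() or ord(c) < 0x20 or c == "\\" for c in url):
        return False
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError for a malformed port
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    # Userinfo allows https://official-host@other-host.example/ lookalikes.
    if parts.username is not None or parts.password is not None:
        return False
    if port not in (None, 443):
        return False
    # Exact match on the parsed host (already lower-cased by urlsplit).
    # Substring or endswith checks would accept
    # responses.exam-authority.example.other-host.example.
    return (parts.hostname or "") in ALLOWED_HOSTS
```

Any redirect returned by the fetch has to pass the same function before it is followed, otherwise an allowlisted URL can still lead to a page hosted elsewhere.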

But would things be interesting if everything happened as smoothly as that? (Not very, if I had to guess.) While I was able to get both my (fake) marks and estimated rank/score from the malicious page, there were clearly no insertions being made in the DB (I knew from the fact that the graph below the predicted score wasn’t changing).

At this point, I was quite annoyed. Clearly I was doing something wrong, but I wasn’t sure what it was. Then, on a whim, I decided to go into Chrome’s devtools and see what was going on under the hood. And as soon as I saw what was happening in the network tab, I realised what a fool I had been, uploading static page after static page to a server, just to mess with the site. There it was, plain as day, a request to /logmymarks.php, as soon as I clicked on the link to show my predicted rank: