Let's get started…

A few lines about IIIT Sri City:

The Indian Institute of Information Technology Sri City (IIIT Sri City) is an Institute of National Importance established in 2013 by the Ministry of Education, Government of India, in partnership with the Government of Andhra Pradesh and industry partners.

Let's re-create the scenario!!

I was searching for some good universities for my online Master's across the internet… and honestly, every review felt like a complaint box 💀

Then suddenly, I found this IIIT offering an online M.Tech program where GATE isn't mandatory 😉

Me: "Okay… now you have my attention."

So, I decided to apply for the M.Tech (Online) in Cyber Security at IIIT Sri City. While preparing to pay the admission and other fees…

🚨 Intrusive thoughts activated

"What if… I don't pay the fee… and still get in?" πŸ˜ˆπŸ˜‚

And just like that…

Curiosity = πŸ’―

Morals = buffering… πŸ”ƒπŸ”ƒ

πŸ’» Let's move into the hack!!!

It started like every hacker movie scene:

- Burp Suite: ✅ Open
- Music: 🎧 ATM by Don Toliver on loop (Such a sooooothing one 🔄❤️‍🔥)
- Me: Feeling like Anonymous… 😌💀

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

I opened the admission form, entered the basic details, and clicked on "Proceed with Application."

I selected M.Tech in Cyber Security and started filling out the application…

And bro… this form is LONGGG 😭 At one point I felt like I was writing the UPSC exam. 😂

Halfway through, I even got a startup idea: "AI agent that auto-fills college applications" 😂

Alright alright… back to the mission 😄

I uploaded all the required documents.

Finally, it asked me to select some compulsory subjects. I chose Penetration Testing (PT)…

The irony? I was literally doing penetration testing on the same website 💀💀

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

The payment moment 💸

After submitting, I was redirected to the payment page where I could select different fee components. I selected everything (this was for the first semester only).

Looked at the total amount and went: "Hmm okay…" "But do I really need to pay this?" 😈

I selected UPI and clicked PAY NOW.

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

Now things got interesting…

I hadn't seen this payment gateway before, so I decided to explore its API documentation to understand how transactions work.

5 minutes later:

- 🧠 Brain overloaded
- 👀 Eyes confused
- 💀 slightly regretting life choices

So I took a break… 🫠

After the break, I uploaded the document to ChatGPT and used this prompt:

"Break this document into bullet points without missing anything, in a way even a kid can understand."

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

Back to Burp 🔥

With some clarity, I turned interception ON.

Cancelled the transaction and started analyzing requests like a crime investigator 🕵️‍♂️

After a while, I found an interesting request containing parameters like:

- response_code
- response_message
- error_description

Before the change 🫠

At that moment, my brain said: 👉 "These look… editable." 😏

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

The experiment 🛠️

- response_code = 1001 → 0
- response_message = User declined the payment → Transaction Successful
- error_description = User declined the payment → Transaction Successful

After the change 😁

Sent the modified request to the server…

Me: 😐 Server: 🤔

…and then…

💥 BOOOOOOM 💥

Result

The transaction was marked as successful — without actually completing the payment 😶

During testing, I used GuerrillaMail as my email… and guess what?

👉 I even received a confirmation email 🕺💀

System be like: "Payment successful sir 🤝" Me: "We both know that's not true…"
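A server-side check that rejects an edited callback like the one above, shown next to the trusting handler. This is an added example, not part of the original post and not the gateway's or the institute's code: the `order_id`, `amount` and `signature` fields, the HMAC scheme, the secret and the order record are assumptions; only `response_code`, `response_message` and `error_description` come from the request described in the post.

```python
import hashlib
import hmac

# Assumed: a secret shared between gateway and merchant backend, never sent to the browser.
MERCHANT_SECRET = b"constructed-demo-secret"
# Hypothetical order store; the amount is fixed server-side when the order is created.
ORDERS = {"ORD-1001": {"amount": "75000.00", "paid": False}}
# Every field that influences the payment decision is covered by the signature.
SIGNED_FIELDS = ("order_id", "amount", "response_code",
                 "response_message", "error_description")


def sign(fields: dict) -> str:
    """HMAC-SHA256 over the signed fields in a fixed order (assumed scheme)."""
    msg = "|".join(f"{k}={fields[k]}" for k in SIGNED_FIELDS).encode()
    return hmac.new(MERCHANT_SECRET, msg, hashlib.sha256).hexdigest()


def gateway_callback(order_id, amount, code, message, description) -> dict:
    """Constructed sample of the parameters a gateway would return for one outcome."""
    fields = {"order_id": order_id, "amount": amount, "response_code": code,
              "response_message": message, "error_description": description}
    return {**fields, "signature": sign(fields)}


def handle_callback_naive(params: dict) -> bool:
    """The behaviour described in the post: the relayed status is simply believed."""
    return params.get("response_code") == "0"


def handle_callback_verified(params: dict) -> bool:
    """Mark the order paid only if the signature covers exactly the values received."""
    order = ORDERS.get(params.get("order_id"))
    if order is None or any(k not in params for k in SIGNED_FIELDS):
        return False
    if not hmac.compare_digest(sign(params), params.get("signature", "")):
        return False  # any field edited in transit invalidates the MAC
    if params["amount"] != order["amount"] or params["response_code"] != "0":
        return False
    order["paid"] = True
    return True
```

Where a gateway offers a server-to-server status inquiry, calling it from the backend before marking the order paid closes the same gap without relying on anything the browser relays.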

Notes:

This program is offered via CEP Digivarsity, which collaborates with several institutions such as IITs, IIMs, and IIITs.

It is worth noting that multiple institutions within this ecosystem seem to rely on the same payment gateway, which could have broader security implications if not properly addressed.

Disclaimer

This write-up is shared for knowledge transfer purposes only. Please don't try this on real systems without proper authorization.

(Yes… I'm looking at you 👀😅)

Shoutouts 🙌

Special thanks to: Mayur Parmar, Hemant Patidar, Tarun Tandon, and Pavan Kumar Chinta

Final thoughts 😄

If I had put this much effort into actually paying the fee… I'd probably already have my degree by now 😭😂

Hope you enjoyed this write-up and learned something useful 😁 Feel free to connect with me on LinkedIn for doubts or guidance.

Also, follow me on Medium for more content!

Thanks and bye… Happy hacking — let's hack together 👨‍💻😈