The Find

I was running subdomain enumeration against a university’s root domain when one result stood out:

services.university.edu  [200] [ASP.NET Application]

A bare ASP.NET default page sitting in production. No branding, no login. Just the framework welcome screen - which already tells you the stack, signals a forgotten deployment, and screams “dig deeper.”

Default ASP.NET application page exposed on the subdomain

Hostnames and endpoints in this post have been changed.

I hit it with a targeted wordlist for ASP.NET-specific paths - /swagger, /api, /Help, /odata - and /Help came back 200.

It was a fully exposed API documentation page auto-generated by ASP.NET’s Web API Help Page. Every endpoint, every HTTP method, every parameter - all laid out in production.

Most endpoints had proper auth. But a cluster under /api/Media/ didn’t:

GET    /api/Media/GetPressRelease
GET    /api/Media/GetPressRelease/{id}
POST   /api/Media/AddPressRelease
PUT    /api/Media/UpdatePressRelease/{id}
DELETE /api/Media/DeletePressReleaseById/{id}

Full CRUD on the university’s official press releases. The content that goes on the homepage, gets picked up by media, gets shared across channels.

The Exploit

First, I pulled existing press releases:

curl -s https://services.university.edu/api/Media/GetPressRelease | jq '.[0]'

No auth token. No API key. No session. Raw response with live data and internal IDs.

Then I sent a DELETE with one of those IDs:

GET https://services.university.edu/api/Media/DeletePressReleaseById/5219
[
  {
    "$id": "1",
    "Status": 1,
    "Message": "Delete Successfully !"
  }
]

Postman showing successful unauthenticated delete of press release ID 5219

I figured it was a false positive - maybe the API just returns success regardless. So I sent a follow-up GET for the same ID.

404 Not Found.

Checked the university’s actual website. The news item was gone from the public feed.

One unauthenticated HTTP request deleted an official university press release from production.

The POST and PUT endpoints were equally exposed. I verified by creating a test entry (and immediately removed it). Zero authentication on any write operation.

The Impact

Any person on the internet could:

  • Create fake press releases - “Final exams cancelled,” “Tuition fees refunded,” politically motivated statements
  • Modify existing ones - alter facts, inject misinformation, change quotes
  • Delete real announcements - suppress official communications

For an institution with thousands of students, faculty, and media monitoring its channels, this is a full compromise of the communication pipeline. The attack surface is a single curl command. Automating mass manipulation of the entire news feed would take minutes.

Root Cause

Multiple failures stacking:

Broken Access Control (OWASP A01:2021) - Write endpoints had zero auth checks. The server processed any request from any origin.

API Documentation in Production - The /Help endpoint gave attackers a full map of every endpoint and parameter. Blind enumeration turned into targeted exploitation.

No Network Segmentation - An internal CMS backend service was directly reachable from the public internet with no API gateway, no IP whitelist, no VPN.

Forgotten Infrastructure - The default ASP.NET landing page says it all. This was deployed, wired to the production database, and abandoned. Nobody was watching.
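
An added example, not part of the original write-up: one way the owner could have caught this from IIS logs. It flags successful requests with no logged username against the /api/Media/ write actions, matching on the action name as well as the HTTP method, since the delete shown above appears as a GET. The log lines are constructed, and it assumes authentication populates cs-username (token auth handled inside the app would not).

```python
import re

# Constructed IIS W3C log excerpt; IPs, usernames and status codes are made up.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2024-01-10 09:00:01 GET /api/Media/GetPressRelease - 203.0.113.7 200
2024-01-10 09:00:05 GET /api/Media/DeletePressReleaseById/5219 - 203.0.113.7 200
2024-01-10 09:00:09 GET /api/Media/GetPressRelease/5219 - 203.0.113.7 404
2024-01-10 09:01:00 POST /api/Media/AddPressRelease - 203.0.113.7 200
2024-01-10 09:02:00 PUT /api/Media/UpdatePressRelease/5220 editor1 198.51.100.4 200
2024-01-10 09:03:00 DELETE /api/Media/DeletePressReleaseById/5221 - 203.0.113.9 401
"""

WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
# Action-name prefixes taken from the routes listed on the Help page.
WRITE_ACTION = re.compile(r"^(add|update|delete)", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))


def unauthenticated_writes(text, prefix="/api/Media/"):
    """Return successful state-changing requests that carried no logged identity."""
    hits = []
    for row in parse_w3c(text):
        stem = row["cs-uri-stem"]
        if not stem.lower().startswith(prefix.lower()):
            continue
        action = stem[len(prefix):].split("/")[0]
        # A route can change state on GET, so check the action name too.
        is_write = row["cs-method"] in WRITE_METHODS or WRITE_ACTION.match(action)
        # Assumption: "-" in cs-username means the request was anonymous.
        anonymous = row["cs-username"] == "-"
        if is_write and anonymous and row["sc-status"].startswith("2"):
            hits.append((row["cs-method"], stem, row["c-ip"]))
    return hits


if __name__ == "__main__":
    for hit in unauthenticated_writes(SAMPLE_LOG):
        print(*hit)
```
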

CVSS 9.6 (Critical)

Network-accessible, no authentication, full integrity impact on a public-facing communication channel. Availability impact is maximum - an attacker can wipe the entire news archive.

Reported and patched.