# Technical Evidence

## 1. Platform Architecture

**CBSE OSM Portal:** `cbse.onmark.co.in/cbseevalweb/`  
**Technology:** Angular SPA (Single Page Application)  
**Frontend bundle:** `https://cbse.onmark.co.in/cbseevalweb/main.dc17c24606b3b008.js`  
**Host:** Onmark platform (Coempt EduTeck), on Microsoft IIS (per tender docs)

### Evaluation Workflow
1. Physical answer sheets scanned at designated centres using industrial scanners
2. Scanned images uploaded to Onmark platform
3. Evaluators log into the web portal and are assigned answer scripts
4. Marks submitted via web interface

## 2. Five Critical Vulnerabilities (Nisarga Adhikary, Feb 2026)

### V1: Hardcoded Master Password
- Plaintext password in frontend JS bundle
- Bypasses OTP/2FA entirely when used on login page
- Source: `main.dc17c24606b3b008.js` (publicly served)

### V2: Client-Side OTP Validation
- Server sends OTP in auth response body
- JavaScript compares user input against server value in browser
- Network tab reveals OTP in plaintext

### V3: No Route Guards
- Zero `canActivate` guards on Angular routes
- All internal pages directly navigable by seeding `localStorage`/`sessionStorage`
- Routes: `/dashboard`, `/evalscriptsview`, `/heallscripts`, `/evaluatordetails`, `/verificationdashboard`

### V4: Password Reset Without Old Password
- `ChangePassword` API payload: `{ ValuatorID, pin_NewPassword }` — old password never sent
- Combined with IDOR → reset any examiner's password

### V5: Systemic IDOR
- Every API call reads `ValuatorID` from `sessionStorage["eval"]`
- Server trusts client-sent identity instead of deriving from authenticated session
- Affects practically every POST endpoint
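The server-side handling that V2, V4 and V5 call for, as an added illustration written for this page and not code from the Onmark platform or from the original report: login returns only a session token while the OTP is generated and compared on the server, every data endpoint derives the valuator identity from the session and ignores any `ValuatorID` sent in the body (logging the mismatch for detection), and a password change requires the current password and is scoped to the caller. With identity enforced this way, the absence of client-side route guards (V3) stops being a data-exposure issue, because a seeded `sessionStorage` buys nothing without a verified server session. The function names, the in-memory stores, the OTP outbox standing in for an SMS/e-mail gateway and the sample valuator records are constructed assumptions; the request field name `ValuatorID` is the one the page reports.

```typescript
import { randomBytes, randomInt, scryptSync, timingSafeEqual } from "crypto";

// Constructed in-memory stores standing in for the server-side database.
interface Valuator { salt: Buffer; passwordHash: Buffer; scripts: string[]; }
interface Session { valuatorId: string; otpVerified: boolean; }
interface PendingOtp { code: string; expiresAt: number; attemptsLeft: number; }

const valuators: { [id: string]: Valuator } = {};
const sessions: { [token: string]: Session } = {};
const pendingOtps: { [valuatorId: string]: PendingOtp } = {};
// Stand-in for the SMS/e-mail gateway: the OTP goes here, never into an HTTP response.
const otpOutbox: { [valuatorId: string]: string } = {};
// Audit trail for requests whose body names a different valuator than the session.
const auditLog: string[] = [];

function hashPassword(password: string, salt: Buffer): Buffer {
  return scryptSync(password, salt, 32);
}

function registerValuator(id: string, password: string, scripts: string[]): void {
  const salt = randomBytes(16);
  valuators[id] = { salt, passwordHash: hashPassword(password, salt), scripts };
}

// Step 1: password check. Returns an unverified session token; the OTP is
// generated server-side, delivered out of band, and absent from the response.
function login(id: string, password: string): { token: string } | null {
  const v = valuators[id];
  if (!v || !timingSafeEqual(hashPassword(password, v.salt), v.passwordHash)) return null;
  const token = randomBytes(32).toString("hex");
  sessions[token] = { valuatorId: id, otpVerified: false };
  const code = String(randomInt(100000, 1000000)); // six digits, never "000000"
  pendingOtps[id] = { code, expiresAt: Date.now() + 5 * 60 * 1000, attemptsLeft: 3 };
  otpOutbox[id] = code;
  return { token };
}

// Step 2: the OTP comparison happens on the server, in constant time,
// with an expiry and a bounded number of attempts.
function verifyOtp(token: string, submitted: string): boolean {
  const s = sessions[token];
  if (!s) return false;
  const p = pendingOtps[s.valuatorId];
  if (!p || Date.now() > p.expiresAt) { delete pendingOtps[s.valuatorId]; return false; }
  const expected = Buffer.from(p.code);
  const got = Buffer.from(submitted);
  const ok = expected.length === got.length && timingSafeEqual(expected, got);
  if (ok) { delete pendingOtps[s.valuatorId]; s.otpVerified = true; return true; }
  if (--p.attemptsLeft <= 0) delete pendingOtps[s.valuatorId];
  return false;
}

// Identity comes from the session token only; no request field can override it.
function requireAuth(token: string): { token: string; valuatorId: string } | null {
  const s = sessions[token];
  return s && s.otpVerified ? { token, valuatorId: s.valuatorId } : null;
}

// Data endpoint: a ValuatorID in the body never selects the record, which
// removes the IDOR; a disagreeing value is logged as a detection signal.
function getAssignedScripts(token: string, body: { ValuatorID?: string }): string[] | null {
  const auth = requireAuth(token);
  if (!auth) return null;
  if (body.ValuatorID !== undefined && body.ValuatorID !== auth.valuatorId) {
    auditLog.push(`session ${auth.valuatorId} sent ValuatorID=${body.ValuatorID}`);
  }
  return valuators[auth.valuatorId].scripts.slice();
}

// Password change: needs the current password, applies only to the caller,
// and revokes the caller's other sessions.
function changePassword(token: string, oldPassword: string, newPassword: string): boolean {
  const auth = requireAuth(token);
  if (!auth) return false;
  const v = valuators[auth.valuatorId];
  if (!timingSafeEqual(hashPassword(oldPassword, v.salt), v.passwordHash)) return false;
  v.salt = randomBytes(16);
  v.passwordHash = hashPassword(newPassword, v.salt);
  for (const t of Object.keys(sessions)) {
    if (t !== token && sessions[t].valuatorId === auth.valuatorId) delete sessions[t];
  }
  return true;
}
```

The `auditLog` entries are the kind of signal a detection rule would key on: a legitimate Angular client only ever sends its own identifier, so any mismatch between the session's valuator and the body's `ValuatorID` indicates a tampered or replayed request.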

### V6: SQL Injection (discovered 27 May 2026)
- Reported to CERT-In
- Portal taken down shortly after discovery

## 3. No Android App — OSINT Search Results

| Platform | Query | Result |
|----------|-------|--------|
| Google Play Store | coempt, globarena, onmark, oneex, ezytest, digitab | No apps found |
| APKPure | coempt, globarena, onmark | No apps found |
| APKMirror | coempt, globarena, onmark | No apps found |
| VirusTotal | coempt, globarena, onmark | 0 files, 0 comments each |
| Koodous | coempt, globarena, onmark | No APKs indexed |

Internal Coempt code (`com.coempt` package) uses **Selenium WebDriver + TestNG** — purely web browser automation, zero Android SDK dependencies.

## 4. Shared Infrastructure Evidence

- Same hardcoded master password found in JS bundles of **other `*.onmark.co.in` subdomains**
- All CBSE-related subdomains resolve to **same load balancer** (per Nisarga's DNS research)
- Internal project codenames for state-level deployments: KNR (Kakatiya Univ), NIZAM, GITA, SCTEVT
- SBTET (AP) audit repos show same platform pattern

## 5. Scanning Process

Per tender documents, scanning uses "automatic book/robotics scanners" — enterprise-grade industrial scanners, not consumer mobile apps. The exact scanning software is proprietary and not publicly available.
