weiweik/tronclass-api-bug — explained in plain English
Analysis updated 2026-05-18
Study a real-world example of broken object-level authorization (BOLA/IDOR) in a live web platform.
Read a formal OpenAPI writeup of each vulnerability alongside sample request code.
Browse and test the vulnerability spec locally using the included Swagger UI docs server.
| weiweik/tronclass-api-bug | amazingsyp/pokemon-ontology | binglehaepi/workingtable | |
|---|---|---|---|
| Stars | 21 | 21 | 21 |
| Language | JavaScript | JavaScript | JavaScript |
| Setup difficulty | easy | easy | easy |
| Complexity | 2/5 | 3/5 | 1/5 |
| Audience | researcher | researcher | general |
Figures from each repo's GitHub metadata at analysis time.
Documentation and a local Swagger UI viewer only, not an exploitation toolkit.
This repository is a responsible disclosure report documenting several security problems found in TronClass, an online learning platform used at universities. The author, a student, discovered that multiple TronClass API endpoints check whether a user is logged in but do not check whether that user is actually allowed to access the specific resource they requested. This class of bug is called BOLA (Broken Object Level Authorization) or IDOR (Insecure Direct Object Reference) and is listed in standard security vulnerability catalogs. The most serious issue documented here allows any logged-in student to send an API request that promotes another account, including their own, to the teacher role in any course. Once promoted, that account would theoretically have instructor-level access to that course. Other documented problems include any student being able to retrieve the full attendance list for any class session (including personal identification codes for each student), fetching the QR code used to mark attendance during an active session, reading the enrollment access code for courses, and downloading exam statistics files containing student personal data and answers. The root cause described in the report is that some API endpoints, including older ones that were never properly retired, are missing the middleware step that would check permissions at the object level. The platform asks only whether the requester holds a valid login session, not whether that session belongs to someone who should be allowed to see or change the requested resource. The repository includes an OpenAPI specification file that formally describes each vulnerability, sample JavaScript code showing how each endpoint can be called, and a local documentation server using Swagger UI so readers can browse and test the specification in a browser. The repository is framed strictly as a security education resource and responsible disclosure, not as an exploitation toolkit. The author states their intent is for the TronClass developer to fix these issues before a future release.
A responsible-disclosure report documenting broken object-level authorization bugs in the TronClass learning platform, with proof-of-concept requests and an OpenAPI spec.
Mainly JavaScript. The stack also includes JavaScript, OpenAPI, Swagger UI.
No license information is given in the explanation.
Setup difficulty is rated easy, with roughly 5min to a first successful run.
Mainly researcher.
This repo across BitVibe Labs
Verify against the repo before relying on details.