CodeTantra SEA Vulnerability Writeup
This writeup documents a security vulnerability discovered in CodeTantra's Secure Exam Application (SEA) that has since been responsibly disclosed and patched. The research focused on two specific restrictions that could be bypassed, allowing students to potentially circumvent exam security measures.
The Vulnerability
The CodeTantra SEA platform contained two key vulnerabilities:
- Window Management Bypass: SEA was designed to stay in focus during exams, preventing students from accessing other applications. My research demonstrated how the Win32 API could be leveraged to force the SEA window below other windows, enabling unrestricted Alt-Tab functionality.
- Away-Timer Prevention: SEA implemented a timer that detected when students navigated away from the exam window. By accessing the application's embedded Chromium DevTools port, JavaScript could be injected to disable this detection mechanism.
Technical Implementation
Window Management Bypass
The bypass used a C++ tool (HWND.cpp) that:
- Enumerated all visible windows via Win32 API
- Set the "always-on-top" flag for every window except the SEA application
- Effectively pushed the SEA window below others in the Z-order
Away-Timer Prevention
The bypass used a Python-based injector (dev_injector.py) that:
- Connected to SEA's Chromium DevTools port (9222)
- Located the exam page among available targets
- Injected JavaScript payloads to neutralize various away-detection strategies
- Maintained persistent execution through connection monitoring
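A defender-side check for the DevTools exposure described above, as an added example (not code from the original repository): it flags launches that pass Chromium's --remote-debugging-port switch and probes a local port for the DevTools /json/version endpoint. The sample command lines and the exam-client.exe name are constructed, and that the port was enabled through this switch is an assumption.

```python
import http.client
import json
import re
import urllib.request

# Chromium switch that opens the DevTools HTTP/WebSocket listener.
DEBUG_FLAG = re.compile(r"--remote-debugging-port(?:=(\d+))?")

# Constructed sample command lines; "exam-client.exe" is a hypothetical name.
SAMPLE_CMDLINES = [
    r"C:\Apps\exam-client.exe --kiosk",
    r"C:\Apps\exam-client.exe --kiosk --remote-debugging-port=9222",
]


def flagged_command_lines(cmdlines):
    """Return (cmdline, port) for every command line that enables remote debugging."""
    hits = []
    for cmd in cmdlines:
        match = DEBUG_FLAG.search(cmd)
        if match:
            hits.append((cmd, int(match.group(1)) if match.group(1) else None))
    return hits


def looks_like_devtools(body):
    """True if a /json/version response body has the fields DevTools returns."""
    try:
        info = json.loads(body.decode("utf-8", "replace"))
    except ValueError:
        return False
    return isinstance(info, dict) and (
        "webSocketDebuggerUrl" in info or "Protocol-Version" in info
    )


def devtools_exposed(port=9222, host="127.0.0.1", timeout=1.0):
    """Probe host:port and report whether a DevTools listener answers."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore proxies
    try:
        with opener.open(f"http://{host}:{port}/json/version", timeout=timeout) as resp:
            return looks_like_devtools(resp.read())
    except (OSError, http.client.HTTPException):
        return False  # closed port, timeout, or a service that is not DevTools


if __name__ == "__main__":
    print("flagged launches:", flagged_command_lines(SAMPLE_CMDLINES))
    print("DevTools listening on 9222:", devtools_exposed())
```

Run as a release gate or pre-exam integrity check, a True result or a flagged launch means the client's page logic can be altered from outside the process.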
Responsible Disclosure
This security weakness was immediately reported to the CodeTantra security team following its discovery. The vendor acknowledged the issue and has since released a patched version that addresses both vulnerabilities. This writeup and associated repository are published with vendor acknowledgment as a case study for educational purposes only.
Ethical Considerations
This research demonstrates how client-side security controls can be circumvented when implementation details aren't adequately secured. The publication of these findings:
- Helps defenders understand potential attack vectors
- Provides educators insight into client-side security challenges
- Serves as a teaching resource for responsible vulnerability research
All code and techniques should be used exclusively on test systems with outdated versions for educational purposes. Using these techniques against current systems or in real exam environments would constitute academic dishonesty and potentially violate computer misuse laws.
Conclusion
This project highlights the importance of defense-in-depth strategies for exam security platforms. By sharing this research responsibly after the vendor's patch deployment, we contribute to the security community's knowledge while respecting ethical boundaries.