WPI Network Audit

Identified vulnerabilities exposing institutional data and allowing arbitrary editing of wpi.edu

2025 | Security Research | Software
Heads Up!

This writeup is a work in progress. I will be updating it with more details in the coming months.

Overview

I conducted an independent security audit of Worcester Polytechnic Institute's public-facing network infrastructure. The audit uncovered several critical vulnerabilities, including exposed sensitive data and the ability to arbitrarily modify content on the wpi.edu domain.

Responsible Disclosure

All vulnerabilities were responsibly disclosed to WPI's IT team and were remediated before publication of this writeup.


Methodology

The audit followed standard penetration testing methodologies:

  1. Reconnaissance: Mapping the attack surface of public-facing services
  2. Enumeration: Identifying services, versions, and potential entry points
  3. Vulnerability Analysis: Testing for known vulnerabilities and misconfigurations
  4. Exploitation: Demonstrating impact of discovered vulnerabilities
  5. Documentation: Recording findings for responsible disclosure

All testing was conducted within legal and ethical boundaries, outside of the internal WPI network.


Findings

The audit revealed several categories of vulnerabilities:

  • Data Exposure: Institutional data accessible without authentication
  • Access Control: Insufficient authorization checks on administrative functions
  • Content Injection: Ability to modify public-facing content on wpi.edu

Specific technical details are withheld to protect the institution.


Impact

The discovered vulnerabilities could have allowed attackers to:

  • Access and modify sensitive institutional data and internal communications
  • Deface the public website
  • Potentially pivot to internal systems

Remediation

All findings were reported to WPI's IT Security team through responsible disclosure. The team responded promptly and implemented fixes for all identified issues.

This project reinforced the importance of regular security audits and the value of responsible security research in protecting institutional infrastructure.