⚠️ Status: Deprecated – this tool no longer works (the vulnerability has been fixed). 🧠 This project was developed purely for educational and ethical security research purposes.
Amikom Students Enumerator is a proof-of-concept (PoC) Python tool created for educational cybersecurity research. It demonstrated a mass-enumeration / IDOR (Insecure Direct Object Reference) vulnerability in the student photo system of amikom.ac.id: photos were served at a predictable URL keyed by a sequential student ID, with no authentication or ownership check, so the whole set could be walked by counting.
The tool is no longer functional; the vulnerability has since been mitigated by the system administrators.
- Automated retrieval of student photo URLs
- Enumeration based on sequential student IDs
- Parallel download of all accessible photos
- Local storage for research and vulnerability validation
Root Cause (IDOR / mass enumeration): Predictable URL structure without authentication or access control. The server selected the photo from the ID in the URL alone, so any caller who could guess the next sequential ID received the next student's photo.
Impact:
- Allowed bulk access to all student photos.
- Risk of personal data leakage (names, photos).
- Potential misuse for phishing, impersonation, or social engineering.
Root Cause (Denial of Service): Excessive concurrent requests generated by the tool's multi-threaded enumeration, with no per-client throttling on the server side to absorb them.
Impact:
- Could degrade web server performance.
- Temporary service unavailability for legitimate users.
- Affected stability of shared hosting resources.
| Issue | Technical Category | Impact | 
|---|---|---|
| Predictable URL access | IDOR / Mass Enumeration | Exposure of student personal data (photos) | 
| Uncontrolled concurrent access | Denial of Service (DoS) | Temporary performance degradation | 
This tool was never intended for exploitation. It was created for academic cybersecurity study, to demonstrate how missing access control on static assets can lead to mass data exposure.
If you are a system administrator or developer:
- Always enforce access control for media files: authenticate the caller and check ownership or role on every photo request, not only on the HTML pages that link to them.
- Avoid sequential or otherwise predictable identifiers in URLs; an unguessable reference stops blind enumeration.
- Implement authentication or token-based access for sensitive assets, e.g. short-lived signed URLs bound to the requesting user, verified with a constant-time comparison.
- Answer "forbidden" and "not found" identically (e.g. both as 404) so the response does not confirm which IDs exist.
- Rate-limit requests per client so an enumeration run is slowed down and cannot degrade service for legitimate users.
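The following is an added example written for this README; it is not the enumerator's code and not the amikom.ac.id application. It models the vulnerable photo lookup described above beside a hardened handler that applies the recommendations: authentication, an ownership/role check, a per-client sliding-window rate limit, and an expiring HMAC token bound to the user. All IDs, logins, image bytes and the `203.0.113.x` client addresses are constructed for illustration.

```python
"""Serving student photos: the IDOR pattern beside a hardened handler.

Constructed example (hypothetical users, IDs and image bytes); not the
original tool or the target application.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed sample store. Sequential IDs like these are what made the
# original endpoint enumerable: guess the next number, get the next photo.
PHOTOS = {
    21000001: b"\x89PNG-photo-of-student-1",
    21000002: b"\x89PNG-photo-of-student-2",
    21000003: b"\x89PNG-photo-of-student-3",
}
# Which login owns which student record (constructed).
OWNER_OF = {21000001: "alice", 21000002: "bob", 21000003: "carol"}


def photo_before(student_id: int):
    """Vulnerable pattern: the URL parameter alone selects the object.
    No session and no ownership check, so any caller can walk every ID."""
    return PHOTOS.get(student_id)


# ---------------------------------------------------------------- hardened
SIGNING_KEY = secrets.token_bytes(32)  # server-side secret, never sent to clients


@dataclass(frozen=True)
class Request:
    user: str | None               # None models an unauthenticated caller
    roles: frozenset = frozenset()
    client: str = "203.0.113.10"   # rate-limit key (documentation IP range)


class RateLimiter:
    """Sliding-window limit per client: at most `limit` requests in any
    `window` seconds. Addresses the concurrency problem the enumerator caused."""

    def __init__(self, limit: int = 60, window: float = 60.0):
        self.limit, self.window = limit, window
        self._hits = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        hits = self._hits[key]
        while hits and now - hits[0] >= self.window:   # drop expired hits
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def _sign(student_id: int, user: str, exp: int) -> str:
    """HMAC over object, user and expiry; binds the URL to one session."""
    msg = f"{student_id}|{user}|{exp}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def issue_photo_token(req: Request, student_id: int, ttl: int = 300,
                      now: float | None = None) -> tuple[int, str]:
    """Mint a short-lived token for the caller: a URL copied out of one
    session is useless to anyone else and stops working after `ttl` seconds."""
    now = time.time() if now is None else now
    exp = int(now) + ttl
    return exp, _sign(student_id, req.user, exp)


def is_authorized(req: Request, student_id: int) -> bool:
    """Students may view their own photo; staff may view any."""
    return "staff" in req.roles or OWNER_OF.get(student_id) == req.user


def photo_after(req: Request, student_id: int, exp: int, sig: str,
                limiter: RateLimiter, now: float | None = None):
    """Hardened handler. Returns (body, HTTP status)."""
    now = time.time() if now is None else now
    if req.user is None:
        return None, 401                       # authentication first
    if not limiter.allow(req.client, now):
        return None, 429                       # then throttle, even bad requests
    # Every remaining failure is reported as 404 so the response does not
    # confirm which IDs exist; distinct 403/404 answers are an enumeration oracle.
    expected = _sign(student_id, req.user, exp)
    if not hmac.compare_digest(sig, expected) or now > exp:
        return None, 404
    if not is_authorized(req, student_id):
        return None, 404
    body = PHOTOS.get(student_id)
    return (body, 200) if body is not None else (None, 404)


if __name__ == "__main__":
    alice = Request("alice")
    exp, sig = issue_photo_token(alice, 21000001)
    print(photo_after(alice, 21000001, exp, sig, RateLimiter())[1])   # 200
    print(photo_after(Request("bob"), 21000001, exp, sig, RateLimiter())[1])  # 404
```

The order of checks matters: authentication and the rate limit run before any per-object work, so an unauthenticated or abusive client never reaches the lookup; the HMAC is checked with `hmac.compare_digest` to avoid timing leaks; and both "wrong owner" and "no such student" collapse to the same 404 so the endpoint cannot be used to confirm valid IDs even after access control is in place.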
