explaingit

weiweik/tronclass-api-bug

Analysis updated 2026-05-18

21JavaScriptAudience · researcherComplexity · 2/5Setup · easy

TLDR

A responsible-disclosure report documenting broken object-level authorization bugs in the TronClass learning platform, with proof-of-concept requests and an OpenAPI spec.

Mindmap

mindmap
  root((TronClass bugs))
    What it does
      Documents BOLA/IDOR bugs
      OpenAPI spec
      Swagger UI docs
    Tech stack
      JavaScript
      OpenAPI
      Swagger UI
    Use cases
      Learn API security
      Report to vendor
      Study IDOR examples
    Audience
      Security researchers
      Students

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Study a real-world example of broken object-level authorization (BOLA/IDOR) in a live web platform.

USE CASE 2

Read a formal OpenAPI writeup of each vulnerability alongside sample request code.

USE CASE 3

Browse and test the vulnerability spec locally using the included Swagger UI docs server.

What is it built with?

JavaScriptOpenAPISwagger UI

How does it compare?

weiweik/tronclass-api-bugamazingsyp/pokemon-ontologybinglehaepi/workingtable
Stars212121
LanguageJavaScriptJavaScriptJavaScript
Setup difficultyeasyeasyeasy
Complexity2/53/51/5
Audienceresearcherresearchergeneral

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · easy Time to first run · 5min

Documentation and a local Swagger UI viewer only, not an exploitation toolkit.

No license information is given in the explanation.

In plain English

This repository is a responsible disclosure report documenting several security problems found in TronClass, an online learning platform used at universities. The author, a student, discovered that multiple TronClass API endpoints check whether a user is logged in but do not check whether that user is actually allowed to access the specific resource they requested. This class of bug is called BOLA (Broken Object Level Authorization) or IDOR (Insecure Direct Object Reference) and is listed in standard security vulnerability catalogs. The most serious issue documented here allows any logged-in student to send an API request that promotes another account, including their own, to the teacher role in any course. Once promoted, that account would theoretically have instructor-level access to that course. Other documented problems include any student being able to retrieve the full attendance list for any class session (including personal identification codes for each student), fetching the QR code used to mark attendance during an active session, reading the enrollment access code for courses, and downloading exam statistics files containing student personal data and answers. The root cause described in the report is that some API endpoints, including older ones that were never properly retired, are missing the middleware step that would check permissions at the object level. The platform asks only whether the requester holds a valid login session, not whether that session belongs to someone who should be allowed to see or change the requested resource. The repository includes an OpenAPI specification file that formally describes each vulnerability, sample JavaScript code showing how each endpoint can be called, and a local documentation server using Swagger UI so readers can browse and test the specification in a browser. The repository is framed strictly as a security education resource and responsible disclosure, not as an exploitation toolkit. The author states their intent is for the TronClass developer to fix these issues before a future release.

Copy-paste prompts

Prompt 1
Explain what a BOLA/IDOR vulnerability is using the TronClass examples in this repo.
Prompt 2
Walk me through how the attendance list endpoint in this report leaks personal data.
Prompt 3
Show me how to run the local Swagger UI docs server included in this repo.
Prompt 4
Summarize the root cause the author identifies for these missing authorization checks.

Frequently asked questions

What is tronclass-api-bug?

A responsible-disclosure report documenting broken object-level authorization bugs in the TronClass learning platform, with proof-of-concept requests and an OpenAPI spec.

What language is tronclass-api-bug written in?

Mainly JavaScript. The stack also includes JavaScript, OpenAPI, Swagger UI.

What license does tronclass-api-bug use?

No license information is given in the explanation.

How hard is tronclass-api-bug to set up?

Setup difficulty is rated easy, with roughly 5min to a first successful run.

Who is tronclass-api-bug for?

Mainly researcher.

Open on GitHub → Explain another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.