Complete endpoint inventory from the OnMark Angular production bundle, with authentication context and vulnerability classification.
The OnMark evaluation platform is an ASP.NET MVC application serving an Angular SPA. The API surface is accessed through a single base URL constructed client-side:
```javascript
// Base URL construction (Angular bundle)
apiurl = "https://" + window.location.hostname + "/" + ExamSeries_ApiUrl + "/"
// Example: https://cbseosm.onmark.co.in/cbseevalweb/
// ExamSeries_ApiUrl is derived from a server-side config value
```
All API calls go through an OnMarkWinWebAPI controller, with file downloads served from /Download/ and uploads to /upload/. Because the host is taken from window.location.hostname, every API call is same-origin with the SPA. This matters for the credential analysis that follows: browsers attach cookies to same-origin XHR requests whether or not withCredentials is set.
| Instance | Status | Server | Path |
|---|---|---|---|
| cbseosm.onmark.co.in | 503 (Maintenance) | Microsoft IIS/10.0, ASP.NET | /cbseevalweb/ |
| bcuosm.onmark.co.in | 200 (Active) | Microsoft IIS/10.0, ASP.NET MVC 5.2 | /cbseevalweb/ |
30+ additional subdomains were observed in SSL certificate transparency logs (crt.sh). Both confirmed instances (one active, one in maintenance) serve the same Angular SPA with the same API controller prefix.
The bundle reveals two distinct auth patterns:
Pattern A — Authenticated (most endpoints):
```javascript
// Pattern A as it appears in the bundle; Pi_apiurl is the base URL built above
httpClient.post(Pi_apiurl + endpoint, payload, {
  withCredentials: true,
  headers: (new Headers).set("Content-Type", "application/json")
})
```
withCredentials: true makes the browser attach cookies (and with them the session) to the request even when it is cross-origin. This is the standard pattern for CRUD operations.
Pattern B — Unauthenticated (photo & file endpoints):
```javascript
// Pattern B as it appears in the bundle
getImage(url) {
  return this.http.get(url, { responseType: "blob" })
  // No withCredentials, no headers, no token
}
```
Used for photo retrieval and some file downloads. The missing withCredentials is not by itself proof that these requests leave the browser without a session: the API is same-origin, so the session cookie is attached anyway. What the pattern does show is that the client adds nothing of its own, so whether the content is protected rests entirely on server-side access control. If that control is missing, the content is publicly accessible to anyone who can construct the URL.
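The two patterns above were read out of a 1.7 MB minified bundle. The following script, added here as an example and not code from the OnMark bundle or the original write-up, is how that classification can be done mechanically: it locates each HttpClient call site, recovers the "Controller/Action" literal where one is present, and records whether the options object opts into withCredentials. BUNDLE_SAMPLE is a constructed minified-style snippet imitating the two patterns (a minifier writes withCredentials:true as withCredentials:!0); the call shapes are assumed, not copied from the real bundle.

```python
"""Classify Angular HttpClient call sites in a bundle by credential handling.

Added example; not code from the OnMark bundle or the original write-up.
BUNDLE_SAMPLE is a constructed, minified-style snippet imitating the two
call patterns described above.
"""
import re

# Constructed sample standing in for the production bundle.
BUNDLE_SAMPLE = (
    'login(e){return this.httpClient.post(this.Pi_apiurl+"Auth/CheckUserIDPassword",e,'
    '{withCredentials:!0,headers:(new t.Headers).set("Content-Type","application/json")})}'
    'saveMarks(e){return this.httpClient.post(this.Pi_apiurl+"OnMarkWinEVal/InsertUpdateValuationDetails",'
    'e,{withCredentials:!0})}'
    'getImage(e){return this.http.get(e,{responseType:"blob"})}'
    'finalPdf(e){return this.http.get(this.Pi_apiurl+"Download/finalpdf/"+e+".pdf",{responseType:"blob"})}'
)

CALL_RE = re.compile(r'\.(get|post|put|delete)\(')
# A "Controller/Action" style literal; excludes MIME strings such as "blob" or "Content-Type".
ENDPOINT_RE = re.compile(r'"([A-Za-z0-9_]+(?:/[A-Za-z0-9_]*)+)"')
CREDS_RE = re.compile(r'withCredentials\s*:\s*(?:!0|true)\b')


def _call_args(text, open_idx):
    """Return the text between the '(' at open_idx and its matching ')'.

    String literals are skipped so parentheses inside them do not unbalance
    the scan; None is returned if the call never closes."""
    depth, quote, i = 0, None, open_idx
    while i < len(text):
        c = text[i]
        if quote:
            if c == "\\":
                i += 1                 # skip the escaped character
            elif c == quote:
                quote = None
        elif c in "\"'`":
            quote = c
        elif c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
        i += 1
    return None


def classify_calls(bundle):
    """Return (METHOD, endpoint-or-None, with_credentials) for each call site.

    endpoint is None when the URL is a caller-supplied variable, as in the
    getImage(url) helper, so the literal must be recovered from its callers."""
    found = []
    for m in CALL_RE.finditer(bundle):
        args = _call_args(bundle, m.end() - 1)
        if args is None:
            continue
        ep = ENDPOINT_RE.search(args)
        found.append((m.group(1).upper(),
                      ep.group(1) if ep else None,
                      CREDS_RE.search(args) is not None))
    return found


def uncredentialed(bundle):
    """Endpoint literals whose call site never opts into withCredentials.

    These are leads for access-control testing, not findings: the API is
    same-origin, so the browser attaches the session cookie anyway, and only
    a request sent with no cookie shows whether the server enforces auth."""
    return [ep for _, ep, creds in classify_calls(bundle) if ep and not creds]


if __name__ == "__main__":
    for method, endpoint, creds in classify_calls(BUNDLE_SAMPLE):
        print(f"{method:<6} {'creds' if creds else 'none':<5} {endpoint}")
```

Run it against the real bundle by reading the file into `classify_calls`; the endpoints it reports as uncredentialed are the candidates for a cookie-less request, which is the only test that settles whether the server enforces authentication.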
| Endpoint | Method | Auth | Purpose | Note |
|---|---|---|---|---|
| Auth/CheckUserIDPassword | POST | No | Login | Returns OTP in response body |
| Auth/GetForgotPassword | GET | No | Forgot password | Returns password reset data |
| Auth/InsertUpdateloginstatus | POST | No | Login status tracking | Records IP/MAC/client info |
| Endpoint | Purpose | Auth |
|---|---|---|
| GetScriptData_Edit | Load answer script for marking | Yes |
| InsertUpdateValuationDetails | Save marks for a question | Yes |
| InsertUpdateValuationDetails_RC | Save marks (RC variant) | Yes |
| InsertUpdateValuationDetails_RC_New | Save marks (new RC variant) | Yes |
| GetTotalMarksTable | Get summary marks for a script | Yes |
| GetQuestionWiseMarks | Get per-question marks | Yes |
| GetSubjectSchema | Get marking scheme structure | Yes |
| GetSubjectStepsSchema | Get step-wise marking scheme | Yes |
| GetBundleDetailsById | Get bundle (set of scripts) details | Yes |
| GetSectionWise | Get section-wise marks | Yes |
| GetParentSectionWise | Get parent section marks | Yes |
| GetSubCompleteCount | Get completed scripts count | Yes |
| Endpoint | Purpose |
|---|---|
| HEApproveEval | Approve evaluator's marks |
| HEAssignedEvaluators | List evaluators assigned to HE |
| HEValuatorDashboard | HE dashboard data |
| HeBundles | Bundles assigned to HE |
| GenerateHENewScript | Generate new script for HE review |
| RejectorReleaseScript | Reject or release a script back |
| GetHENotifications | HE notification list |
| GetHeBundleStatusDashboard | HE bundle status summary |
| AssignEvaluatortoAHE | Assign evaluator to AHE |
| AssignAHE | Assign AHE role |
| GetAHEByCollegeId | Get AHE by college |
| GetEvaluatorsAHEByCollegeId | Get evaluators by college (AHE view) |
| Endpoint | Purpose | Vuln? |
|---|---|---|
| GenerateEvaluatedScriptPDF | Generate marked PDF | |
| GenerateScannedScriptPDF | Generate scan PDF | |
| GenerateNewScript | Generate new blank script | |
| GenerateNewScript_Verification | Generate script for verification | |
| ExtractImages | Extract images from script | |
| ExtractImagesS3 | Extract images from S3 storage | |
| DeleteSciptImages | Delete script images | IDOR risk |
| GetAnnotations | Get marking annotations | |
| GetCommentsByScriptId | Get evaluator comments | |
| GetNotesByScriptId | Get notes on a script | |
| GetQNoComments | Get question-specific comments | |
| Endpoint | Purpose |
|---|---|
| ValuatorDashboard | Evaluator dashboard summary |
| GetEValuatorScriptReport | Evaluator script-level report |
| GetValuatorScriptReport | Alternate script report |
| GetValuatorSubjectwiseReport | Subject-wise report |
| GetValuatorDaywiseReport | Day-wise marking report |
| GetRejectionReport | Rejected scripts report |
| RefreshEvalMarksReport | Refresh evaluation marks |
| RefreshEvaluatorwiseMarksReport | Refresh evaluator marks |
| RefreshMarksReport | Refresh general marks |
| getrcbarcode_winterseries | Get RC barcode for winter series |
| Endpoint | Purpose |
|---|---|
| GetEvaluators | List all evaluators |
| GetEvaluatorsById | Get evaluator by ID |
| GetEvaluatorsByCollegeId | Get evaluators by college |
| GetValuatorwithID | Get valuator with ID |
| AddEvaluatorDetails | Add new evaluator |
| UpdateEvaluator | Update evaluator info |
| UpdateEvaluatorDetails | Update evaluator details |
| UpdateEvaluatorBank | Update evaluator bank details |
| UpdateFVProfile | Update face verification profile |
| GetSchoolsBySchlCode | Get school by code |
| GetSubjects | List subjects |
| GetSubjectListByPogramme | Subjects by programme |
| GetPogramme | List programmes |
| Endpoint | Purpose |
|---|---|
| GenerateAllVerification | Generate verification for all |
| GetAllVerificationScripts | List verification scripts |
| EnableEditOptionForEval | Enable mark editing |
| GetEditHistory | Get mark edit history |
| UpdateMasterSet | Update master mark set |
| Endpoint | Purpose |
|---|---|
| GetNotifications | Get user notifications |
| GetHENotifications | Get HE notifications |
| DeleteNotifications | Delete notifications |
| UpdateNotificationData | Update notification |
| InsertUpdateloginstatus | Update login status |
| ChangePassword | Change evaluator password |
| GenerateLoginQRCode | Generate QR code for login |
| CheckQRCodeLogin | Verify QR code login |
| Endpoint | Purpose | Auth |
|---|---|---|
| Download/finalpdf/{id}.pdf | Download marked answer sheet | None in client |
| Download/QP_Files/(unknown) | Download question paper | None in client |
| Download/Schema_Files/(unknown) | Download marking scheme | None in client |
| OnMarkWinWebAPI/face/GetUserPhoto/{code}.jpg | Download evaluator photo | None in client |
| upload/{code}.jpg | Upload evaluator photo | Yes |
| Route | Purpose | Guard? |
|---|---|---|
| /login | Login page | No guard |
| /dashboard | Evaluator dashboard | No guard |
| /evalscriptsview | View scripts for marking | No guard |
| /heallscripts | HE: all scripts | No guard |
| /evaluatordetails | Evaluator details | No guard |
| /verificationdashboard | Verification dashboard | No guard |
| /profile | User profile | No guard |
| /webcamtest | Webcam test page | No guard |
| /contactdetails | Contact details | No guard |
| /recheck | Recheck page | No guard |
| /viewscript | View script | No guard |
| /viewscript-rc | View script (RC) | No guard |
| /viewscriptverf | View verification script | No guard |
| /selectseries | Exam series selection | No guard |
| /notifications | Notifications | No guard |
| /evaluators | Manage evaluators | No guard |
| /marksreport | Marks report | No guard |
| /UFMReport | Unfair means report | No guard |
Angular route guards run in the browser and only decide which views render. Their absence means every view, including the HE and evaluator-management screens, is reachable by URL, but whether anything sensitive is displayed depends on what the API returns to the caller. Treat the unguarded routes as a map of the API surface, not as a vulnerability in themselves.
Endpoint: Download/finalpdf/{total_marks_id}.pdf
Evidence: The bundle contains a hardcoded ID, 93836. The URL is constructed client-side with no per-request access token and opened in a new 800×600 window.
Impact: If the server does not check that the ID belongs to the requesting evaluator, any authenticated user could enumerate sequential integer IDs to download other evaluators' marked answer sheets, exposing student handwriting, evaluator annotations and final marks. If the /Download/ path is not behind authentication at all, the same holds for unauthenticated requests.
Prevalence: Affects all OnMark instances sharing this controller.
Endpoint: OnMarkWinWebAPI/OnMarkWinEVal/ChangePassword
Evidence: Payload is {ValuatorID, pin_NewPassword}. There is no current-password field in the client form or the API payload, and the target account is selected by the client-supplied ValuatorID rather than by the session.
Impact: Account takeover. Unless the server ignores the supplied ValuatorID, any authenticated user who knows another evaluator's ValuatorID can reset their password, locking them out or impersonating them during evaluation. The server-side fix is to take the account from the authenticated session, disregard any ValuatorID in the body, and require the current password before accepting a new one.
Note: Partially disclosed by Nisarga Adhikary. Confirmed here with the exact payload structure.
Endpoint: OnMarkWinWebAPI/face/GetUserPhoto/{user_code}.jpg
Evidence: Called via http.get(url, {responseType: "blob"}) with no withCredentials, no auth headers and no token, while other endpoints in the same bundle explicitly set withCredentials: true. Because the request is same-origin the browser still sends the session cookie, so the omission shows only that the client adds nothing of its own; a request made with no cookie at all is the decisive test.
Impact: If the server does not check the session, evaluator photographs, potentially government ID photos, could be retrieved by anyone who guesses a user_code. User codes follow a predictable pattern (e.g., K82XXXXXXX).
Prevalence: Affects all OnMark instances using the same /face/ path.
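For the finalpdf, GetUserPhoto, QP_Files and Schema_Files paths the client-side evidence only says that no token is added; the decisive check is whether the server serves the object to a request carrying no cookie at all. The script below, added here as an example and not part of the original investigation, makes that differential check: it requests a URL once with a session cookie and once with none, refuses to follow redirects (so a bounce to the login page is recorded as a denial), and only counts a 200 as success when the body has the Content-Type a real object would carry. The transport is injectable so the logic can be exercised offline; SAMPLE_RESPONSES, the example.invalid host, the user code and the cookie name are constructed placeholders, not observations from any OnMark instance.

```python
"""Differential access-control check for endpoints the client calls without credentials.

Added example, not part of the original write-up. The `send` parameter is an
injectable transport so the logic runs offline against SAMPLE_RESPONSES;
urllib_send is the real transport.
"""
import urllib.error
import urllib.request
from dataclasses import dataclass


@dataclass
class Resp:
    status: int
    content_type: str
    length: int
    location: str = ""      # Location header for 3xx answers


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report a 3xx as the final answer instead of following it to a login page."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def urllib_send(url, cookie=None):
    """Real transport: one GET, optional Cookie header, redirects not followed."""
    req = urllib.request.Request(url, headers={"User-Agent": "authz-check/1.0"})
    if cookie:
        req.add_header("Cookie", cookie)
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=15) as r:
            return Resp(r.status, r.headers.get("Content-Type") or "", len(r.read()))
    except urllib.error.HTTPError as e:
        return Resp(e.code, e.headers.get("Content-Type") or "", 0,
                    e.headers.get("Location") or "")


def verdict(anon, authed, expected_type):
    """Classify how the server treated the anonymous request.

    expected_type is the Content-Type prefix a real object carries
    ("application/pdf", "image/"); a 200 of any other type is usually an
    HTML login or error page and must not be counted as success."""
    def served(r):
        return r.status == 200 and r.content_type.lower().startswith(expected_type) and r.length > 0
    if served(anon):
        return "PUBLIC"               # real content with no cookie at all
    if not served(authed):
        return "INCONCLUSIVE"         # bad id, expired session or maintenance page
    if anon.status in (401, 403):
        return "AUTH_REQUIRED"
    if 300 <= anon.status < 400 and "login" in anon.location.lower():
        return "REDIRECT_TO_LOGIN"
    if anon.status == 200:
        return "SOFT_DENIAL"          # 200 with the wrong body type, e.g. an HTML login page
    return "DENIED_OTHER"             # 404, 500 etc. while the same id works with a cookie


def check(url, cookie, expected_type, send=urllib_send):
    """Run the two requests and return the verdict for one URL."""
    return verdict(send(url, None), send(url, cookie), expected_type)


# Constructed responses for offline use; example.invalid is a reserved name, not a target.
BASE = "https://example.invalid/cbseevalweb/"
SAMPLE_RESPONSES = {
    (BASE + "Download/finalpdf/1.pdf", False): Resp(200, "application/pdf", 84210),
    (BASE + "Download/finalpdf/1.pdf", True):  Resp(200, "application/pdf", 84210),
    (BASE + "OnMarkWinWebAPI/face/GetUserPhoto/K820000001.jpg", False): Resp(302, "", 0, "/cbseevalweb/login"),
    (BASE + "OnMarkWinWebAPI/face/GetUserPhoto/K820000001.jpg", True):  Resp(200, "image/jpeg", 11834),
}


def fake_send(url, cookie=None):
    """Offline transport backed by SAMPLE_RESPONSES."""
    return SAMPLE_RESPONSES[(url, cookie is not None)]


if __name__ == "__main__":
    session = "ASP.NET_SessionId=<session>"   # cookie name assumed; use whatever the app issues
    for url, with_cookie in SAMPLE_RESPONSES:
        if not with_cookie:
            kind = "application/pdf" if url.endswith(".pdf") else "image/"
            print(check(url, session, kind, send=fake_send), url)
```

A PUBLIC verdict on a single ID is enough to confirm the finding for that path; enumeration of further IDs adds nothing to the evidence and should be left to the operator's own testing.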
IP/MAC Tracking: The login status endpoint (InsertUpdateloginstatus) records the client's IP address, MAC address, browser user-agent and OS, and this data is transmitted in the login response. A browser cannot read the host's MAC address, so whatever is stored in that field is either client-supplied (and therefore forgeable) or derived server-side; either way the record could be accessible to other users if the status endpoint has IDOR issues.
QR Code Login: A GenerateLoginQRCode / CheckQRCodeLogin flow exists; the bundle polls CheckQRCodeLogin every 5 seconds. The security of this QR-based session transfer depends on server-side properties the bundle does not show: whether the QR token is unguessable, short-lived, single-use and bound to the session that requested it.
Face Verification: A /webcamtest route and CheckPhoto / RegisterPhoto API endpoints exist for facial recognition-based attendance verification. The photos are stored at /upload/{user_code}.jpg.
Draft Mode: An EnableEditOptionForEval endpoint exists alongside GetEditHistory, suggesting marks can be edited after initial submission. The edit history is queryable, but the bundle does not show which roles can enable or disable editing.
Question Paper Downloads: Download/QP_Files/(unknown) serves question papers. Like the PDF download, it is requested with no client-side credential handling, so its security depends entirely on server-side access control.
| Evidence | Source | Date |
|---|---|---|
| Angular production bundle (1.7 MB) | Wayback Machine — cbse.onmark.co.in | 3 Mar 2026 |
| Selenium automation code | GitHub — segrgokul/New_Coempt_Automation | Cloned May 2026 |
| SSL certificates (30+ subdomains) | crt.sh — *.onmark.co.in | Queried May 2026 |
| Live HTTP headers | Direct curl to cbseosm/bcuosm.onmark.co.in | 30 May 2026 |
All evidence archived at zo.pub/cashlessconsumer/cbse-osm-onmarks-osint (1,400+ files).