Question

Currently I am tasked with debugging a quizzing client for students, and recently I came across something that could be a potential security glitch. Every quiz or test has the same naming convention. Example: S1Q1.js = Section 1 Quiz 1

The JavaScript quiz file (AKA S1Q1.js) is simply a form that is submitted to the server, so I'm not worried about that, but after the student submits the form it is then graded and they are taken to a review page where there is feedback explaining why the correct answer is correct. The review file is always just the quiz file with an R after it, so it would be S1Q1R.js. If a student were to be able to download the review file before their test was over then they would easily get a 100.

The possible security issue comes from the review file names following a strict pattern. I worry that it's possible for a student to request the S1Q1R.js file from the server just by knowing the URL and the file name. Note: the only way to get to the review page is to hit the submit test button; if you entered the URL manually it would redirect you to the home page. (End note.)

So do I have anything to worry about? If a student could do this how would they go about doing it, and more importantly how would I go about stopping them?


Solution

Well, if you don't want them getting the review file, then it shouldn't be uploaded to a public html directory. It needs to be stored in a private directory, inaccessible until specific actions are performed. You might also want to call the review file content via a unique URL for each student. I'd say it's an issue, because, yeah, it would be easy for someone to figure this out. :)

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow