Stored XSS on Edmodo

Rohit Verma
May 28, 2019 · 1 min read

Hello everyone,
I believe sharing is caring, and I have been learning from multiple security researchers in the Infosec community. So here is the write-up of my recent finding.

The web application allows you to create a virtual library.
In the library, you can add files, folders, links, and quizzes.
And when a user gave the folder a name with evil chars, it was sanitized correctly.

After hours of enumeration, I found another endpoint where only the folder name was getting reflected, and it was not correctly being sanitized.

Below are the steps to reproduce the stored XSS vulnerability:

1: Open https://edmodo.com/library
2: Make a new folder
3: Input this payload “</title></head><body onload=alert(1)></body><!--” in the name field.
4: Intercept the request and note down the [folder-id]
5: Open https://www.edmodo.com/folder/[folder-id], a pop-up will come.
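
Added example (not from the original post and not Edmodo's code): the payload in step 3 begins with </title></head>, which suggests the folder name was written into the page's <title> without output encoding. The sketch below assumes a hypothetical renderFolderPage template and shows the same stored name rendered raw and HTML-encoded at output time.

```javascript
// Added illustration: template, function names and page layout are assumptions.

// Payload from step 3 of the write-up.
const PAYLOAD = '</title></head><body onload=alert(1)></body><!--';

// Encode the characters that are significant in HTML text and quoted attributes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hypothetical folder page: the stored name lands in <title> and in a heading.
// encode=false models the unsanitized endpoint; encode=true is the fix.
function renderFolderPage(name, encode) {
  const n = encode ? escapeHtml(name) : name;
  return `<html><head><title>${n} | Library</title></head>` +
         `<body><h1>${n}</h1></body></html>`;
}

// Text of the first <title> element, as an HTML parser would delimit it.
function titleText(html) {
  const m = /<title>([\s\S]*?)<\/title>/i.exec(html);
  return m ? m[1] : null;
}

// Regression check: the template's own suffix must still be inside <title>.
// If the stored name closed the element early, the suffix falls outside it.
function nameStaysInTitle(html) {
  const t = titleText(html);
  return t !== null && t.endsWith(' | Library');
}

const raw = renderFolderPage(PAYLOAD, false);
const encoded = renderFolderPage(PAYLOAD, true);
console.log('raw stays in title:    ', nameStaysInTitle(raw));
console.log('encoded stays in title:', nameStaysInTitle(encoded));
```

Encoding belongs at every place the name is written into HTML, since the write-up shows one view sanitizing the name while another endpoint reflected it unsanitized.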


Thanks, everyone, for reading my write-up!

Thanks a lot, Chip, for the quick responses and cool swag.

About me:
https://twitter.com/5eren1ty

https://facebook.com/5eren1ty
