Hunting methodology and experience of my First Stored XSS on

Mar 13, 2019 · 2 min read

Many people were sharing pictures of their Edmodo swag. It looks cool, and everyone said it was for a cross-site scripting bug, so I assumed there was plenty of XSS to find. Edmodo is a very secure platform and is very serious about security, so I decided to hunt there. Even the leet hunter Prial Islam Khan shared a picture of his Edmodo swag, which inspired me a lot.


So I decided to test Edmodo. But I am a noob; how could I find the bug? Yeah, I can. And if I can, that means anyone can.

What is my methodology?

Are these simple steps, or some l33t automation tool? Nope, it's just manual, too manual. As I said, I am a noob, so I hunted in a very noob way: I filled every input field with XSS payloads, hoping to get an XSS and some cool swag ❤.

How I got the bug?

As I said, every field was filled with XSS payloads. I was hoping for a pop-up and got nothing. But hope (belief) is always with me. I read Arbaz Hussain's (kiraak-boy) post, where he advised giving every program time before losing hope. Link to the post: So I decided to start looking for bugs on Edmodo subdomains. I used a tool named Sublist3r (written by Ahmed Aboul-Ela) to enumerate subdomains. Link to the tool:

Then? Then I just opened one of them and boom, the XSS popped. I started looking for the injection point, and it was the status post.

How I got the payload?

Maybe people are wondering; some have already asked me about the payload I used. It's not mine. I used an XSS polyglot crafted by the XSS King Ashar Javed. Here is the payload:

">><marquee><img src=x onerror=confirm(1)></marquee>" ></plaintext\></|\><plaintext/onmouseover=prompt(1) ><script>prompt(1)</script><isindex formaction=javascript:alert(/XSS/) type=submit>'-->" ></script><script>alert(1)</script>"><img/id="confirm&lpar; 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http: //">)

I used this payload initially, then removed the unnecessary parts while making the PoC video.
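To show why the first fragment of that polyglot (`"><marquee><img src=x onerror=confirm(1)></marquee>`) fires in a stored context like a status post, here is an added example of my own (not code from the original post, and not Edmodo's code). It assumes a made-up template that drops the status text into an attribute value and a text node. The unsafe version concatenates the text as-is; the safe version entity-encodes the characters that can change HTML structure. Two small helpers then list the start tags and event-handler attributes a browser would actually see in each result, honouring quoted attribute values so that encoded text inside `title="..."` is not mistaken for a real attribute.

```javascript
// Added example, not from the original post or from Edmodo.
// Demonstrates the vulnerable rendering of a status post next to its
// hardened form, using the first fragment of the quoted polyglot.

// Constructed input: the leading fragment of the polyglot quoted above.
const PAYLOAD = '"><marquee><img src=x onerror=confirm(1)></marquee>';

// Assumed vulnerable template (illustrative, not Edmodo's code): the status
// is concatenated straight into an attribute value and into a text node.
function renderStatusUnsafe(status) {
  return `<div class="status" title="${status}">${status}</div>`;
}

// Entity-encode the characters that can change structure in HTML text and
// quoted-attribute contexts. Attribute values must be quoted for this to
// be enough; unquoted attributes, <script> bodies and URLs need different
// encoding.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened template: same layout, value encoded before insertion.
function renderStatusSafe(status) {
  const encoded = escapeHtml(status);
  return `<div class="status" title="${encoded}">${encoded}</div>`;
}

// Names of the start tags in the markup. In HTML tokenization a '<'
// immediately followed by an ASCII letter opens a start tag, so this
// lists the elements the markup would create.
function startTagNames(html) {
  return Array.from(html.matchAll(/<([a-z][a-z0-9-]*)/gi), (m) => m[1].toLowerCase());
}

// Walk each start tag's attributes and return "tag@onxxx" for every event
// handler attribute, skipping over quoted values so text such as
// title="... onerror=..." is not counted.
function eventHandlers(html) {
  const found = [];
  const tagRe = /<([a-z][a-z0-9-]*)/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    let i = tagRe.lastIndex;
    while (i < html.length && html[i] !== '>') {
      if (/[\s/]/.test(html[i])) { i++; continue; }   // whitespace or self-closing slash
      const start = i;
      while (i < html.length && !/[\s=>/]/.test(html[i])) i++;   // attribute name
      const name = html.slice(start, i).toLowerCase();
      while (i < html.length && /\s/.test(html[i])) i++;
      if (html[i] === '=') {                            // optional value
        i++;
        while (i < html.length && /\s/.test(html[i])) i++;
        const q = html[i];
        if (q === '"' || q === "'") {                   // quoted value: jump to closing quote
          const end = html.indexOf(q, i + 1);
          i = end === -1 ? html.length : end + 1;
        } else {                                        // unquoted value: up to space or '>'
          while (i < html.length && !/[\s>]/.test(html[i])) i++;
        }
      }
      if (/^on[a-z]+$/.test(name)) found.push(`${tag}@${name}`);
    }
    tagRe.lastIndex = i;
  }
  return found;
}

// Stand-alone run: compare what each template produces for the payload.
const unsafeHtml = renderStatusUnsafe(PAYLOAD);
const safeHtml = renderStatusSafe(PAYLOAD);
console.log('unsafe tags:', startTagNames(unsafeHtml), 'handlers:', eventHandlers(unsafeHtml));
console.log('safe tags:  ', startTagNames(safeHtml), 'handlers:', eventHandlers(safeHtml));
```

Running it shows the unsafe template producing two extra `<marquee>` and `<img>` elements, each with an `onerror` handler, once from the attribute breakout and once from the text node, while the encoded version yields only the original `<div>`. That is the whole difference between a stored XSS and a harmless status post: output encoding chosen for the context the value lands in.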

Twitter Status:

Note: This is my first Medium post, so feel free to comment with advice about this write-up and to correct me (even grammar mistakes). By the way, the bug was found a long time ago, so I described the methodology from memory.

Experience with Edmodo:

Edmodo is a very secure platform and is very serious about security. I had a great experience with Edmodo: their response was quick and their communication clear. Thanks, Edmodo (especially Chip Benson).

Video PoC (also follow my YouTube channel for updates):

XSS Reported 16 September, 2018
Triaged and rewarded on 17 September, 2018
Swag received on 29 September, 2018

About me:
