Stored XSS on Edmodo

Futaacm Cyber
Feb 18, 2019 · 4 min read

Hi guys,

Today i will be sharing about the exploit i found in Edmodo which could have allowed me to take over the account of any user of my choice.

About the target?

Edmodo is an educational technology company offering a communication, collaboration, and coaching platform to K-12 schools and teachers. The Edmodo network enables teachers to share content, distribute quizzes, assignments, and manage communication with students, colleagues, and parents.

Let’s get started!!!

Image for post
Image for post

So I saw a post on twitter where some guys posted about the swag they got from edmodo and I decided to try my luck out probably I might be able to find something. Below I will be talking about one of the bug I found on this target.


I visited the website and signed up as a normal user, I tried playing around the application for a while trying to understand the work flow of the application before creating another account which I will be using for attacking.

After playing with the application for a while, I thought I understood the application and I was set to attacking it which happened to the biggest lie of all time.

Image for post
Image for post

Thinking i was set to attack, so I decided to create a new account which I will be using to attack. To sign up on this application, the application takes you through four stages which are:

Stage 1: The application ask you for your email and password

Stage 2: The application ask you for your first name and last name. (This is the vulnerable endpoint)

Stage 3: The application ask you for the school you will be teaching from

Stage 4: The application ask you to link your other social media account with your edmodo account.

The Exploit

In the first stage, I filled in the form as required, i entered my email and password, then I was redirected to the second stage where I was asked for my firstname and lastname, this was where I injected my payload, I used <img src=x onerror=alert(1)> as the firstname and the same as the lastname, luckily for me my payload slipped through without being filtered or rejected by the server, at this stage I was already dancing.

Image for post
Image for post
my current mood

I filled the rest of the forms as required then I got logged in to my account. Upon logging in I was a bit disappointed, I was expecting my payload to be executed in the home page since my first name and last name were reflected their, instead of being executed as a script, they were reflected as a raw text, I checked my profile page probably I might get lucky and my payload will be executed their but still no luck, at this stage I was getting discouraged.

Image for post
Image for post
me feeling discouraged

I tried for couple of days to get it work but damn!!, I got nothing, this is where my insufficient reconnaissance showed but I was determined to make it work, as the infosec community always say #TryHarder which is what I did, on one faithful day, I was playing with the application again then I searched for my Account A from my Account B, I found my other Account A and I sent a connection request from my Account B to my Account A and I logged in to my Account A and I accepted the request, I viewed my Profile, I saw I had a new connection, I clicked on the connection tag and Boom!!! my payload was executed.

Image for post
Image for post

At this stage I didn’t know how to feel because I have being trying to make this work for days and finally It worked, straight away I reported the bug, I didn’t try exploiting it further because I didn’t want to get a “duplicate report” response and which sadly for me that was what I got.

But it’s good, I did learn something from exploiting the application which is: “Reconnaissance is the key” and “Being persistence pays off”.

Screenshot of P.O.C:

Image for post
Image for post

Response from the triage team:

Image for post
Image for post

That’s all for now,

Thank you.

Credit: Afolic

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch

Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore

Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store