Stored XSS on Edmodo
I believe sharing is caring, and I have been learning from multiple security researchers in the Infosec community. So here is the write-up of my recent finding.
The web application allows you to create a virtual library.
In the library, you can add files, folder, links, quiz.
And when a user adds the name to the folder with evil chars, it was sanitized correctly.
After hours of enumeration, I found another endpoint where only the folder name was getting reflected, and it was not correctly being sanitized.
Below are the steps to reproduce the stored XSS vulnerability:
1: Open Https://edmodo.com/library
2: Make a new folder
3: Input this payload “</title></head><body onload=alert(1)></body><! — “ in the name field.
4: Intercept the request and note down the [folder-id]
5: Open https://www.edmodo.com/folder/[folder-id], a pop-up will come.
Thanks, everyone for reading my write-up!
Thanks a lot, Chip for quick responses and cool swag.