XSS in Edmodo within 5 Minutes (My First Bug Bounty)

Hello Bug Hunters,
I would love to thank you for your Edmodo support and wish success to all.

In this writeup, I am going to tell you how I was able to get XSS in Edmodo.

I found this bug a month ago, inspired by the story of Parth Shah. He wrote an article based on Stored XSS.

I was just surfing the edmodo.com website and found two or more URLs while surfing. There was nothing on that page, just a login page and a simple, somewhat outdated Edmodo layout. I thought, let’s try to find something on this page, so I started thinking thinking thinking..!

After some time I decided to capture the login request of that page.
Target URL: https://www.edmodo.com/bookmarklet-login

I opened this URL and saw that it shows a login screen with a sky blue background. You can see the login page in the screenshot. I tried SQL and XSS input but nothing happened. Then I tried to dig deeper into the application and check every parameter of the request when I log in.

I saw username, password, and login being passed in the request. Generally, these are all passed when the user logs in. But I saw there was also a parameter called URL being passed in the request.

When I saw the URL parameter passing in the request, my mind was thinking thinking thinking..!

Next, I tried putting in a string like “Test Example”. I saw that it was reflected in the response. There was no validation or filter sanitizing the input. Then I tried other payloads and they were set perfectly. I also saw that the payload breaks the input tag on the response side. It accepts all special characters and XSS payloads without giving any errors.

Steps to Generate XSS [Reflected]:

Step - 1: Open https://www.edmodo.com/bookmarklet-login. Enter the username and password.

Step - 2: Intercept the request. Note the “url” parameter passing in the request.

Step - 3: Put the url= ”/><script>alert(document.domain)</script.

Step - 4: Check the response. The payload breaks the input tag on the response side.

Step - 5: Payload successfully executed whooooilaaaa…!

After the payload successfully executed, I was like this..:P

It takes lots of tries to find a single vulnerability, but “Never Give Up”. If you go deep enough you will definitely find something.

I was very happy because it was my first valid bug. I kept waiting for a response from Edmodo’s side. I immediately made a POC video and sent it to the team. They were very responsive. After a few weeks, I received the swag.

Timeline:

09-Jan-2019: Report Sent

10-Jan-2019: Report in Verification Process.

10-Jan-2019: Report Verified Successfully.

11-Jan-2019: Reward Sent

20-Jan-2019: Reward Received. (Swag)

Things to Know:

  1. Always dig deeper into the web application.
  2. Check every parameter that is passed in the request.
  3. Never Give Up. There is always something when you go deep.
  4. Always practice more, read books, and read more and more writeups.

Thank you for reading this. Focusing now more on reward-based programs. Any suggestions are welcome.

About Me:

I am Keyur Vala [Student of M.Tech Branch at Gujarat Forensic Science University], Cyber Security Researcher, Ethical Hacker, Cyber Crime Investigator, and Bug Bounty Hunter. I am currently working as an Information Security Analyst, providing security in the banking sector. If you want a security analysis or need any kind of help, kindly ping me any time..!

I am looking for an opportunity in infosec. I am good at Web Application security, and I am also an experienced PHP developer and Python enthusiast. I have written some hacking tools and other cool stuff. So if you are hiring for your company, I would like to apply.

Facebook, Twitter, Linkedin, Medium: @valakeyur

Thank You,

Keyur Vala