XSS in Edmodo within 5 Minutes (My First Bug Bounty)

Keyur Vala
4 min read · Mar 4, 2019


Hello Bug Hunters,

In this article I will tell you how I managed to exploit an XSS in Edmodo.

I found this bug a month ago, inspired by the story of Parth Shah, who wrote an article about a Stored XSS.

As I was surfing the edmodo.com website, I found two or more URLs at that point in time. There was nothing on that page except a login form and an outdated layout of the Edmodo website. I thought, let’s see if I can find anything on this page.

After some time, I decided to capture the login request of that page. Target URL: https://www.edmodo.com/bookmarklet-login

When I opened this URL, I saw a login screen with a sky blue background. Here is a screenshot of the login page. However, nothing happened when I tried SQL and XSS input. My next step was to dig deeper into the application and check all parameters of the request after logging in.

In the request, the username, password, and login information are passed. All of these are sent when the user logs in. However, I saw that there is also a parameter called URL passed with the request.

My mind went into overdrive when I noticed the URL parameter being passed in the request!

Now I tried putting a string like “Test Example” into it. Looking at the response, it was reflected on the page. The input does not go through any validation or filtering. I tested other payloads and they were also reflected as-is. Likewise, the payload breaks out of the input tag on the response side. Special characters and XSS payloads are accepted without any errors.

Steps to Generate XSS [Reflected]:

Step - 1: Open https://www.edmodo.com/bookmarklet-login. Enter a random username and password.

Step - 2: Capture the request. Note the “URL” parameter being passed in the request.

Step - 3: Set url="/><script>alert(document.domain)</script>

Step - 4: Check the response. The payload breaks out of the input tag on the response side.

Step - 5: Payload successfully executed. Woooohooo…!
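As an added illustration (not the author's code and not Edmodo's actual template), here is a minimal stand-in for a login form that echoes the url parameter into a hidden input's value attribute. The vulnerable renderer reflects the value verbatim, so the write-up's payload closes the attribute and the tag; the hardened one HTML-attribute-encodes it, so the same input stays inert. The form field names are assumptions.

```python
import html
import re

# Constructed stand-in for the login form: the "url" parameter is echoed
# back so the user can be redirected after login. Field names are assumed.
FORM_TEMPLATE = (
    '<form method="post" action="/bookmarklet-login">'
    '<input type="text" name="username">'
    '<input type="password" name="password">'
    '<input type="hidden" name="url" value="{url}">'
    '<button type="submit">Log in</button>'
    '</form>'
)


def render_vulnerable(url: str) -> str:
    """Reflects the parameter verbatim: no validation, no output encoding."""
    return FORM_TEMPLATE.format(url=url)


def render_hardened(url: str) -> str:
    """Encodes the parameter for an HTML attribute context before reflecting it.
    quote=True turns '"' into '&quot;', so the attribute cannot be closed early."""
    return FORM_TEMPLATE.format(url=html.escape(url, quote=True))


SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def reflected_script_count(page: str) -> int:
    """Response check: the template contains no <script>, so any occurrence
    means the reflected value broke out of its attribute."""
    return len(SCRIPT_TAG.findall(page))


def attribute_value(page: str) -> str:
    """What actually ended up inside value="..." of the url input."""
    m = re.search(r'name="url" value="([^"]*)"', page)
    return m.group(1) if m else ""


# The payload from the write-up, used here as constructed test input.
PAYLOAD = '"/><script>alert(document.domain)</script>'

if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        page = render(PAYLOAD)
        print(name, "script tags:", reflected_script_count(page))
        print(name, "value attr :", attribute_value(page))
```

In the vulnerable output the attribute ends up empty and a live script tag follows it; in the hardened output the whole payload is still inside the attribute as an encoded string.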

My reaction after successfully executing the payload was like this.. :P

Finding a single vulnerability can take a lot of time and effort, but if you dig deep enough, something will definitely be found.

I was very excited because it was my first valid bug. I eagerly awaited a response from Edmodo. I immediately made a POC video and sent it to the team. The team was very responsive. The swag was delivered a few weeks later.

Timeline:

09-Jan-2019: Report sent.

10-Jan-2019: Report in verification process.

10-Jan-2019: Report verified successfully.

11-Jan-2019: Reward sent.

20-Jan-2019: Reward received (swag).

Things to Know:

  1. Always dig deeper into the web application.
  2. Check every parameter that is passed in the request.
  3. Never give up. There is always something when you go deep.
  4. Always practice more, read books, and read more and more write-ups.

Thank you for reading this. I am now focusing more on reward-based programs. Any suggestions are welcome.

About Me:

An IT security consultant and researcher with over 3.5 years of experience in Web & Mobile Penetration Testing. Competent and skilled IT & Web Security Researcher & Developer. Apart from professional experience, I have enthusiasm and diligence for hacking and finding new bugs and vulnerabilities, with working knowledge across reputed fields.

Helping enterprise, medium, and small businesses to be cyber safe by providing high-end cyber security consulting and the best possible solutions. Working with a vast cyber security community of consultants, companies, and solution providers to reach the cyber-safe goal.

Facebook, Twitter, Linkedin, Medium: @valakeyur

Thank You,

Keyur Vala


Cyber Security Enthusiast | Blogger | Entrepreneur | Bug Bounty Hunter