Hello wonderfull readers, Myself Ashish Jha back with another of my write-up, Yes you heard it right it was a “3 minutes and xss”, Now as an hacker i always try to be as much efficient as possible and always try to find bugs fast(It’s just my curiosity), Whenever i start pentesting any stuff i keep a rough record of the amount of time i took finding the bug.
Let me narrate you this one:
So the website i was pentesting was edmodo.com(I asked them for a public disclosure), It was just in the morning that i wanna pentest edmodo that day and in the noon i started it , Follow along.
I did a simply recon using knockpy and found a subdomain go.edmodo.com,
I went their and clicked on signup, which then redirected me to:
I just added some <> in the first parameter —[ school_suggestion_test_variant=controlass<>], To see whether they get embedded into the source code, Then i found these brackets getting embedded between the <script> tags , WHAT NEED MORE!!!!!!!
<img src=x onerror=”alert(xss by ashish)”>, BOOOOOM XSS
This was my 3 minutes recon and xss, hope you may find it helpfull.
I then headed towards my mail and sent them the report, After a couple of days they replied back for rewarding the swags, And they are really awesome!
My overall experience with edmodo security team was really awesome(10/10).
Thank you guys for reading, Write for you after a while!