3 Minutes & XSS!

Ashish Jha
Aug 17, 2018 · 2 min read

Hello wonderfull readers, Myself Ashish Jha back with another of my write-up, Yes you heard it right it was a “3 minutes and xss”, Now as an hacker i always try to be as much efficient as possible and always try to find bugs fast(It’s just my curiosity), Whenever i start pentesting any stuff i keep a rough record of the amount of time i took finding the bug.

Let me narrate you this one:

So the website i was pentesting was edmodo.com(I asked them for a public disclosure), It was just in the morning that i wanna pentest edmodo that day and in the noon i started it , Follow along.

Step 1:

I did a simply recon using knockpy and found a subdomain go.edmodo.com,

I went their and clicked on signup, which then redirected me to:

https://www.edmodo.com/onboarding?school_suggestion_test_variant=controlass&language=en_GB

Redirection image

Step 2:

I just added some <> in the first parameter —[ school_suggestion_test_variant=controlass<>], To see whether they get embedded into the source code, Then i found these brackets getting embedded between the <script> tags , WHAT NEED MORE!!!!!!!

<script> tags embedded!

Step 3:

<img src=x onerror=”alert(xss by ashish)”>, BOOOOOM XSS

This was my 3 minutes recon and xss, hope you may find it helpfull.

I then headed towards my mail and sent them the report, After a couple of days they replied back for rewarding the swags, And they are really awesome!

My overall experience with edmodo security team was really awesome(10/10).

Image for post
Image for post
Mug, Stickers, Badges, t-shirt

Thank you guys for reading, Write for you after a while!

InfoSec Write-ups

A collection of write-ups from the best hackers in the…

Ashish Jha

Written by

Saw the purity of computers and felt in love with them. Red teamer: https://bluefire-redteam.com | Guitarist | Programmer | Love Electronics | Back-end lover

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew

Ashish Jha

Written by

Saw the purity of computers and felt in love with them. Red teamer: https://bluefire-redteam.com | Guitarist | Programmer | Love Electronics | Back-end lover

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch

Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore

Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store