How I got my first swag on Edmodo with a simple XSS.

Hi friends,

Coming straight to the point, Edmodo has an option to create a class group.
Once you create a class group, you can add students, you can post images, links, etc., just like a Facebook group.

As I mentioned in the other post, before doing any recon I first sign up and see what features the website has to offer.

The first thing I did was create a class group. Then I started to post stuff in the class, like images, etc.

There was also an option to share a link through the post. So I shared a link in the group.

When I looked at the source code, just to check how the application was handling my input, I saw the following.

<a href=”>google</a>

I was like, well, now let me put on my hacker hat and put an XSS payload in the href,
i.e. javascript:confirm(1)

To my surprise, it didn’t pop any error saying it’s an invalid URL. So the final URL looked like below.

<a href="javascript:confirm(1)">random_stuff</a>

I shared the post in the group. Obviously I was 100000% sure it’s gonna work. XSS!!!!!! But still, as always, my heart was pounding until it actually showed a POP UP.

I clicked on the link shared annnnnnnd.

aaaaaannnnd Boooooooooooooooom!

I quickly made the POC and sent it to Edmodo, and after two days I got this mail! <3 <3

This was the story about my XSS on Edmodo. As always, I will be back with more. Stay tuned!!
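
The check that was missing in this story, as an added example (not part of the original post and not Edmodo's code): parse the shared link and allow only http/https before it is written into an href. The function names and sample inputs below are hypothetical and constructed for illustration.

```javascript
// Added example: scheme allowlist for user-submitted links.
// All names here are hypothetical; this is not Edmodo's code.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Returns a normalized absolute URL if the link may go into href, otherwise null.
function safeLinkHref(input) {
  if (typeof input !== "string") return null;
  let url;
  try {
    // The WHATWG URL parser normalizes the scheme (case, surrounding whitespace)
    // the way browsers do, so the check runs on what the browser will act on.
    url = new URL(input);
  } catch {
    return null; // relative or malformed input is rejected
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null;
  return url.href;
}

// Renders the shared link; a rejected URL is shown as plain text, never as an anchor.
function renderLink(input, label) {
  const href = safeLinkHref(input);
  const text = escapeHtml(label);
  if (href === null) return `<span>${text}</span>`;
  return `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${text}</a>`;
}

// Constructed sample inputs: a normal link, the value from the post, a case variant.
const samples = [
  ["https://www.google.com", "google"],
  ["javascript:confirm(1)", "random_stuff"],
  [" JavaScript:confirm(1)", "random_stuff"],
];
for (const [link, label] of samples) {
  console.log(JSON.stringify(link), "->", renderLink(link, label));
}
```
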

You can always support me through Paypal!
