Coming straight to the point: Edmodo has an option to create a class group.
Once you create a class group, you can add students and post images, links, etc., just like in a Facebook group.
As I mentioned in my previous post, before doing any recon I first sign up and look at all the features the website has to offer.
The first thing I did was to create a class group. Then I started posting stuff in the class, like images, etc.
There was also an option to share a link through a post. So, I shared a link,
https://www.google.com, in the group.
When I looked at the source code, just to check how the application was handling my input, I saw the following.
I was like, well, now let me put on my hacker hat and put an XSS payload in the href.
To my surprise, it didn't throw any error saying it was an invalid URL. So, the final URL looked like the one below.
I shared the post in the group. Obviously I was 100000% sure it was gonna work. XSS!!!!!! But still, as always, my heart was pounding until it actually showed a POP UP.
I clicked on the link I had shared annnnnnnd...
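The root cause here is a link-sharing feature that placed a user-supplied URL into an `href` without checking its scheme. The following is an added example of the server-side check a defender would want, not Edmodo's code: it normalizes the submitted link the way a browser would (stripping ASCII whitespace and control characters before reading the scheme), allows only `http`/`https` with a real host, and attribute-escapes the result when rendering the anchor. Function and variable names are my own.

```python
import html
from typing import Optional
from urllib.parse import urlsplit

# Only these schemes are acceptable for a link a user posts to a group.
ALLOWED_SCHEMES = {"http", "https"}


def normalize_link(raw: str) -> Optional[str]:
    """Return a safe absolute http(s) URL, or None if the input must be rejected.

    Browsers drop ASCII whitespace and control characters from a URL before
    resolving its scheme, so the same is done here first; otherwise a scheme
    split across a tab or newline would slip past a naive prefix check.
    """
    cleaned = "".join(ch for ch in raw if ord(ch) > 0x20 and ch != "\x7f")
    if not cleaned:
        return None
    parts = urlsplit(cleaned)
    if parts.scheme == "":
        # "example.com/page" has no scheme; pin it to https instead of letting
        # the browser guess. One level of recursion at most, since the scheme
        # is now fixed.
        return normalize_link("https://" + cleaned)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return None
    if not parts.netloc or parts.hostname is None:
        # "https:" or "https://:123" has no usable host.
        return None
    return cleaned


def render_shared_link(raw: str) -> str:
    """Build the anchor for the post; the validated URL is attribute-escaped
    so a quote inside it cannot break out of the href attribute."""
    url = normalize_link(raw)
    if url is None:
        return "<span>[link removed: invalid URL]</span>"
    safe = html.escape(url, quote=True)
    return f'<a href="{safe}" rel="noopener noreferrer">{safe}</a>'


if __name__ == "__main__":
    # Constructed sample inputs: the benign link from the post and a few
    # malformed ones a validator must refuse.
    for sample in ("https://www.google.com", "example.com/page",
                   "javascript:void(0)", " JaVa\tScRiPt:void(0)", "https:"):
        print(repr(sample), "->", render_shared_link(sample))
```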
I quickly made the POC and sent it to Edmodo, and after two days I got this mail. <3 <3
This was the story of my XSS on Edmodo. As always, I will be back with more. Stay tuned!!
You can always support me through Paypal!