- What is my methodology?
- How I got the bug?
- How I got the payload?
- Twitter Status
- Experience with Edmodo
- Timeline
There are many people sharing images of Edmodo swag. It looks cool, and everyone says it is for a cross-site scripting bug. So, I assumed there are lots of XSS bugs. Edmodo is a very secure platform and Edmodo is very serious about security, so I decided to hunt. Even leet hunter Prial Islam Khan shared an image of his Edmodo swag, which inspired me a lot.
So, I decided to test Edmodo. But, I am a newbie. How can I find the bug? Yeah, I can. If I can, that means anyone can.
Are there simple steps or some l33t automation tool? Nope, it's just manual.. too manual. As I said, I am a newbie, so I tried a very noob way to hunt. I filled all fields with XSS payloads in the hope of getting an XSS and cool swag ❤. As I said, all fields were filled with XSS. I was hoping for the pop-up and got nothing. But hope (belief) is always there with me. I read Arbaz Hussain's (kiraak-boy) post, where he advised giving time to every program before losing hope. Link to the post: https://medium.com/@arbazhussain/10-rules-of-bug-bounty-65082473ab8c
So, I decided to start finding bugs on Edmodo subdomains. I used a tool named Sublist3r (coded by Ahmed Aboul-ela) to find subdomains.
Link to the tool: https://github.com/aboul3la/Sublist3r
Then? Then I just opened beta.edmodo.com and boom, an XSS popped. I started looking for the injection point, and it's in the status post.
Maybe people are wondering, and some people have already asked me, about the payload I used. It's not mine. I used an XSS polyglot crafted by XSS King Ashar Javed. Here is the payload:

```
">><marquee><img src=x onerror=confirm(1)></marquee>" ></plaintext\></|\><plaintext/onmouseover=prompt(1) ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->" ></script><script>alert(1)</script>"><img/id="confirm( 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http: //i.imgur.com/P8mL8.jpg">
```

I used this payload initially, then removed the unnecessary parts while making the PoC video.
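As an added example (not code from the write-up or from Edmodo), here is the check a defender would run on a status-post renderer: the polyglot quoted above is interpolated into a status template once raw and once HTML-escaped, and an HTML parser lists which elements each rendering actually creates. The template and function names are assumptions made for this illustration.

```python
"""Raw interpolation versus HTML-escaping of an untrusted status post."""
import html
from html.parser import HTMLParser

# The XSS polyglot quoted in the write-up, used here as the untrusted input.
POLYGLOT = r'''">><marquee><img src=x onerror=confirm(1)></marquee>" ></plaintext\></|\><plaintext/onmouseover=prompt(1) ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->" ></script><script>alert(1)</script>"><img/id="confirm( 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http: //i.imgur.com/P8mL8.jpg">'''

# Hypothetical status template: the post lands in an attribute and in the element body.
TEMPLATE = '<div class="status" title="{attr}">{body}</div>'


def render_vulnerable(status: str) -> str:
    """Interpolates the status text as-is; the polyglot breaks out of both contexts."""
    return TEMPLATE.format(attr=status, body=status)


def render_escaped(status: str) -> str:
    """Escapes & < > " ' so the text stays text in both the attribute and the body."""
    safe = html.escape(status, quote=True)
    return TEMPLATE.format(attr=safe, body=safe)


class TagCollector(HTMLParser):
    """Records every element start tag the browser-like parser would create."""

    def __init__(self) -> None:
        super().__init__()
        self.seen = []

    def handle_starttag(self, tag, attrs):
        self.seen.append(tag)


def elements_in(markup: str) -> list:
    parser = TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.seen


def is_inert(markup: str) -> bool:
    """True when the only element is the template's own div, i.e. no injected markup."""
    return elements_in(markup) == ["div"]


if __name__ == "__main__":
    print("raw:     ", elements_in(render_vulnerable(POLYGLOT)))
    print("escaped: ", elements_in(render_escaped(POLYGLOT)))
```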
https://twitter.com/ZishanAdThandar/status/1045959846535856128
Note: This is my first Medium post, so feel free to comment with advice about this write-up and correct me (even grammar mistakes). By the way, the bug was found a long time ago, so I described the methodology from memory.
Edmodo is a very secure platform and very serious about security. I have had a great experience with Edmodo. Their response is quick and communication is clear. Thanks Edmodo (especially Chip Benson).
https://www.youtube.com/embed/izeXqGpYEx8
- XSS reported on 16 September, 2018
- Triaged and rewarded on 17 September, 2018
- Swag received on 29 September, 2018
Read my second XSS on Edmodo write-up.
Author: Zishan Ahamed Thandar