Just 5 minutes to get my 2nd stored XSS on Edmodo.com

1 cool T-shirt + 1 shaker + 10 badges + 3 "I love Edmodo" magnets

How I Got the Bug

My overall experience with Edmodo has been good: quick responses, cool swag, and lots of input fields to test. This time it was not planned. I was testing many programs. Suddenly I opened Edmodo, and this time it redirected to new.edmodo.com. I posted my XSS polyglot (as described in my first write-up) on a school I had created. This time I posted the payloads in a poll. Then I clicked on my dp (display picture) to open my profile, and it redirected me to www.edmodo.com/*. On this domain there was a notification. When I clicked the notification, boom, it was there. The notification is not sanitized. Got another swag.
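The pattern behind this bug is worth seeing in code: a value submitted on one surface (the poll on new.edmodo.com) is stored raw and later rebuilt into markup by a second renderer (the notification feed on www.edmodo.com) that does not escape it. The example below is added here to illustrate that pattern; it is not Edmodo's code and not the author's polyglot. The payload, the poll/notification renderers, and the assumption that the poll page itself escaped output correctly are all constructed for the demonstration.

```javascript
// Added example: a stored value that is inert on one surface but fires on
// another. Names, payload and render functions are constructed for
// illustration; none of this is Edmodo's code or the author's polyglot.

// Constructed test payload (the author's real polyglot is not reproduced).
const PAYLOAD = '"><img src=x onerror=alert(document.domain)>';

// Escape the five characters that matter in HTML text and attribute contexts.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Simulated backend store: text is persisted exactly as submitted. That is
// acceptable only if every renderer that reads it escapes on output.
const store = { polls: [] };
function createPoll(author, question) {
  const poll = { id: store.polls.length + 1, author, question };
  store.polls.push(poll);
  return poll;
}

// Surface A (the poll page): escapes on output, so the payload is inert here.
function renderPollPage(poll) {
  return `<div class="poll"><h2>${escapeHtml(poll.question)}</h2></div>`;
}

// Surface B (the notification feed, served from another host): rebuilds
// markup from the same stored value but never escapes it. This is the
// vulnerable renderer; the payload reaches the browser verbatim.
function renderNotificationUnsafe(poll) {
  return `<li class="notif">${poll.author} created a poll: ${poll.question}</li>`;
}

// Surface B, fixed: same template, every untrusted field escaped.
function renderNotificationSafe(poll) {
  return `<li class="notif">${escapeHtml(poll.author)} created a poll: ` +
         `${escapeHtml(poll.question)}</li>`;
}

// Cheap regression check for any renderer: if the input carries
// HTML-significant characters and still appears verbatim in the output,
// the renderer is reflecting it unescaped.
function reflectsUnescaped(html, input) {
  return /[<>"']/.test(input) && html.includes(input);
}

// Walk the same stored poll through both surfaces so the difference is visible.
function demo() {
  const poll = createPoll('tester', PAYLOAD);
  return {
    pollPageLeaks: reflectsUnescaped(renderPollPage(poll), PAYLOAD),
    notificationUnsafeLeaks: reflectsUnescaped(renderNotificationUnsafe(poll), PAYLOAD),
    notificationSafeLeaks: reflectsUnescaped(renderNotificationSafe(poll), PAYLOAD),
  };
}

console.log(demo());
```

The takeaway for testing: once a payload is stored, follow it to every place it is displayed (feeds, notifications, emails, search results, admin panels), and in particular across hosts that share the same backend data, since each renderer is a separate chance to forget output encoding. The `reflectsUnescaped` check is the kind of assertion a team can attach to each renderer so the second surface does not regress after the first one is fixed.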

PoC Video

https://www.youtube.com/embed/qsRTDMfzD24

Twitter Status

Timeline:

Reported on 31st January, 2019
Rewarded on 4th February, 2019
Swag received on 13th February, 2019

Read my methodology in my first Edmodo write-up

Author: Zishan Ahamed Thandar