Chaining Stored XSS


So this is the poc of a stored cross site scripting vulnerability i have found on edmodo. I had to do a bit of context breaking but it was easy 🙂

Domain :

Endpoint :

Payload : “><img src=x onerror=prompt(1)>

screen shot 1

Got Reflection.

screen shot 2

After some minutes i got a mail that i have receive a notification on my dashboard. When i checked the dashboard notification panel i found something like this.

screen shot 3

But their was no reflection. After a bit of struggle i came up with a payload.

Payload : </noscript>;;></x><y/></z><img/src=` onerror=prompt“>

Got Reflection 🙂

screen shot 4

Hope you like it,

Follow me on twitter @spidersec

Related posts

Leave a Comment

19 + seventeen =