Edmodo’s Logical flaw.

What’s up folks,

A few days back I had been testing a couple of websites that give out swag, and Edmodo was on my target list. I was wondering how to test Edmodo for bugs, since many researchers had already reported the common vulnerabilities such as XSS, SQLi, CSRF and other well-known issues. So I decided to test for logical bugs and for bypassing any protection.

When I start on a target, I always create accounts on the platform first. I created one account to test for CSRF, XSS, SQLi and arbitrary file upload. Unfortunately I found nothing there, so I created another account to test for IDOR.

While creating a new student account I noticed an input field asking for a group code, and I thought, why not try to bypass this group code? I opened Burp Suite, entered an invalid group code such as 123456, and intercepted the request. There was a parameter named "group-code" carrying the invalid value, i.e. "group-code=123456". I removed the whole group-code parameter, forwarded the request, and it worked: the student account was created without a valid group code.
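As an added example that is not part of the original post or of Edmodo's code, the Python sketch below models the server-side pattern that produces this kind of bypass: a signup handler that only validates the group code when the parameter is present, beside a fixed version that treats an absent or blank parameter exactly like an invalid one. The parameter name group-code is taken from the write-up; the valid codes, the usernames and the handler names are constructed for illustration.

```python
from urllib.parse import parse_qs

# Constructed sample data: the group codes that actually exist on the server.
VALID_GROUP_CODES = {"k7h3pq", "m2n9xz"}


class SignupRejected(Exception):
    """Raised when a signup request fails validation."""


def parse_form(body: str) -> dict:
    """Parse an application/x-www-form-urlencoded body into single values.

    keep_blank_values=True keeps 'group-code=' (present but empty) distinct
    from the parameter being dropped entirely; some frameworks silently drop
    blank fields, which turns a blank value into an absent one.
    """
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def signup_vulnerable(form: dict) -> dict:
    """The flawed pattern: the code is checked only if the client sent it."""
    code = form.get("group-code")
    if code is not None and code not in VALID_GROUP_CODES:
        raise SignupRejected("invalid group code")
    # An absent parameter falls through and the account is created without a group.
    return {"username": form["username"], "group": code}


def signup_fixed(form: dict) -> dict:
    """Hardened: absent, blank and unknown codes are all rejected the same way."""
    code = form.get("group-code")
    if not code or code not in VALID_GROUP_CODES:
        raise SignupRejected("group code missing or invalid")
    return {"username": form["username"], "group": code}


def outcome(handler, body: str) -> str:
    """Run one handler over a raw request body: 'created:<group>' or 'rejected'."""
    try:
        account = handler(parse_form(body))
    except SignupRejected:
        return "rejected"
    return f"created:{account['group']}"


# The four request bodies a tester would send from Burp Repeater (constructed):
# a real code, a guessed code, the parameter deleted, and the parameter left blank.
CASES = {
    "valid code": "username=student1&group-code=k7h3pq",
    "wrong code": "username=student1&group-code=123456",
    "parameter removed": "username=student1",
    "parameter blank": "username=student1&group-code=",
}


def run_checks(handler) -> dict:
    """Map each case name to the handler's outcome, for a quick side-by-side."""
    return {name: outcome(handler, body) for name, body in CASES.items()}


if __name__ == "__main__":
    for label, handler in (("vulnerable", signup_vulnerable), ("fixed", signup_fixed)):
        print(label)
        for name, result in run_checks(handler).items():
            print(f"  {name:18} -> {result}")
```

When testing a field like this, send all four variants rather than just a wrong value: a deleted parameter and a blank parameter often take different code paths on the server, and a form parser that drops blank fields quietly converts the second into the first. On the fixing side, the check belongs at the point where the group membership is actually granted, not only in the form validator, so that any other route that creates a student account is covered too.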

I’ll attach the video PoC for better understanding.