
HTML injection to getting support accounts

wiseguy01

Midle Weight
Deposit
$0
Hey guys,

First of all, sorry to Russian-speaking friends for the English, and I promise to describe everything simply and clearly. This happened when I was in 9th grade, just began high school!
So here it goes!

After checking out the teacher and student panel for homework and exams, I saw in the student-to-teacher or student-to-student messaging section that it had the capability to add HTML code, and all default passwords for students were DDMMYYY for date of birth. I logged in on my SEed kids user, sent HTML redirection and some simple JS, as I wasn't good at hacking to bypass browser XSS filters, and boom, it didn't have any input validation! You didn't need to open the message; as soon as you clicked the message button on the menu, it redirected!

I sent a message to the school support team with a similar domain to the SaaS service from the provider, and they fell for the fake session expiration and put in their login, and from 9th grade till my high school diploma I did not study shit! I stole homework and exam answers, only I didn't cheat at my programming class)

I could have maybe done template injection to get RCE, but at that time I didn't even know what the fuck that was!

I don't wanna tell the name of the SaaS provider, as they are still vulnerable)
Red Teamer | Carder | Counterfeiter
 
k0d said:
Congratulations, you're a hacker now!

Been, have, are gonna be)))
Just wanted to tell an experience from my childhood to remember the good old days.
Red Teamer | Carder | Counterfeiter
 