Comment by thecatapps

13 hours ago

I remember when I was in high school (2016? 2017?), I found a super simple XSS in the assignment submission form and told the programming teacher. Canvas then proceeded to lock my account and got me my first (only?) detention. Good times.

2 comments

thecatapps

somebudyelse 10 hours ago

Somewhat similar vein, the school's blocking software would block YouTube and embeds unless they came from Canvas. They were smart enough to disable the HTML editor for posting discussion comments, but forgot that since it was a rich text editor, you could just copy-paste in an embed by putting the code in data:text/html, then copying the element as formatted html.

I also ran the entire DOMPurify sample XSS and managed to find one way to download custom content onto someone's computer.

frollogaston 12 hours ago

Uh, did you tell the teacher by exploiting the vuln?