Cross Site Scripting - XSS Vulnerability on Microsoft.com

XSS Vulnerability on Microsoft.com

XSS Vulnerability on Microsoft.com

Well, this is my first finding on Microsoft. Actually this is a pretty old vulnerability, I found it in March 2014 but I was very lazy or what I don’t know, in writing the write-up for it. But finally made a mindset to share about it as soon as possible.

Directly coming to the point, it was a Cross Site Scripting vulnerability in one of Microsoft’s sub domain i.e. social.technet.microsoft.com

Well, finding this vulnerability just came in mind while I was searching for a solution on their Forums for ‘Installing Visual Studio’. At last, I didn’t find a solution to my query but even didn’t end up empty handed. In fact, I ended up with this XSS vulnerability.

When I ended searching for solution in the Forums, I thought of getting my hands dirty on Bug Hunting. Below are the following steps I followed -
  1. I opened http://social.technet.microsoft.com/Search/en-US and in the search box, I entered the payload .
  2. Then the resulting URL was http://social.technet.microsoft.com/Search/en-US?query=&ac=4.
  3. Then after crafting it, it was http://social.technet.microsoft.com/Search/en-US?payload"> and opened it.
  4. Once again I came up with a search box, now I entered the payload and pressed Enter.
  5. Now this time I ended with a search result. So thought of trying it some other way. So I clicked on ‘Forums’ tab on the top of the page to start hunting again.
But Boom!! I got a pop-up.

Then after a few days of reporting it, I was just trying to check whether it’s patched or not. I tried the same procedure on my cell phone with ‘Symbian OS’. And it did show me the pop-up.

PoC:
XSS Vulnerability on Microsoft.com
Timeline
*. Found : 11 March 2014 (12:20 am)
*. Reported : 11 March 2014 (2:35 am)
*. Fixed : 19 March 2014

Reward : Hall of Fame
nishant nichani Hall of Fame on Microsoft.com
Thanks for reading
Previous
Next Post »

Subscribe to our mailing list

* indicates required
Select your Interested Topics.