Hi everyone. It’s been a while since my last post, but I’m back. I want to tell you a short story about the Microsoft bug bounty program and why you can always check the basic payloads, because you will be surprised that sometimes they work:
SPOILER ALERT: I highly recommend the Microsoft Bug Bounty Program; in my experience their program is much better compared with other big companies’ programs.
Title: XSS Stored on outlook.com (iOS) via doc file.
Product / URL: outlook.com iOS browser (Google Chrome)
Report sent via email@example.com
Hi Microsoft Security team.
I’ve found a stored XSS in outlook.live.com in iOS browsers via an msoffice (ppt) file.
2.- Log in to outlook.live.com (outlook email), upload the msoffice ppt file and send the file via email.
3.- Log in to outlook.live.com (outlook email) in the Google Chrome iOS browser, open the email with the specially crafted document, click the attachment and then click download. After that the ppt document will render in Google Chrome; then click the hyperlink and see the XSS (it shows the document.cookie).
Something important to highlight: at this point you have a “magic” link that points directly to the specially crafted ppt document.
4.- Open the link directly in the Chrome iOS browser, click the hyperlink and see the XSS (it shows the document.cookie again). If you open the link in any iOS browser like Safari, Firefox, Chrome or Opera, the XSS works; you just need to be logged in to your Outlook account (it only works on iOS).
Stored XSS allows an attacker to embed malicious, arbitrary scripts into a vulnerable page, which are then executed when a victim views the page.
iPhone 6 – iOS v11.2.5.
Safari latest version
Google Chrome latest version
My personal email account; all testing was sending emails to myself.
Microsoft HOF (November 2018):
21 Feb 2018: Sent the report to firstname.lastname@example.org
21 Feb 2018: Got confirmation from the Microsoft team, and the team began the investigation
23 Mar 2018: Microsoft team asked for some details
23 Mar 2018: Sent details to Microsoft team
26 Jul 2018: Update from the team that the investigation was still in progress
07 Nov 2018: Update from the team saying that it appears that the submission qualifies for a bounty
26 Nov 2018: Microsoft Reward paid through their payment system – [Profit]
04 March 2019: Asked for disclosure permission
14 March 2019: Disclosure permission granted by the Microsoft team
Well, that’s it. Share your thoughts: what do you think about how they handled that security issue? If you have any doubt, comment or suggestion, just drop me a line here or on Twitter @omespino. Read you later.