{"id":50,"date":"2021-04-25T00:46:00","date_gmt":"2021-04-24T17:46:00","guid":{"rendered":"https:\/\/n45ht.or.id\/blog\/?p=50"},"modified":"2024-12-14T12:15:55","modified_gmt":"2024-12-14T05:15:55","slug":"reflected-xss-on-microsoft","status":"publish","type":"post","link":"https:\/\/n45ht.or.id\/blog\/reflected-xss-on-microsoft\/","title":{"rendered":"Reflected XSS on Microsoft"},"content":{"rendered":"\n

During my recent bug bounty hunting, I started by gathering information on the Microsoft domain using a simple Google Dork query to locate potentially vulnerable pages. The search query I used was:<\/p>\n\n\n\n

site:*.*.microsoft.com ext:php<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
This helped me identify pages on Microsoft’s domain that had the .php<\/code> extension. After reviewing the results, I came across a specific URL that seemed interesting:<\/p>\n\n\n\n
URL:<\/p>\n\n\n\n
https:\/\/msftguestus.partners.extranet.microsoft.com\/guest\/msft_a_guest_register.php?_browser=1<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
At this point, I decided to dig deeper into the parameters on the page. To accomplish this, I used a tool called Arjun<\/strong>. Arjun is an effective tool for discovering hidden parameters in web applications, and it helped me identify all the parameters that were being passed in the URL.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Once I had the parameters, I tested each one by injecting various XSS payloads<\/strong> to check for any Cross-Site Scripting (XSS) vulnerabilities. I started with a simple but effective payload:<\/p>\n\n\n\n
<\/circle><\/circle><\/circle><\/g><\/svg><\/span><\/path><\/path><\/svg><\/span>
"><\/span><<\/span>svg\/onload=alert(1)<\/span>><\/span><\/span><\/code><\/pre><\/div>\n\n\n\n
This payload triggers an alert box when the page is loaded, and after testing it on one of the parameters, the XSS vulnerability successfully triggered, confirming the presence of an XSS flaw.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
This vulnerability could potentially allow attackers to execute malicious scripts in the context of another user\u2019s session, which could lead to a variety of security risks such as session hijacking or information theft. I\u2019ve reported this issue responsibly, and I hope it gets patched soon.<\/p>\n\n\n\n
#HappyHacking<\/p>\n","protected":false},"excerpt":{"rendered":"
During my recent bug bounty hunting, I started by gathering information on the Microsoft domain using a simple Google Dork query to locate potentially vulnerable pages. The search query I used was: This helped me identify pages on Microsoft’s domain that had the .php extension. After reviewing the results, I came across a specific URL […]<\/p>\n","protected":false},"author":3,"featured_media":51,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[23,9,8],"class_list":["post-50","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-research","tag-bug-bounty","tag-cross-site-scripting","tag-xss"],"_links":{"self":[{"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/posts\/50","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/comments?post=50"}],"version-history":[{"count":3,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/posts\/50\/revisions"}],"predecessor-version":[{"id":111,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/posts\/50\/revisions\/111"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/media\/51"}],"wp:attachment":[{"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/media?parent=50"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/categories?post=50"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/tags?post=50"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}