In the name of Allah the beneficent the Merciful.
After my B.tech(final years) exams were done i looked into aka.ms/Bugbounty
and choosed sharepoint as a target to test under online services Bug bounty.
To get started with i created test accounts at login.microsoftonline.com
and portal.office.com
Soon after 30 minutes i manged to get XSS popup .
The vulnerability was triggered in *.sharepoint.com group invitation flow.
This vulnerability was in *.sharepoint.com but fun part is that it was triggered due to user input from portal.office.com and outlook.office.com .
[First name] , [Last name] user input was taken from portal.office.com
and [groupname] was taken from outlook.office.com
Here are the Reproduction Steps :
1) From administrator account portal.office.com i created a new user A
(https://portal.office.com/
and then entered first name , last name as xss payload ("><img src=x
onerror=prompt(1)>" , "><img src=x onerror=prompt(2)>" ) respectively.
2) Then i went to https://outlook.office.com and created a new group and
entered group name as xss payload
("><img src=x onerror=prompt(1)>")
3) Now from attacker(user A here) account i went to the newly created group site
(https://testss87.sharepoint.
and asked to request access to the site.
Once requested an access to the site an email was generated to admin in his outlook.com inbox .
4) Then from admin account (owner of the group) i went to the email and
clicked on accept or decline
(https://testss87.sharepoint.
5) Then XSS popup triggered in *.sharepoint.com because of [firstname],
[lastname] user input from portal.office.com and [groupname] from outlook.office.com .
Soon after 30 minutes i manged to get XSS popup .
The vulnerability was triggered in *.sharepoint.com group invitation flow.
This vulnerability was in *.sharepoint.com but fun part is that it was triggered due to user input from portal.office.com and outlook.office.com .
[First name] , [Last name] user input was taken from portal.office.com
and [groupname] was taken from outlook.office.com
Here are the Reproduction Steps :
1) From administrator account portal.office.com i created a new user A
(https://portal.office.com/
and then entered first name , last name as xss payload ("><img src=x
onerror=prompt(1)>" , "><img src=x onerror=prompt(2)>" ) respectively.
2) Then i went to https://outlook.office.com and created a new group and
entered group name as xss payload
("><img src=x onerror=prompt(1)>")
3) Now from attacker(user A here) account i went to the newly created group site
(https://testss87.sharepoint.
and asked to request access to the site.
Once requested an access to the site an email was generated to admin in his outlook.com inbox .
4) Then from admin account (owner of the group) i went to the email and
clicked on accept or decline
(https://testss87.sharepoint.
5) Then XSS popup triggered in *.sharepoint.com because of [firstname],
[lastname] user input from portal.office.com and [groupname] from outlook.office.com .
There was no user input sanitization/encoding for first name , last
name and group name when the page was rendered in *.sharepoint.com group invitation flow. Everytime user clicks on the link or goes to manage group requests the payload (stored payload) would get triggered.
Here is video POC :
https://www.youtube.com/watch?v=YkCLzLCO6QA
Microsoft MSRC (@msftsecresponse) was very quick in response.
The bug was fixed in 2 days of reporting to them. Now they htmlencode here userinput ( < with < and > with >) .
And they rewarded me $2000 USD for this bug.
I would like to Thanks MSRC for running bug bounty program and Akila for encouraging to submit more bugs in Nullcon 2017 .
Timeline :
May 25 , 2017 : Bug reported.
May 26 , 2017 : MSRC opened case (manager Pamela )
May 29 , 2017 : Verified that vulnerability no longer exists.
June 22, 2017 : Fix validated by Engineering team .
July 8 , 2017 : Bounty awarded ($2000 USD).
https://www.youtube.com/watch?v=YkCLzLCO6QA
Microsoft MSRC (@msftsecresponse) was very quick in response.
The bug was fixed in 2 days of reporting to them. Now they htmlencode here userinput ( < with < and > with >) .
And they rewarded me $2000 USD for this bug.
I would like to Thanks MSRC for running bug bounty program and Akila for encouraging to submit more bugs in Nullcon 2017 .
Timeline :
May 25 , 2017 : Bug reported.
May 26 , 2017 : MSRC opened case (manager Pamela )
May 29 , 2017 : Verified that vulnerability no longer exists.
June 22, 2017 : Fix validated by Engineering team .
July 8 , 2017 : Bounty awarded ($2000 USD).
Thanks for Reading
Jai Hind :)
Contact info :
Twitter : @mohdhaji24
Linkedin : linkedin.com/in/mohd-haji-490960a0
Facebook : facebook.com/haji.mohd871
Linkedin : linkedin.com/in/mohd-haji-490960a0
Facebook : facebook.com/haji.mohd871
ReplyDeleteI was scrolling through a binary option group ,then i saw a post by Harry Brown about Forex and binary trading and how i could earn much more than i can imagine, i got in touch with him and he made every step clear to me and how his strategy would work magic. and it really did!! i got $7080 my first week after i invested just $300 if you are having difficulties in trading, she can also manage your broker account,which you will also have your ACCESS LOGIN so as to enable you to check your trade records and balance DAILY contact MR HARRY BROWN through Email: (loomstocks7@gmail.com)
Hey Guys !
ReplyDeleteUSA Fresh & Verified SSN Leads with DL Number AVAILABLE with 99.9% connectivity
All Leads have genuine & valid information
**HEADERS IN LEADS**
First Name | Last Name | SSN | Dob | DL Number | Address | City | State | Zip | Phone Number | Account Number | Bank Name | Employee Details | IP Address
*Price for SSN lead $2
*You can ask for sample before any deal
*If anyone buy in bulk, we can negotiate
*Sampling is just for serious buyers
==>ACTIVE, FRESH CC & CVV FULLZ AVAILABLE<==
->$5 PER EACH
->Hope for the long term deal
->Interested buyers will be welcome
**Contact 24/7**
Whatsapp > +923172721122
Email > leads.sellers1212@gmail.com
Telegram > @leadsupplier
ICQ > 752822040
Selling USA FRESH SSN Leads/Fullz, along with Driving License/ID Number with good connectivity.
ReplyDelete**PRICE FOR ONE LEAD/FULLZ 2$**
All SSN's are Tested & Verified. Fresh spammed data.
**DETAILS IN LEADS/FULLZ**
->FULL NAME
->SSN
->DATE OF BIRTH
->DRIVING LICENSE NUMBER
->ADDRESS WITH ZIP
->PHONE NUMBER, EMAIL
->EMPLOYEE DETAILS
->Bulk order negotiable
->Minimum buy 25 to 30 leads/fullz
->Hope for the long term business
->You can asked for specific states too
**Contact 24/7**
Whatsapp > +923172721122
Email > leads.sellers1212@gmail.com
Telegram > @leadsupplier
ICQ > 752822040
Hi Guy's
ReplyDeleteFresh & valid spammed USA SSN+Dob Leads with DL available in bulk.
>>1$ each SSN+DOB
>>2$ each with SSN+DOB+DL
>>5$ each for premium (also included relative info)
Prices are negotiable in bulk order
Serious buyer contact me no time wasters please
Bulk order will be preferable
CONTACT
Telegram > @leadsupplier
ICQ > 752822040
Email > leads.sellers1212@gmail.com
OTHER STUFF YOU CAN GET
SSN+DOB Fullz
CC's with CVV's (vbv & non-vbv)
USA Photo ID'S (Front & back)
All type of tutorials available
(Carding, spamming, hacking, scam page, Cash outs, dumps cash outs)
SMTP Linux Root
DUMPS with pins track 1 and 2
Socks, rdp's, vpn's
Server I.P's
HQ Emails with passwords
Looking for long term business
For trust full vendor, feel free to contact
CONTACT
Telegram > @leadsupplier
ICQ > 752822040
Email > leads.sellers1212@gmail.com
LEGIT FULLZ & TOOLS STORE
ReplyDeleteHello to All !
We are offering all types of tools & Fullz on discounted price.
If you are in search of anything regarding fullz, tools, tutorials, Hack Pack, etc
Feel Free to contact
***CONTACT 24/7***
**Telegram > @leadsupplier
**ICQ > 752822040
**Skype > Peeterhacks
**Wicker me > peeterhacks
"SSN LEADS/FULLZ AVAILABLE"
"TOOLS & TUTORIALS AVAILABLE FOR HACKING, SPAMMING,
CARDING, CASHOUT, CLONING, SCRIPTING ETC"
**************************************
"Fresh Spammed SSN Fullz info included"
>>SSN FULLZ with complete info
>>CC With CVV (vbv & non vbv) Fullz USA
>>FULLZ FOR SBA, PUA & TAX RETURN FILLING
>>USA I.D Photos Front & Back
>>High Credit Score fullz (700+ Scores)
>>DL number, Employee Details, Bank Details Included
>>Complete Premium Info with Relative Info
***************************************
COMPLETE GUIDE FOR TUTORIALS & TOOLS
"SPAMMING" "HACKING" "CARDING" "CASH OUT"
"KALI LINUX" "BLOCKCHAIN BLUE PRINTS" "SCRIPTING"
"FRAUD BIBLE"
"TOOLS & TUTORIALS LIST"
=>Ethical Hacking Ebooks, Tools & Tutorials
=>Bitcoin Hacking
=>Kali Linux
=>Fraud Bible
=>RAT
=>Keylogger & Keystroke Logger
=>WhatsApp Hacking & Hacked Version of WhatsApp
=>Facebook & Google Hacking
=>Bitcoin Flasher
=>SQL Injector
=>Premium Logs (PayPal/Amazon/Coinbase/Netflix/FedEx/Banks)
=>Bitcoin Cracker
=>SMTP Linux Root
=>Shell Scripting
=>DUMPS with pins track 1 and 2 with & without pin
=>SMTP's, Safe Socks, Rdp's brute
=>PHP mailer
=>SMS Sender & Email Blaster
=>Cpanel
=>Server I.P's & Proxies
=>Viruses & VPN's
=>HQ Email Combo (Gmail, Yahoo, Hotmail, MSN, AOL, etc.)
*Serious buyers will always welcome
*Price will be reduce in bulk order
*Discount offers will give to serious buyers
*Hope we do a great business together
===>Contact 24/7<===
==>Telegram > @leadsupplier
==>ICQ > 752822040
==>Skype > Peeterhacks
==>Wicker me > peeterhacks
What's Up Everyone
ReplyDeleteFresh Databases available
CC's CVV's SSN
Pros High Credit Scores 700+
Fullz/Leads with SSN+DOB+DL
Dumps
EIN Leads
Bulk HQ Emails
Office365 Emails & Logs
>>>WA/Telegram +92 317 272 1122
>>>ICQ 752822040
>>>Skype/Wickr @peeterhacks
>>>Email exploit dot tools4u at gmail dot com
Quality Tools & Tutorials available for
HACKING|SPAMMING|CARDING|SPYING|CLONING|CASH-OUTS|TRANSFERS
Legit Fullz/Pros/Leads will be provided
Bulk quantity also
Invalid stuff will be replaced/No refund
BTC & USDT payments mode
Available 24/7
Feel Free to contact Guy's