In the name of Allah the beneficent the Merciful.
After my B.Tech (final year) exams were done, I looked into aka.ms/Bugbounty and chose SharePoint as a target to test under the Online Services Bug Bounty.
To get started, I created test accounts at login.microsoftonline.com and portal.office.com.
After about 30 minutes I managed to get an XSS popup.
The vulnerability was triggered in the *.sharepoint.com group invitation flow.
The vulnerability lived in *.sharepoint.com, but the fun part is that it was triggered by user input entered on portal.office.com and outlook.office.com: the [First name] and [Last name] values were taken from portal.office.com, and the [groupname] value was taken from outlook.office.com.
Here are the reproduction steps:
1) From the administrator account on portal.office.com (https://portal.office.com/adminportal/home#/homepage) I created a new user A and entered the first name and last name as XSS payloads ("><img src=x onerror=prompt(1)> and "><img src=x onerror=prompt(2)> respectively).
2) Then I went to https://outlook.office.com, created a new group and entered the group name as an XSS payload ("><img src=x onerror=prompt(1)>).
3) From the attacker account (user A here) I went to the newly created group site (https://testss87.sharepoint.com/sites/imgsrc=xonerror=prompt1259) and requested access to the site.
Once access was requested, an email was generated to the admin in his outlook.com inbox.
4) From the admin account (owner of the group) I opened the email and clicked on accept or decline
(https://testss87.sharepoint.com/sites/imgsrc=xonerror=prompt1259/Access%20Requests/pendingreq.aspx?ApproveAccessRequest=true&AccessRequestID=%7BFA7F9EsadfsdsC0%2D4sdD%2D9D2E%2sdafdsasd%7D)
5) The XSS popup then triggered in *.sharepoint.com because of the [firstname] and [lastname] input from portal.office.com and the [groupname] input from outlook.office.com.
There was no sanitization or encoding of the first name, last name and group name when the page was rendered in the *.sharepoint.com group invitation flow. Because the payload was stored, it fired every time a user clicked the link or went to manage the group's access requests.
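To make the root cause concrete, here is an added example (not code from the original write-up or from SharePoint) that renders a hypothetical "pending access request" row two ways: the pre-fix way, where the stored first name, last name and group name are concatenated into the markup as typed, and the post-fix way, where every untrusted value is HTML-encoded at render time. The field and function names are assumptions; the payloads are the ones quoted above.

```javascript
// Added example, not code from the original write-up or from SharePoint.
// Models the bug described above: profile/group fields stored as typed and
// later concatenated into a *.sharepoint.com page without encoding.

// Constructed sample request, using the payloads quoted in the write-up.
const sampleRequest = {
  firstName: '"><img src=x onerror=prompt(1)>',
  lastName:  '"><img src=x onerror=prompt(2)>',
  groupName: '"><img src=x onerror=prompt(1)>',
};

// Minimal HTML entity encoder, safe for text and quoted-attribute contexts.
function encodeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')   // first, so the entities added below are not double-encoded
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Before the fix: untrusted fields dropped straight into the markup
// (hypothetical rendering of one access-request row).
function renderRequestRowUnsafe(req) {
  return `<tr><td>${req.firstName} ${req.lastName}</td><td>${req.groupName}</td></tr>`;
}

// After the fix: every untrusted value is HTML-encoded when rendered.
function renderRequestRowSafe(req) {
  return `<tr><td>${encodeHtml(req.firstName)} ${encodeHtml(req.lastName)}</td>` +
         `<td>${encodeHtml(req.groupName)}</td></tr>`;
}

// Count opening tags in the output. The template itself contributes exactly
// three (<tr>, <td>, <td>); anything beyond that came from user data.
function countOpeningTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

function demo() {
  const unsafe = renderRequestRowUnsafe(sampleRequest);
  const safe = renderRequestRowSafe(sampleRequest);
  return {
    unsafeTags: countOpeningTags(unsafe),  // 6: three from the template, three injected <img>
    safeTags: countOpeningTags(safe),      // 3: only the template's own tags
    safeHasImg: safe.includes('<img'),     // false: the payload survives only as text
  };
}

console.log(demo());
```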
Here is the video PoC:
https://www.youtube.com/watch?v=YkCLzLCO6QA
Microsoft MSRC (@msftsecresponse) was very quick to respond.
The bug was fixed within 2 days of reporting it to them. They now HTML-encode the user input here (< becomes &lt; and > becomes &gt;).
They rewarded me $2000 USD for this bug.
I would like to thank MSRC for running the bug bounty program and Akila for encouraging me to submit more bugs at Nullcon 2017.
Timeline:
May 25, 2017: Bug reported.
May 26, 2017: MSRC opened case (manager Pamela).
May 29, 2017: Verified that the vulnerability no longer exists.
June 22, 2017: Fix validated by the Engineering team.
July 8, 2017: Bounty awarded ($2000 USD).
Thanks for Reading
Jai Hind :)
Contact info:
Twitter : @mohdhaji24
Linkedin : linkedin.com/in/mohd-haji-490960a0
Facebook : facebook.com/haji.mohd871