Wednesday, 12 July 2017

Stored XSS in Microsoft Sharepoint (*.sharepoint.com)

In the name of Allah the beneficent the Merciful.

After my B.Tech (final year) exams were done, I looked into aka.ms/Bugbounty
and chose SharePoint as a target to test under the Online Services Bug Bounty.

To get started, I created test accounts at login.microsoftonline.com
and portal.office.com.

Within about 30 minutes I managed to get an XSS popup.
The vulnerability was triggered in the *.sharepoint.com group invitation flow.
The vulnerable page lived on *.sharepoint.com, but the fun part is that it was triggered by user input entered on portal.office.com and outlook.office.com:
the [First name] and [Last name] values were taken from portal.office.com,
and the [groupname] value was taken from outlook.office.com.

Here are the reproduction steps:

1) From the administrator account on portal.office.com
(https://portal.office.com/adminportal/home#/homepage) I created a new user A
and entered the first name and last name as XSS payloads ("><img src=x
onerror=prompt(1)> and "><img src=x onerror=prompt(2)> respectively).
2) Then I went to https://outlook.office.com, created a new group and
entered the group name as an XSS payload
("><img src=x onerror=prompt(1)>).
3) From the attacker account (user A here) I went to the newly created group site
(https://testss87.sharepoint.com/sites/imgsrc=xonerror=prompt1259)
and requested access to the site.
Once access was requested, an email was generated to the admin in his outlook.com inbox.

4) Then from the admin account (owner of the group) I opened the email and
clicked on accept or decline
(https://testss87.sharepoint.com/sites/imgsrc=xonerror=prompt1259/Access%20Requests/pendingreq.aspx?ApproveAccessRequest=true&AccessRequestID=%7BFA7F9EsadfsdsC0%2D4sdD%2D9D2E%2sdafdsasd%7D)

5) The XSS popup then triggered on *.sharepoint.com because of the [firstname] and
[lastname] input from portal.office.com and the [groupname] input from outlook.office.com.

There was no sanitization or encoding of the first name, last name and group name
when the page was rendered in the *.sharepoint.com group invitation flow. Every time a user clicked on the link or went to manage group requests, the stored payload would fire.
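To make the root cause and the fix concrete, here is an added example (not code from the writeup or from SharePoint) contrasting a rendering routine that concatenates the stored first name, last name and group name straight into HTML with one that HTML-encodes each field, as the fix described later on the page does. The rendering function names, the table-row template and the sample values are constructed for illustration.

```python
import html

# Constructed sample values modelled on the payloads used in the writeup.
FIRST_NAME = '"><img src=x onerror=prompt(1)>'
LAST_NAME = '"><img src=x onerror=prompt(2)>'
GROUP_NAME = '"><img src=x onerror=prompt(1)>'


def render_request_row_vulnerable(first, last, group):
    """Hypothetical pending-access-request row: stored profile fields are
    concatenated into the markup untouched, so a name containing '"><img ...>'
    closes the title attribute and injects a live element."""
    return (
        f'<tr><td title="{first} {last}">{first} {last}</td>'
        f'<td>{group}</td></tr>'
    )


def render_request_row(first, last, group):
    """Hardened form: every untrusted field is HTML-encoded before it is placed
    in the template. html.escape(quote=True) encodes & < > " and ', which
    covers both the text node and the double-quoted attribute position."""
    def enc(value):
        return html.escape(value, quote=True)

    return (
        f'<tr><td title="{enc(first)} {enc(last)}">{enc(first)} {enc(last)}</td>'
        f'<td>{enc(group)}</td></tr>'
    )


def leaks_markup(render, first, last, group):
    """Regression check: with user data filled in, the rendered row must not
    contain more '<' characters than the template produces with empty fields.
    Any extra one means user input opened a tag of its own."""
    baseline = render("", "", "").count("<")
    return render(first, last, group).count("<") > baseline
```

`leaks_markup` is a cheap check to add to a template's unit tests; it catches tag injection regardless of which payload a tester happens to try.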

Here is the video POC:

https://www.youtube.com/watch?v=YkCLzLCO6QA

Microsoft MSRC (@msftsecresponse) was very quick to respond.
The bug was fixed within 2 days of reporting it to them. They now HTML-encode the user input here (< as &lt; and > as &gt;).
They rewarded me $2000 USD for this bug.
I would like to thank MSRC for running the bug bounty program, and Akila for encouraging me at Nullcon 2017 to submit more bugs.


Timeline:
May 25, 2017: Bug reported.
May 26, 2017: MSRC opened case (manager Pamela).
May 29, 2017: Verified that the vulnerability no longer exists.
June 22, 2017: Fix validated by the engineering team.
July 8, 2017: Bounty awarded ($2000 USD).



Thanks for reading.
Jai Hind :)
Contact info:
Twitter: @mohdhaji24
LinkedIn: linkedin.com/in/mohd-haji-490960a0
Facebook: facebook.com/haji.mohd871
