Discovering Critical Security Vulnerabilities: My Journey into Microsoft’s Power Apps Portal

xss0r
3 min readJun 14, 2024

--

I found myself exploring the Microsoft Power Apps portal, specifically targeting the subdomain: https://powerusers.microsoft.com. Driven by curiosity and a passion for cybersecurity, I embarked on a journey that would soon reveal significant security vulnerabilities.

The Exploration

Navigating to the Power Users Forum

I began my adventure by navigating to the Power Users forum. Here’s a detailed account of my discovery process:

  1. Login:

2. Accessing the File Upload Section:

3. Uploading the Payload:

I prepared a file with the following payload in its name:

“><img src=x onerror=prompt(document.domain);>.pdf

  • Uploaded the file…

The Discovery

Stored XSS and HTML Injection

Upon uploading the file, I discovered that the file upload functionality was vulnerable to stored Cross-Site Scripting (XSS) and HTML Injection.

Vulnerability Details:

# Stored XSS:

  • Location: File upload field on powerusers.microsoft.com.
  • Description: This vulnerability allows an attacker to execute arbitrary JavaScript code via the file upload functionality. When a user uploads a file whose file name includes XSS payload code, the script is executed when the file content is read by the page.
  • Impact: This vulnerability can be exploited to perform actions on behalf of users, steal session tokens, or redirect users to malicious websites and social engineering attacks.

# HTML Injection:

  • Location: Same as above.
  • Description: This vulnerability allows an attacker to inject arbitrary HTML code into the page via the file content. This HTML is rendered when the file is viewed, allowing for modification of the page content.
  • Impact: This could be used to alter the appearance of the website, phish for user credentials, or insert malicious content.

Potential Exploitation Scenarios

  1. Session Hijacking: Attackers could exploit the vulnerabilities to steal users’ session cookies, gaining unauthorized access to their accounts.
  2. Phishing Attacks: Malicious actors could replace legitimate content with phishing pages, tricking users into divulging sensitive information or downloading malicious files.
  3. Content Manipulation: Attackers could modify entire web pages to distribute malware or propagate their malicious agenda, posing significant risks to user trust and security.

Impact:

  • Stored XSS
  • HTML Injection
  • Phishing Pages
  • Downloading Malicious Files
  • Stealing Cookies

Note: All file extensions are vulnerable, not just .pdf.

By addressing these issues promptly, Microsoft can enhance the security of its applications, protect its users, and maintain trust in its brand. For further clarity, I have attached images and videos illustrating the exploitation of these vulnerabilities. If you have any questions or require additional information, feel free to contact me on my Linkedin profile:

https://www.linkedin.com/in/ibrahim-husi%C4%87-101430102/

Proof of Concept:

#xss0r #ibrahimXSS #@ibrahimxss0r #ibrahimxss0r #xsstool

--

--

xss0r

Deploying an alert box in a web app is like having a tiny pop-up comedian shout 'Surprise!' whenever you least expect it! https://ibrahimxss.store/