Ahmad Halabi

Published On: 11 Apr 2020

Reflected XSS in Microsoft Social Forums

XSS
Microsoft | Web
---
LOW VALID
Description

Reflected XSS due to missing server-side validation of the `Name` input.

Impact

A malicious user is able to execute JavaScript code on the target website.




Reproduction Steps

Step 1

Navigate to https://social.microsoft.com/Forums/en-US/home and click on Ask a question.

Step 2

In the Display Name input, type any valid name, tick the agreement to the legal terms, click Continue and intercept the request.

Step 3

Modify the `displayName` parameter in Burp and replace the name value with an XSS payload.

Step 4

Forward the request, and the payload is executed.
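The report does not include the forum's server-side code. The following Python is an added example, not Microsoft's code, that models the defect described above (the `displayName` value reflected verbatim into the response) next to the fix a defender would apply: validate the name on the server and HTML-encode it when it is written into the page. The handler and template shape, the function names and the allow-list pattern are assumptions; the untrusted input is the canonical constructed XSS test string, not the reporter's payload.

```python
import html
import re

# Constructed untrusted input standing in for a tampered displayName parameter
# (canonical test string, not the payload from the report).
UNTRUSTED_NAME = '<script>alert("xss")</script>'

# Hypothetical server-side allow-list for a display name: word characters
# (letters in any script, digits, underscore), space, period, apostrophe and
# hyphen, 1 to 64 characters. Tighten or loosen to the product's real rules.
DISPLAY_NAME_RE = re.compile(r"^[\w .'\-]{1,64}$")


def render_vulnerable(display_name: str) -> str:
    """Models the reported defect: the parameter is reflected into the HTML
    body without encoding, so markup in the name becomes markup in the page."""
    return f"<p>Welcome, {display_name}!</p>"


def render_hardened(display_name: str) -> str:
    """Encodes the value for the HTML body context before reflecting it.
    html.escape converts < > & and, with quote=True, " and ' to entities."""
    return f"<p>Welcome, {html.escape(display_name, quote=True)}!</p>"


def validate_display_name(display_name: str) -> bool:
    """Server-side input validation: accept only names matching the allow-list.
    This is defence in depth; output encoding is still required because a
    valid-looking name may be reflected into other contexts later."""
    return DISPLAY_NAME_RE.fullmatch(display_name) is not None


def handle_continue(display_name: str) -> tuple[int, str]:
    """Models the Continue request handler after the fix: reject names that
    fail validation with HTTP 400, otherwise render with output encoding."""
    if not validate_display_name(display_name):
        return 400, "<p>Invalid display name.</p>"
    return 200, render_hardened(display_name)


def reflects_verbatim(rendered: str, untrusted: str) -> bool:
    """Simple check usable in a regression test: does the raw untrusted string
    appear unchanged in the response body?"""
    return untrusted in rendered


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(UNTRUSTED_NAME))
    print("hardened:  ", render_hardened(UNTRUSTED_NAME))
    print("handler:   ", handle_continue(UNTRUSTED_NAME))
    print("handler:   ", handle_continue("Ahmad Halabi"))
```

The two render functions differ only in the call to `html.escape`, which is the whole fix for this reflection point; the allow-list in `validate_display_name` additionally rejects the tampered value at the server even if the client-side form accepted it, which is the missing server-side validation the report names. A regression test for the fix is the `reflects_verbatim` check run against a body that contains markup characters.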


Timeline

- Ahmad, 07 Mar 2020: Initial Report
- Microsoft, 10 Mar 2020: Needs More Info
- Ahmad, 11 Mar 2020: Sent More Info
- Microsoft, 11 Apr 2020: Triaged and Sent it to the appropriate team
- Microsoft, 11 Apr 2020: Approved to disclose
