Stored XSS on Techprofile Microsoft

Mohammad Ali Syarief
May 9, 2019

Details to Reproduce

Stored XSS occurs when a web application gathers input from a user which might be malicious, and then stores that input in a data store for later use. The input that is stored is not correctly filtered.

** Introduction

Profile on Microsoft Learn: Introducing a new approach to learning. The skills required to advance your career and earn your spot at the top do not come easily. Now there’s a more rewarding approach to hands-on learning that helps you achieve your goals faster. Earn points, levels, and achieve more!

** The bug

Vulnerability: Stored XSS (stored cross-site scripting)
Severity: High
OWASP Testing Guide reference: OTG-INPVAL-002

Vulnerable link (profile page): https://techprofile.microsoft.com/en-us/[profile]

** Scenario POC

1. The attacker edits their profile at https://techprofile.microsoft.com/en-us/edit
2. The attacker sets an XSS payload in the profile
3. The victim views the attacker's profile
4. The victim's cookie is sent to the attacker's server

** Impact

Users can execute arbitrary JavaScript code in the context of other users. This is critical when targeted users have high privileges. Attackers are then able to grant themselves administrator privileges and even take over ownership of the New Relic account.

The hacker selected the Cross-site Scripting (XSS) — Stored weakness. This vulnerability type requires contextual information from the hacker.

** Remediation

To protect against stored XSS attacks, make sure any dynamic content coming from the data store cannot be used to inject JavaScript on a page.
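One way to apply this remediation, shown as an added example that is not part of the original report or Microsoft's fix: encode stored profile values at output time for the context they land in, allow only http(s) links, and mark the session cookie HttpOnly so script cannot read it. The field names (displayName, bio, website) and the sample record are assumptions constructed for illustration.

```javascript
// Added example; field names (displayName, bio, website) are assumptions,
// not the real Techprofile schema.

// HTML-encode the five characters that can break out of text or a quoted attribute.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Allow only http(s) links; anything else (javascript:, data:, malformed) is dropped.
function safeHref(value) {
  try {
    const url = new URL(String(value));
    return url.protocol === 'http:' || url.protocol === 'https:' ? url.href : null;
  } catch {
    return null;
  }
}

// "Before": stored values concatenated straight into markup.
function renderProfileUnsafe(p) {
  return `<h1>${p.displayName}</h1><p>${p.bio}</p><a href="${p.website}">site</a>`;
}

// "After": encode at output time for the context each value lands in.
function renderProfileSafe(p) {
  const href = safeHref(p.website);
  const link = href ? `<a href="${escapeHtml(href)}" rel="noopener noreferrer">site</a>` : '';
  return `<h1>${escapeHtml(p.displayName)}</h1><p>${escapeHtml(p.bio)}</p>${link}`;
}

// Defense in depth for step 4 of the scenario: script cannot read an HttpOnly cookie.
function sessionCookieHeader(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Constructed stored record with markup in every field.
const storedProfile = {
  displayName: '<script>alert(1)</script>',
  bio: 'hi" onmouseover="alert(1)',
  website: 'javascript:alert(1)',
};
```

Encoding belongs at render time, because the same stored value may later be written into a different context (HTML text, attribute, URL) that needs different handling.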

Reference:

https://www.owasp.org/index.php/Testing_for_Stored_Cross_site_scripting_(OTG-INPVAL-002)

28/04/2019 ~ Vulnerability reported
30/04/2019 ~ Case opened
08/05/2019 ~ Patched / Fixed
