Two vulnerabilities makes an Exploit!! (XSS and CSRF in Bing)
This post will be about my 4th and 5th valid bug reports I submitted to Microsoft. Open the Images in a new tab if you find them difficult to view. I took the screenshots in a 1080p screen.
This time I have found a XSS and CSRF vulnerabilities in
Bing images is testing 3 new features called Stream , Favorites , Trending which are still in beta.
So I was going through this and there is this option where you can search and directly add images to your favourites.
It was cool, So I wanted to take a look at how it is implemented.
When you click on the heart symbol after the image search, the image is added to your favourites.
and the request looks like this
It’s URL-Encoded. Once decoded it looks like this
Interesting there is no CSRF token and there is no
X-Requested-With : XMLHttpRequest header.
Which means it is vulnerable to CSRF attacks. Another interesting thing is the webpage is displaying this data in the Favorites tab.
This link is vulnerable to XSS . It is accepting links
So when I click on it. BAMN
Our favourite popup.
So, by sending the user to a single malicious site it is possible to compromise his account.
If I have stopped after the CSRF I would have not found the XSS. So, by successfully combining 2 vulnerabilities we made an exploit to compromise Bing.
I reported this to Microsoft and now it is fixed.
Since, that feature is still in beta-testing they took more than 5 months to fix that in order to make it more secure.
My name will be in the March 2016 Hall Of Fame.
Thank you for reading.
Feel free to comment and give some suggestions.
Originally published at kmskrishna.wordpress.com on June 10, 2016.