Hunting for Web application (zero Day) on Microsoft
Hello All Bluekaizen Members , Today I will tell you my story with Microsoft
1- why I got acknowledged by microsoft ?
2- How did I found the vulnerability and by which tools ?
3- How did I bypass the WAF (Web application Firewall ) on the vulnerable server ?
1 – Why I got acknowledged by Microsoft?
I got acknowledged by Microsoft several times for several vulnerabilities but I will tell you the XSS (Cross Site Scripting) story. So, I got acknowledged for finding and reporting XSS vulnerability in one Microsoft domains.
2- How did I found the vulnerability on Microsoft ?
Well, first of all let me make sure that everyone here knows what the XSS is. If you don’t know what XSS is. please follow below link.
Now we all know what XSS is? Ok good. You will need these tools to start hunting for XSS:
Live http headers (Firefox Plug-in)
TamperData (Firefox Plug-in)
Firebug (Firefox Plug-in)
XSSME (Firefox Plug-in)
Fiddler or Burp-suite
2- What for?
All above tools but “XSSME” will give you the ability to intercept and edit the requests, but every tool has a different benefit so you will have to try them all to find the benefits yourself. So, using those tools you can intercept the requests sent through the browser and you can edit the GET/ POST requests.
Also you will be able to see what’s happening in the background when you visit a web page (Cookies, GET/POST data and loaded files and more). The best way to find a XSS is to search inside page forms, this forms could be search form or login form etc.
While searching in some of Microsoft sub-domains I found a potentially vulnerable search form. After testing the normal XSS payloads such as <script>alert(‘Zigo’)</script> The WAF detected the payload and filtered my exploitation attempt.
3- How did I bypass the WAF on the vulnerable server?
Well, you can’t attack something that you don’t know about!
To know how the WAF’s working and what are the filtered words, you have to test payload words separately. e.g. http:/ /do mai n. m icrosoft. com /folder/search . aspx?q=alert e.g. http: //domain.microsoft.com /folder/search . aspx?q=<> After testing words like: alert prompt. and tags <>, </> etc
I found that the WAF is filtering: alert and all tagsll So I can’t use any payloads with tags!
Ok fine, now we have to move to another payload that doesn’t use tags such as: onmouseover and onclick etc, it’s all about Java-script and how to execute a java-script codes without tags.
# to know which symbol is filtered and what is allowed you can simply run the XSSME plug-in # which will test several symbols like <>, ‘, </> etc and will generate a report to let you know what is filtered and what is allowed. So in my case and after the checks.
I used this payload:
http: / /domain micros oft. com /folder/sea rch . aspx? q =” onmouseover=prompt(13375) bad=” Which mean. when you move with the mouse over the search form it will prompt (13375) Bingo, the vulnerability found and the WAF successfully bypassed.
You can simply report security vulnerabilities to Microsoft using. [email protected],, You have to explain the vulnerability in your email using- the vulnerable domain. the vulnerability link and if GET or POST, the payload you used to exploit the vulnerability and you have to attach a proof of concept for the vulnerability (image for example).
1. Do not ever give up: it took 3 months for me to find the first vulnerability in Microsoft. After that I was able to find the vulnerability within S days max!!
2. Do not share the vulnerability you found to any one before it get patched and you get acknowledged.
3. Don’t depend mainly on automated tools, but depend mainly on manual stuff like plug-ins + your brain. now tell me how will it go if you are trying to scan a site with automated tool but the server is using an IPS that prevent automated tools from scanning the web site? Will you give up then?
4. Use this site to know more details about XSS filtration bypassing techniques: html5sec.org Note: /’ve escaped some technical details in the attic/e. So for any questions, Please contact me: e.hagazygstar-ware.com.
About The Author
EbrahimHegazy, Senior Systems Security Engineer at Energy Sector.