$6000 with Microsoft Hall of Fame | Microsoft Firewall Bypass | CRLF to XSS | Microsoft Bug Bounty
Microsoft Firewall Bypass
Hello Hackers, Hope you are doing great. I am Neh Patel also known as THECYBERNEH, I am a Security Researcher from India. Today I am going to share the experience of getting my first 4-digit bounty from our favorite “#Microsoft” and the dream of every bug hunter “#Microsoft Hall of Fame” for P2 vulnerability [ Severity: Important ]
Bug:- CRLF to XSS and further exploitation ( You know what to do with it )
Let’s start the journey
So I was trying for the last 2 or 3 weeks on Microsoft for valid bugs but only got some P4 and P5.
My main methodology is to manually check all subdomains, so I tested all the subdomains and mostly all the functionalities on each subdomain.
After testing 50 to 70 subdomains, I got a kind of different subdomain ( as per my knowledge, this subdomain includes features for premium customers only ).
I thought “let’s focus on this subdomain because it has features that are mostly paid so those are less explored by other security teams”
I mainly checked all features that are not paid ( do not require any premium for the test ) but did not get anything.
After some refreshment, I thought “let’s start with non-functional testing or server-side testing”. I started with the most popular “Host Header Injection” and some other non-functional testing.
After spending some time with the web applications, I was like “Let’s test for the most ignored vulnerability CRLF INJECTION”
What is CRLF?
CRLF refers to the special character elements “CR: Carriage Return” and “LF: Line Feed.” These elements are embedded in HTTP headers to signify an End of Line (EOL) marker.
So whenever the server gets CRLF, it assumes that it is the end of the line which is a feature, not a bug.
What is CRLF Injection ?
CRLF injection occurs when the web server directly renders those special characters without encoding them and passes them to response headers like Location, Set-Cookie, etc.
So basically, when the web application is vulnerable to CRLF injection, we can send those special characters as our payload and the server will parse that as end-of-line,
After that CRLF, if we send any texts, the server will set them as Response headers
set arbitrary headers like we can set a cookie in the victim’s browser, or we can set the “Location:” header to force the victim to redirect to malicious sites and many more.
Back to the story …
So with the intention of CRLF, I fired my first payload as follows
/%0D%0A%20Set-Cookie:whoami=thecybernehso main URL :- https://subDomain.microsoft.com/%0D%0A%20Set-Cookie:whoami=thecyberneh
but I did not get any kind of CRLF injection.
But the response was “400 Bad Request” and the HTML was “HTTP Error 400. The requested URL is invalid.”
Here, I observed something different, mostly when CRLF is not possible or when the server is well protected, the web server should return “404 Not Found” because if the server is well protected and we enter CRLF payload, the server parses that payload as a part of the URL and in that case, the server actually parses “%0D%0A%20Set-Cookie:whoami=thecyberneh” as a path not like payload.
and if there is no path or directory like “%0D%0A%20Set-Cookie:whoami=thecyberneh”, the server should return “404 Not Found” instead of “400 Bad Request”
so I thought that server is not well protected or the firewall is weak.
For confirmation, I tried random URLs like this
https://subDomain.microsoft.com/abcxyzabcxyzand as per the previously expected behavior of the server, the server returned “404 Not Found” with the HTML response “We are sorry, the page you requested cannot be found. The URL may be misspelled or the page you’re looking for is no longer available”
So as per the whole situation
The server was returning “404 Not found” if the path is not there
The Server was returning “400 Bad Request” when I tried with the payload
After this, I was sure that the server is not protected or the firewall is weak. So I have to bypass the firewall or fire the correct payload
I tried with some different payloads like:
%0D%0A%20Set-Cookie:whoami=thecyberneh
%20%0D%0ASet-Cookie:whoami=thecyberneh
%0A%20Set-Cookie:whoami=thecyberneh
%2F%2E%2E%0D%0ASet-Cookie:whoami=thecybernehAfter trying that payload, I was only getting “400 Bad Request” so I thought that I need something different because most firewall blocks normal and basic payloads.
I did little research and got some unique encoding called “GBK encoding”.
Understanding of Encoding and #FirewallBypass
Payload responsible for CRLF injection is :- 嘍嘊so after getting this payload, I crafted a new payload and new URL for CRLF Injection and this time with “Firewall Bypass”
I also used URL encoding to avoid further errors like this
BeforeURL EncodingMain Payload:- 嘍嘊After URL Encoding嘍 :- %E5%98%8D嘊 :- %E5%98%8A
so after URL encoding, I crafted a new payload like this
https://subDomain.microsoft.com/%E5%98%8D%E5%98%8ASet-Cookie:crlfinjection=thecybernehI tried with this URL and Boom!!!
I got a response and the header was: Set-Cookie: crlfinjection=thecyberneh
at that particular time, I was very happy
But I know that I can do many things with this CRLF injection, so I did not report that and tried to chain with some other bugs.
CRLF TO XSS with Firewall Bypass
As you know that there is a blank line at the end of the request and response header like this:- ( line 13 in request and line 20 in response )
So at that time, the server is sending a response like this:- ( by default, as functionality )
Structure of response I got:-
Real Image:-
So now if I want XSS, I have to insert a Javascript payload in the body section of the Response because Javascript can be render in body and for that, I have to force the server to send a response like this
Here,
- #HEADERS means we have to craft the payload which forces the server to send a blank line after our payload ends so that the headers after that payload will parse as garbage or just ignore them
- #PAYLOAD_XSS means our payload for XSS
I was in one of the difficult parts of this because I have to manually force the server to send a malicious response like this,
I inserted a single CRLF payload like “嘍嘊” ( with URL encoding %E5%98%8D%E5%98%8A ), but did not get the single blank line as expected,
So I inserted that payload 2 times and after that, I successfully forced the server to send a single blank line in response.
I immediately crafted a payload ( with firewall bypass ), to get XSS and HTML injection with it.
Structure of response I want:-
Real Image:-
I am sharing that payload with you.
Understanding of new payload with Firewall bypass
I created the following payload to get XSS
Now I encoded the normal payload as follows to bypass the firewall
“<” as 嘼“>” as 嘾
So my payload for CRLF to XSS was:-
Also, I performed URL encoding for avoiding errors and my final payload was:-
#ENCODING“<” --> 嘼 --> %E5%98%BC“>” --> 嘾 --> %E5%98%BEhttps://subDomain.microsoft.com/%E5%98%8D%E5%98%8ASet-Cookie:whoami=thecyberneh%E5%98%8D%E5%98%8A%E5%98%8D%E5%98%8A%E5%98%8D%E5%98%8A%E5%98%BCscript%E5%98%BEalert(1);%E5%98%BC/script%E5%98%BE
After inserting that payload, I got the most beautiful results
I am sharing some beautiful screenshots
I submitted this bug and after that, I create an automation tool with shell script which check CRLF on the list of subdomains,
After running that tool, I got another CRLF in another domain from Microsoft.
Note:- I did not mention further exploitation of CRLF because it is already a long writeup and now it is very easy to chain with some more impactful bug
Impact:-
- Arbitrary Header injection
- Arbitrary Cookie Injection
- Javascript injection ( XSS )
- HTML Injection
- HTTP request splitting
- Bypassing Cookie-Based CSRF Protection
- Application DOS using overly long Cookies
- the attacker can set new headers
I reported both of them and got a response regarding bounty in 3 weeks.
Priority: P2
Severity: Important
And with that, I got a total of $6000 bounty and theMicrosoft Hall of Fame.
A Message for Readers:-
If you like this write-up, you can connect with me on Twitter, Instagram, and Linkedin to get all of my writeups.
Let me know if I missed anything
Let’s Connect…
Twitter :- https://twitter.com/thecyberneh [ thecyberneh ]
Linkedin :- https://www.linkedin.com/in/thecyberneh [ thecyberneh ]
Instagram :- https://www.instagram.com/thecyberneh/ [ thecyberneh ]
Thanks for reading….
