Anatomy of a Reflected XSS: My Discovery on a Microsoft’s Subdomain

A few days ago, while browsing the website visualstudio.microsoft.com[1], I performed some tests on that Microsoft’s subdomain to check for any potential vulnerabilities. After multiple attempts, I was unable to find any security flaws, except for a Self XSS issue on their second search bar on the download page. To explore further, I fetched the website’s archived links using Archivefinder[2], and discovered another search parameter(q). I tested this parameter using different payloads and various encodings, but all the payloads were sanitized. Continuing my investigation, I tested some payloads on the same parameter on one of their regional sites using different encodings, but all attempts failed. Finally, I tried a double URL-encoded payload on that regional website, which successfully executed a Reflected Cross-Site Scripting (RXSS)[3].

Below are some steps which I have tried for finding this vulnerability:

POC Video:

Timeline:

◘ 2nd March 2023 — Report Submitted through MSRC Portal

◘ 2nd March 2023 — MSRC team confirmed and opened a case for this issue

◘ 10th March 2023 — MSRC team changed the status Review / Repro to Develop

◘ 15th March 2023 — MSRC team changed the status Develop to Fix.

References:

1. https://visualstudio.microsoft.com/
2. https://bit.ly/archivefinder
3. https://portswigger.net/web-security/cross-site-scripting/reflected

I always love to find security issues manually because I believe that finding a security bug is like creating a work of art. Scanning for vulnerabilities using publicly available tools is only useful for a limited time period and in specific circumstances on the other hand manual finding helps researchers to increase their knowledge on different areas.

My Social Handles

Twitter: https://twitter.com/sawravchy

LinkedIn: https://www.linkedin.com/in/sawrav-chowdhury