I am Adesh Nandkishor Kolte an Independent Security Resercher From India
and also working with SecureLayer7 as a Security Consultant
Talking about Microsoft bug bounty first point they only accept submission which is high impact. Big `NO` to low hanging fruits and big `NO` if you can not exploit the bug. I was testing one of Microsoft domain — Service Trust Portal (STP).
During the testing, I came across below feature in their portal where you can add Portal users and Portal admin. The Add User feature caught my attention, generally speaking while checking out the application I always try to correlate application work flow with respect to different attack vector which I can execute , so that time straight away I though about CSRF.
GET /onboarding/AddUserRole/1110?role=User HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0
Accept-Encoding: gzip, deflate, br
From above HTTP Request we conclude that there is no CSRF token present.
This way by using this loophole I was able to Add User roles on behalf of admin user.
<input type=”hidden” name=”role” value=”User” />
<input type=”submit” value=”Submit request” />
So I was able to add any user in their Cloud Service Trust Portal by using CSRF Attack.
They listed me in their Hall Of Fame and Rewarded me with the bounty.
Aug 14, 2017 : Reported to Microsoft Security Response Center.
Aug 20, 2017 : Received initial reply from Microsoft Team. Report Triaged
Aug 25, 2017 : Microsoft Security Team successfully reproduced the bug.
Sep 16, 2017 : Microsoft Security Team Fixed the reported bug.
Oct 01, 2017 : Bounty Awarded of $500 by Microsoft