Microsoft OAuth interface XSS, affecting user account security-vulnerability warning-the black bar safety net

ID MYHACK58:62201672398
Type myhack58
Reporter 佚名
Modified 2016-03-09T00:00:00


One day, while I was browsing on Twitter information, I found a very interesting article, Wesley Wineberg in the Microsoft OAuth authentication interface found a CSRF vulnerability. This article makes me curious at the same time also provoked I can be in this place and then find a loophole of faith author mystery, like self-confidence, so I intend to in-depth analysis about the authentication interface. First, in our test app using OAuth authentication, we need to first register an app. After searching, I found a link that, when clicked, will come to”the Microsoft Developer Center”, I found here the registration app would ask me to fill in the“application name”and“language”. Any allows the user to input places are likely to be triggeredxssentry point, so I have insertedxssattack vector:’”>. Unfortunately, this application is rejected I submitted the vector, and returns an interesting error message:

! From this error information, we were able to find my attack vector ‘is intercepted, but the’(single quote) or “(double quotes)and is not filtered. I therefore make the following conjecture: if I could find the other page I entered above the content placed in the tag attribute or a script tag, but does not encode it, I will be able to inject JavaScript code. I try to input attack vector “onload=”alert(1),hope my attack vector can be added to support the onload event of the HTML tag. When completing the OAuth authentication to return the address of the redirect_uri after I finished registration, and then got used to in my registration app on OAuth authentication link on Microsoft's OAuth2 authentication, you can find here more content. Open the link, and my surprise found that my conjecture is correct, the authentication interface existsxssvulnerability

! In the page's source code, we can better understand how the application is parsing I submit the data, as in the following figure

! In the first 2 1 2 line, and my attack vector is not encoded, but is put in the alt this attribute, the default alt in the data to the app registration Time 2 0 1 5 1 2 2 7 1 6 1 9 0 5)), the src value is the default value of the app if there is no upload icon, the default use this link to icon, because this picture is sure to exist, so our onload event will be executed, leading toxss. Expanding the war fruit Although now I've got to be able to prove the vulnerability exists in the evidence, but I want to spend more time to study about this vulnerability what can cause much influence, the use ofxssto“steal the cookie”or“fishing”for me it's simply too boring. (smile face)! So I made the following conjecture: since this vulnerability exists in the User Authentication page, the user may be based on their judgment to select Accept, click”Yes”button or reject by clicking on”No”button This application, if I could insert the JavaScript code that automatically perform a click on the”Yes”button, I will be able to mysteriously get the access of the user resource permissions. So I created a new app, and fill in a possible realization, I suspect the attack vector: “onload=”document. getElementById(‘idBtn_Accept’). click()” param=”, the vector in the onload event trigger will automatically simulate clicking Submit”Yes”, give the app authorization to access the user's private resources. Hackers can from the victims access to the most useful resources? Once the attacker access to the user's authorization token, he can access to the user's resources, a hacker can get to the fatal data include the following: [1]Read Outlook account on all the mail via IMAP, or to the identity of the user to send new mail by SMTP [2]Read stored on OneDrive all files [3]Read all of the user's images, video, audio, etc. Here is a poc video: If the rapid spread of this vulnerability? Considering this is a storage typexss, and does not require user interaction, it can be said that as long as the user an access link will be able to triggerxss, the links to social apps Facebook, Twitter, etc., and is endowed with interesting stories illustrate, I believe many people will be caught! But it needs to be noted is to trigger thexss, requires the user to have to login through Microsoft, but this should not be difficult, right? Repair Microsoft has fixed this vulnerability, and now all the characters will be encoded into HTML entities.