Vulnerability: XSS
HOF:
Vulnerability Type(s): Reflective XSS and Persistent XSS.
App: http://www.bing.com/maps/
Tested on: Firefox 23.0.1
Attack demonstration:
1>Visit http://www.bing.com/maps/ (make sure that you are logged in with your Outlook account)
2>Click “My Places”
3>Click “New list”
4>In the Title field enter the script: "><img src=a onerror="alert(document.cookie);">
5>In the Notes field enter the same script: "><img src=a onerror="alert(document.cookie);">
6>Click “Save”
7>You will see a popup showing the cookie info.
8>Click the “Add a Pushpin” icon below.
9>Click anywhere on the map.
10>Now select the option ["><img src=a onerror="alert(document.cookie);">] from the dropdown box.
11>Enter Title as: "><img src=a onerror="alert(document.cookie);">
12>Enter Note as: "><img src=a onerror="alert(document.cookie);">
13>Click “Save”.
14>Hover the mouse pointer over the yellow dot with a number on the map; you will notice the XSS popup.
15>Now hover the pointer over the name "><img src=a onerror="alert(document.cookie);"> in "My place editor". Here too you will see the effect of the XSS.
Demo (Snap) with "><img src=a onerror="alert(1);"> payload:
Update: It seems that MS has since fixed the vulnerability.
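
Added example (not part of the original post, and not Bing Maps code): a sketch of why the saved Title and Note fire when the list, the dropdown and the hover tooltip are rendered, next to the output-encoding fix. The markup shape and the names renderPlaceVulnerable, renderPlaceHardened and containsInjectedElement are assumptions made for illustration.

```javascript
// Constructed sample input: the Title/Note value used in the steps above.
const PAYLOAD = '"><img src=a onerror="alert(document.cookie);">';

// Encode the characters that can change the HTML parsing context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern (assumed): saved fields are concatenated straight into
// an attribute value, element text and a dropdown option.
function renderPlaceVulnerable(place) {
  return '<li class="place" title="' + place.title + '">' +
         '<span class="note">' + place.note + '</span></li>' +
         '<option value="' + place.title + '">' + place.title + '</option>';
}

// Hardened pattern: every user-controlled field is encoded at output time,
// so the leading "> can no longer close the attribute or the tag.
function renderPlaceHardened(place) {
  const title = escapeHtml(place.title);
  const note = escapeHtml(place.note);
  return '<li class="place" title="' + title + '">' +
         '<span class="note">' + note + '</span></li>' +
         '<option value="' + title + '">' + title + '</option>';
}

// Rough regression check: did stored text turn into a live <img> tag
// carrying an event handler?
function containsInjectedElement(html) {
  return /<img\b[^>]*\bonerror\s*=/i.test(html);
}

const place = { title: PAYLOAD, note: PAYLOAD };
console.log('vulnerable:', containsInjectedElement(renderPlaceVulnerable(place)));
console.log('hardened:  ', containsInjectedElement(renderPlaceHardened(place)));
```

Encoding has to happen in every place the stored value is written back out (list, dropdown, tooltip), since each one is a separate sink. Marking session cookies HttpOnly keeps them out of document.cookie, which limits what this kind of script can read.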