Microsoft Open Redirect

dpa-fwl.microsoft.com suffers from an open redirection vulnerability.


MD5 | 9a992791db71dab2fd3cb6f1e0559793

# Exploit Title: [ Open Redirect at Microsoft ]

# Date: [ 28.05.2018 ]

# Exploit Author: [ Ismail Tasdelen ]

# Vendor Homepage: [ https://www.microsoft.com/ ]

# Software : [ Microsoft Service Website ]

# Software Version : [ 1.0.0 ]

# Vulnerability : Open Redirect

# CWE : CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

# Referenes : https://cwe.mitre.org/data/definitions/601.html

# Open Redirect Payload : redirect.html?referrerID=&src=msn&rurl=http://ismailtasdelen.me

# Type: Webapps

# PoC Video : https://www.youtube.com/watch?v=qKJZWrD6kyE

# Test on : Kali Linux / Windows 10 - Google Chrome / Mozilla FireFox -- Last Version

# Report Information : aMSRC Case 45689aCRM:0461050327

# HTTP REQUEST HEADER :

Request URL: https://dpa-fwl.microsoft.com/
Request Method: GET
Status Code: 404 Not Found
Remote Address: 23.206.41.151:443
Referrer Policy: no-referrer-when-downgrade
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Cache-Control: max-age=0
Connection: keep-alive
Cookie: MUID=1108A71E7DDC60711EE8ACE37C7761DD; MC1=GUID=7411899aa2f5459d92a2e06820293a50&HASH=7411&LV=201805&V=4&LU=1527484623502; MS0=d0c78c48ac1b42e38cb009509aeed269; AMCVS_EA76ADE95776D2EC7F000101%40AdobeOrg=1; AMCV_EA76ADE95776D2EC7F000101%40AdobeOrg=-894706358%7CMCIDTS%7C17680%7CMCMID%7C71837383169482853811344079266943525630%7CMCAAMLH-1528089421%7C6%7CMCAAMB-1528089421%7C6G1ynYcLPuiQxYZrsz_pkqfLG9yMXBpb2zX5dvJdYQJzPXImdj0y%7CMCCIDH%7C-467936784%7CMCOPTOUT-1527491821s%7CNONE%7CMCSYNCSOP%7C411-17687%7CvVersion%7C2.3.0; AAMC_mscom_0=AMSYNCSOP%7C411-17687
Host: dpa-fwl.microsoft.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Linux; Android 5.0; SM-G900P Build/LRX21T) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Mobile Safari/537.36

# HTTP RESPONSE HEADER :

Connection: keep-alive
Content-Length: 223
Content-Type: application/xml
Date: Mon, 28 May 2018 05:18:04 GMT
Server: Blob Service Version 1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: 35d526a9-201e-0076-1343-f68622000000

# Bug Bounty Time Line :

Report Date : 5-28-2018
Triage Date : 5-28-2018
Fixed Date : 5-06-2018

# You want to follow my activity ?

https://www.linkedin.com/in/ismailtasdelen
https://github.com/ismailtasdelen
https://twitter.com/ismailtsdln
https://packetstormsecurity.com/user/ismailtasdelen/

Related Posts