Unveiling Security Vulnerability on a Microsoft Subdomain: Open Redirects to RXSS Exploitation

Sawrav Chowdhury
1 min readMay 18, 2023

In this article, I am going to cover another security bug that I found on a Microsoft subdomain. Initially, when I visited https://ads.microsoft.com, I discovered that the “back” button on the user settings page was vulnerable to open redirects[1]. To further investigate, I attempted an XSS [2] payload in order to escalate the vulnerability to RXSS. The attempt proved successful, and upon clicking the back button, the XSS was executed.

As a result, the final URL appeared as follows: https://ads.microsoft.com/cc/Settings/MySettings?rurl=javascript:alert(document.domain)"

Timeline:

◘ 8th March 2023Report Submitted through MSRC Portal

◘ 8th March 2023 — MSRC team confirmed and opened a case for this issue

◘ 14th March 2023 — MSRC team changed the status Review / Repro to Develop

◘ 4th May 2023 — MSRC team changed the status Develop to Fix.

--

--