Unveiling Security Vulnerability on a Microsoft Subdomain: Open Redirects to RXSS Exploitation
In this article, I am going to cover another security bug that I found on a Microsoft subdomain. Initially, when I visited https://ads.microsoft.com, I discovered that the “back” button on the user settings page was vulnerable to open redirects [1]. To further investigate, I attempted an XSS [2] payload in order to escalate the vulnerability to RXSS. The attempt proved successful, and upon clicking the back button, the XSS was executed.
As a result, the final URL appeared as follows: https://ads.microsoft.com/cc/Settings/MySettings?rurl=javascript:alert(document.domain)"
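One way to validate a return-URL parameter such as rurl before it is written into a back link, added here as an illustration (it is not code from this article or from Microsoft). The function name safeReturnUrl, the fallback path "/" and the same-origin-only policy are assumptions; the origin is the one shown in the URL above.

```javascript
// Added example: hypothetical validator for a return-URL parameter like `rurl`.
// Names, the fallback path and the policy are assumptions, not the site's code.
const APP_ORIGIN = "https://ads.microsoft.com"; // origin from the URL in the article
const FALLBACK = "/";                           // assumed safe default target

function safeReturnUrl(raw, appOrigin = APP_ORIGIN, fallback = FALLBACK) {
  if (typeof raw !== "string" || raw.length === 0) return fallback;

  let parsed;
  try {
    // Resolve with the same WHATWG parser the browser uses, so whitespace,
    // backslashes and scheme-relative forms are normalised before checking.
    parsed = new URL(raw, appOrigin);
  } catch {
    return fallback; // unparseable input never reaches the link
  }

  // Only web schemes may be navigated to; javascript:, data:, etc. are refused.
  if (parsed.protocol !== "https:" && parsed.protocol !== "http:") return fallback;

  // Closes the open redirect: the target must stay on the application origin.
  if (parsed.origin !== new URL(appOrigin).origin) return fallback;

  // Emit a path-only value so the resulting href can never carry a scheme or host.
  return parsed.pathname + parsed.search + parsed.hash;
}

// Constructed sample inputs (the first is the value from the URL above).
function demo() {
  const samples = [
    "javascript:alert(document.domain)",
    "https://example.org/landing",
    "/cc/Settings/MySettings?tab=profile",
  ];
  return samples.map((s) => [s, safeReturnUrl(s)]);
}

for (const [input, output] of demo()) {
  console.log(JSON.stringify(input), "->", JSON.stringify(output));
}
```

The check parses the value instead of searching it for the string "javascript:", so the decision is made on the same normalised URL the browser would act on.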
Timeline:
◘ 8th March 2023 — Report Submitted through MSRC Portal
◘ 8th March 2023 — MSRC team confirmed and opened a case for this issue
◘ 14th March 2023 — MSRC team changed the status from Review / Repro to Develop
◘ 4th May 2023 — MSRC team changed the status from Develop to Fix