Unveiling Security Vulnerability on a Microsoft Subdomain: Open Redirects to RXSS Exploitation

In this article, I am going to cover another security bug that I found on a Microsoft subdomain. Initially, when I visited https://ads.microsoft.com, I discovered that the “back” button on the user settings page was vulnerable to open redirects[1]. To further investigate, I attempted an XSS [2] payload in order to escalate the vulnerability to RXSS. The attempt proved successful, and upon clicking the back button, the XSS was executed.

As a result, the final URL appeared as follows: https://ads.microsoft.com/cc/Settings/MySettings?rurl=javascript:alert(document.domain)"

Timeline:

◘ 8th March 2023 — Report Submitted through MSRC Portal

◘ 8th March 2023 — MSRC team confirmed and opened a case for this issue

◘ 14th March 2023 — MSRC team changed the status Review / Repro to Develop

◘ 4th May 2023 — MSRC team changed the status Develop to Fix.

POC Video:

My Social Handles

Twitter: https://twitter.com/sawravchy

References:

1. https://portswigger.net/kb/issues/00500100_open-redirection-reflected
2. https://portswigger.net/web-security/cross-site-scripting