Microsoft Bing XSS Vulnerability Identified in Recent Research
Quick take - Recent research has uncovered a cross-site scripting (XSS) vulnerability in Microsoft’s Bing search engine that could allow attackers to exploit interconnected Microsoft applications by executing arbitrary JavaScript through malicious links.
Fast Facts
- A recent study uncovered a cross-site scripting (XSS) vulnerability in Microsoft’s Bing that could be used to send requests from the compromised domain to other Microsoft applications that trust it as an allowed origin.
- The research focused on identifying optimal targets by analyzing allowed domains and potential API attack surfaces on Bing’s main domain.
- A malicious link exploiting the XSS vulnerability could execute arbitrary JavaScript on Bing, potentially affecting millions of users and triggering sensitive actions on interconnected Microsoft services.
- The investigation revealed flaws in the XSS/HTML blacklist, enabling attackers to bypass security measures and execute malicious scripts via custom maps.
- The findings emphasize the need for continuous security assessments to address vulnerabilities in widely used applications like Bing, classified as “Severity: Important” by the Microsoft Security Response Center.
Microsoft Bing XSS Vulnerability Identified
Recent research has identified a cross-site scripting (XSS) vulnerability within a Microsoft web product, specifically targeting the Microsoft Search Engine, Bing.
Research Objectives and Findings
The primary objective of the research was to exploit this vulnerability to send requests from a compromised domain to other Microsoft applications that recognize this domain as an allowed origin. The research included a cross-referenced analysis of allowed domains and sub-domains across various Microsoft applications to identify optimal targets. The examination specifically targeted potential API attack surfaces on Bing’s main domain, www.bing.com.
Users logging into their Microsoft accounts automatically gain access to a suite of interconnected services, including Bing, Outlook, Copilot, and OneDrive. Successfully executing code on www.bing.com could potentially allow for the creation of malicious requests that affect these interconnected applications.
Exploit Strategy
The exploit strategy involved creating a malicious link that would exploit the XSS vulnerability found on the main Bing domain. This link was designed to execute arbitrary JavaScript on the main/root domain rather than a sub-domain. This approach could potentially reach millions of users familiar with Bing’s features without being detected. The execution of malicious JavaScript on www.bing.com could trigger sensitive actions on other Microsoft applications.
During the investigation of the Bing Maps Dev Center Portal, a URL with query parameters was identified for testing potential Cross-Origin Resource Sharing (CORS) vulnerabilities. The API endpoint /maps/configurable loads a custom configuration JSON file using the ?config= query parameter. This JSON file contains a field, addLayerFromURL, which allows for the loading of a KML file that could be exploited for further attack vectors.
A proof-of-concept demonstration revealed that an attacker could set up a server hosting a configuration map JSON file and a KML file. This setup allows for the styling of maps using properties from the KML file, including the insertion of balloons and text descriptions.
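The proof of concept above depends on the endpoint fetching a configuration, and then a KML layer, from a host the attacker controls. The following is an added example (not Bing's code and not from the research) of the server-side control that closes that path: the ?config= value and every addLayerFromURL entry inside the fetched config are resolved and checked against a first-party origin allowlist before anything is fetched. The origin, base path and file names are constructed placeholders.

```javascript
// Added example (not Bing's or the researchers' code): server-side validation of
// the user-controlled ?config= value and of the addLayerFromURL field inside the
// fetched config, so neither can point at a third-party host.
// Assumed/constructed: the first-party origin and base path below.
const ALLOWED_CONFIG_ORIGINS = new Set(["https://maps.example.test"]);
const CONFIG_BASE = "https://maps.example.test/maps/configurable";

// Returns the normalized absolute URL if it is safe to fetch, otherwise null.
function resolveConfigUrl(param) {
  if (typeof param !== "string" || param.length === 0 || param.length > 2048) {
    return null;
  }
  let url;
  try {
    // Relative paths resolve against the first-party base; absolute and
    // protocol-relative ("//host/...") values keep their own host and are
    // judged by the origin check below.
    url = new URL(param, CONFIG_BASE);
  } catch {
    return null; // unparseable input
  }
  if (url.protocol !== "https:") return null;     // rejects http:, javascript:, data:, ...
  if (url.username || url.password) return null;  // no credentials in fetch targets
  if (!ALLOWED_CONFIG_ORIGINS.has(url.origin)) return null;
  return url.href;
}

// Applies the same rule to addLayerFromURL (a string or an array of strings)
// and returns only the layer URLs that may be loaded.
function acceptedLayerUrls(config) {
  const raw = config && config.addLayerFromURL;
  const list = Array.isArray(raw) ? raw : raw === undefined ? [] : [raw];
  return list.map(resolveConfigUrl).filter((u) => u !== null);
}
```

The check is an allowlist on the parsed origin rather than a string comparison on the raw parameter, so protocol-relative values, alternate schemes and embedded credentials are all rejected by the same few lines; the layer URLs inside an accepted config go through the identical function, since a first-party config that points at a third-party KML file would otherwise reopen the chain.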
Security Implications and Disclosure
The research identified a flaw in the XSS/HTML blacklist: it could be bypassed with mixed upper- and lower-case characters. This flaw enabled the execution of arbitrary JavaScript via a custom map. The attacker could also activate or deactivate malicious hosts containing the compromised configuration map, and multiple endpoints could be set up to scale the attack.
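The blacklist flaw described above is a general pattern: a denylist of lowercase markers checked with a case-sensitive substring test lets any mixed-case variant through. The following added example (not Bing's code and not from the research; the scenario of free-text descriptions from a map data file being rendered as HTML is constructed) shows that weak filter beside a detection helper and the two defensive alternatives a reviewer would expect: contextual output encoding, or an allowlist of tag names compared after case-folding.

```javascript
// Added example (not Bing's or the researchers' code): why a case-sensitive
// denylist on untrusted text fails, beside two defensive alternatives.
// Scenario is constructed: free-text descriptions from a map data file are
// rendered into the page as HTML.

// Denylist of lowercase markers checked with a case-sensitive substring test.
const DENYLIST = ["<script", "<img", "onerror=", "onload=", "javascript:"];

// Weak filter modelled on the class of flaw the research reported: a mixed-case
// tag such as <ScRiPt> contains none of the lowercase needles, so it passes.
function weakFilter(input) {
  return DENYLIST.some((needle) => input.includes(needle)) ? "" : input;
}

// Detection aid for log or data review: true when a value passes the weak
// filter but would have matched after case-folding.
function isCaseVariantBypass(input) {
  const lowered = String(input).toLowerCase();
  const matchesFolded = DENYLIST.some((needle) => lowered.includes(needle));
  return weakFilter(input) !== "" && matchesFolded;
}

// Fix 1: encode instead of filter. Every character that can change HTML
// context is escaped, so the browser renders the whole value as text.
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;", "`": "&#96;" };
function escapeHtml(input) {
  return String(input).replace(/[&<>"'`]/g, (ch) => ESCAPES[ch]);
}

// Fix 2, when limited formatting must survive: allowlist of tag names compared
// after lowercasing, attributes dropped (event handlers live there), and
// everything else escaped. Case variants cannot bypass an allowlist because
// anything not explicitly accepted is encoded.
const ALLOWED_TAGS = new Set(["b", "i", "em", "strong", "br"]);
function sanitizeAllowlist(input) {
  const tagOrSpecial = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)[^>]*>|[&<>"'`]/g;
  return String(input).replace(tagOrSpecial, (match, slash, tag) => {
    if (tag !== undefined && ALLOWED_TAGS.has(tag.toLowerCase())) {
      return `<${slash}${tag.toLowerCase()}>`;
    }
    return escapeHtml(match);
  });
}
```

Lowercasing the input before a denylist check would close the specific case-variant gap but leaves every other encoding trick untested, which is why both fixes invert the model: the default for untrusted text is encoding, and only an explicitly accepted, normalized tag name is ever emitted as markup.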
Victims could be exploited through the identified XSS vulnerability on www.bing.com and potentially other Microsoft web applications. A disclosure timeline was established with the Microsoft Security Response Center (MSRC). The communications regarding the security issue were classified as “Severity: Important” for bounty assessment under the M365 bounty program.
This research underscores the critical need for ongoing security assessments and highlights the importance of addressing vulnerabilities in widely used applications like Bing to protect users and interconnected services.
Original Source: Read the Full Article Here