Acknowledged By Microsoft For Reporting Vulnerabilities
Recently, I received an acknowledgement from Microsoft for reporting high risk vulnerabilities to them, I reported the following vulnerabilities to them:
1. Cross Site Scripting
2. HTML INJECTION
3. HTTP Parameter Pollution
4. DOM based CROSS SITE SCRIPTING
The cross site scripting and html injection vulnerabilities were verified by Microsoft and fixed, However HTTP parameter pollution and DOM based cross site scripting vulnerabilities are still being verified by Microsoft. I promised on my facebook page, that i would make the details public for the vulnerabilities when they are fixed, so i recorded a small video that actually demonstrates the attack, However i haven't explained how Non persistent cross site scripting vulnerability can be used to perform variety of different attacks such as phishing, session hijacking etc.
You can find my name listed in Security researchers for the month of August 2012 here.
Proof Of Concept
What's Next?I have decided to go after ebay.com and apple.com as they also have an acknowledgment program as well. I will keep you updated once i find vulnerabilities inside them too. I have already found one in apple and have reported to them and i am waiting for their response.
Great. Keep it up man. and Some hacking tutorials pz:)
ReplyDeletecongrats.. how many $ did you get as reward?
ReplyDeleteI'm right now doing my engineering in I.T. and am very much interested in Hacking. I want to know the logic behind this attack. Please guide me with this. Even I want to become a successful Ethical Hacker and want to find loop holes in the system like you did. Please guide me over here also. Good work by the way.
ReplyDeleteMy friend’s website is also vulnerable to HTML Injection. I did this attack by typing the script in the address bar as his website doesn't contain any search field. Can you tell how to fix this? He is also ready to give me the FTP details.
ReplyDeleteThats Seriously Awesome Good Luck Bro!!
ReplyDelete#Regards
#Gazzaly
#http://www.greenhathacker.blogspot.com
Bohot bohot mubarkaan.... Well done bro keep it up! :)
ReplyDelete@GUPPU BOSS
ReplyDeleteThanks alot buddy.
@Anonymous 2
Microsoft only offers acknowledgement, No rewards.
@Anonymous 3
The logic is simple the application does not filter out the input, due to which we can inject our own codes (Javascript) in to the application, making it vulnerable to high profile attacks.
Anonymous 4
Kindly send an email to rafaybaloch@gmail.com, along with your website, I will analyze it and let you know.
@Gazzaly
Thankyou very much bro, You have supported me from the day 1.
Mirza
Thanks buddy.
Congratulations rafay. Its indeed a a great achievement and having your name listed amongst the Microsoft giants is a clear evidence of your great skills. :)
ReplyDelete@Muahmmad Mustafa
ReplyDeleteThankyou very much brother, I am very pleased to see your comment on my blog, As it rarely happens.