原文始发于Supakiad S. (m3ez)：How I found DOM-Based XSS on Microsoft MSRC and How they fixed it
Microsoft MSRC ฺBlog site: Dom-based XSS Vulnerability
Table of Contents
- Background of DOM-Based XSS
- Finding and Analyzing the Vulnerable Code
- Reporting the Vulnerability to Microsoft
- How MSRC Team Fixing the Vulnerability
- Disclosure Timelines
In this blog post, I am excited to share my experience of discovering a DOM-Based XSS vulnerability on the Microsoft Security Response Center (MSRC) website, and how the Microsoft Security Team quickly and efficiently resolved the issue by fixing the vulnerability.
Background of DOM-Based XSS
For more information, please refer to:
- DOM Based XSS | OWASP Foundation
- What is DOM-based XSS (cross-site scripting)? Tutorial & Examples | Web Security Academy (portswigger.net)
Finding and Analyzing the Vulnerable Code
On February 12th, 2023, I read on the MSRC blog that they had released a new MSRC Blog Site, which started on February 9th, 2023.
The aforementioned blog post announced that the MSRC Blog Site had been refreshed with a new look and improved site performance, search functionality, categories, and tags. That indicates new development functions have been added to the site.
Here is a step-by-step guide that outlines how I found and analyzed the vulnerable code and determined the root cause of the issue.
I started by using the search function and looking at the website’s HTML source code. I discovered that the
search.js file was being loaded and the search query was being added to the URL as a
Then, I started analyzing the
search.js file to find the root cause of the vulnerability.
- At line 2296, the application checks whether a value exists in both the
searchResultsbefore processing user input.
- At line 2297, the application calls the
paramfunction to retrieve the value of the query parameter and stores it in the
- At line 2300, the application passes the
searchQueryparameter to the
- In the
executeSearchfunction, the application calls
paramfunction again and parses it into
As shown in the previous steps, the code retrieves user input from the
param function and directly set it as the
innerHTML of a DOM element without proper input sanitation, allowing potential attackers to inject and execute malicious scripts in the victim’s browser.
Reporting the Vulnerability to Microsoft
To report the vulnerability, I followed the steps outlined on the Microsoft Security Response Center website
I provided them with a detailed report outlining the vulnerability and a proof of concept (PoC) that demonstrated the attack. You can find more information about how to report a vulnerability to Microsoft on my blog
- Microsoft bug reports lead to ranking on Microsoft MSRC Quarterly Leaderboard (Q3 2022) | by Supakiad S. (m3ez)
Summary of Vulnerability
The vulnerability was found in the Microsoft MSRC Blog, specifically in the search functionality at https://msrc.microsoft.com/blog/search/. The vulnerability was caused by the unsanitized user input received from the “query” parameter, which is used to set the innerHTML of a DOM element in the search results. This made it for an attacker to inject malicious scripts and execute them in the victim’s browser, leading to a Dom-based XSS attack.
Microsoft MSRC Blog version: 1.1.02231.103–9e425f97
Example PoC URL:
Proof of Concept (PoC)
I record a below VDO PoC to demonstrate the existence of a DOM-Based XSS vulnerability on the MSRC Blog Site.
How MSRC Team Fixing the Vulnerability
After discovering the vulnerability, I reported it to the MSRC team. They acknowledged the report and began investigating and fixing the issue.
The MSRC team implemented getSearchParamClean to replace the vulnerable param function.
The new function uses a Dompurify library to properly sanitize user input before using it to set the innerHTML of a DOM element. This would prevent any potential XSS attacks by removing any malicious scripts from user input before it is displayed on the page.
Verify fixed vulnerability
Attempting to inject the XSS payload into the search query parameter should result in the payload being sanitized and not executed.
Here are the timelines for the vulnerability disclosure:
- Feb 12, 2023 — Vulnerability Discovered and Reported through MSRC portal.
- Feb 14, 2023 — MSRC ticket was moved to Review/Repro.
- Feb 15, 2023 — MSRC rolled out a patch to fix the vulnerability.
- Feb 23, 2023 — Public release of the security advisory.
I appreciate your feedback and would love to hear your thoughts on my blog. If you have any comments or suggestions, please feel free to reach out to me on:
转载请注明：How I found DOM-Based XSS on Microsoft MSRC and How they fixed it | CTF导航