Recently, I received an acknowledgement from Microsoft for reporting high risk vulnerabilities to them, I reported the following vulnerabilities to them:
1. Cross Site Scripting
2. HTML INJECTION
3. HTTP Parameter Pollution
4. DOM based CROSS SITE SCRIPTING
The cross site scripting and html injection vulnerabilities were verified by Microsoft and fixed, However HTTP parameter pollution and DOM based cross site scripting vulnerabilities are still being verified by Microsoft. I promised on my facebook page, that i would make the details public for the vulnerabilities when they are fixed, so i recorded a small video that actually demonstrates the attack, However i haven't explained how Non persistent cross site scripting vulnerability can be used to perform variety of different attacks such as phishing, session hijacking etc.
You can find my name listed in Security researchers for the month of August 2012 here.
Proof Of ConceptWhat's Next?
I have decided to go after ebay.com and apple.com as they also have an acknowledgment program as well. I will keep you updated once i find vulnerabilities inside them too. I have already found one in apple and have reported to them and i am waiting for their response.
Kindly Bookmark it and Share it with Friends: