Hacker, Researcher and Author.

Acknowledged By Microsoft For Reporting Vulnerabilities

Microsoft Hacked
For past couple of months, I have been doing more of teaching part rather than learning part, Therefore i decided go after the learning part and decided to go after Microsoft as they had an acknowledgement program for the security researchers around the web, who can find vulnerabilities inside their online services and report it to them.

Recently, I received an acknowledgement from Microsoft for reporting high risk vulnerabilities to them, I reported the following vulnerabilities to them:

1. Cross Site Scripting
3. HTTP Parameter Pollution

The cross site scripting and html injection vulnerabilities were verified by Microsoft and fixed, However HTTP parameter pollution and DOM based cross site scripting vulnerabilities are still being verified by Microsoft. I promised on my facebook page, that i would make the details public for the vulnerabilities when they are fixed, so i recorded a small video that actually demonstrates the attack, However i haven't explained how Non persistent cross site scripting vulnerability can be used to perform variety of different attacks such as phishing, session hijacking etc.

You can find my name listed in Security researchers for the month of August 2012 here.

Microsoft Hacked

Proof Of Concept

What's Next?

I have decided to go after ebay.com and apple.com as they also have an acknowledgment program as well. I will keep you updated once i find vulnerabilities inside them too. I have already found one in apple and have reported to them and i am waiting for their response.


  1. Great. Keep it up man. and Some hacking tutorials pz:)

  2. congrats.. how many $ did you get as reward?

  3. I'm right now doing my engineering in I.T. and am very much interested in Hacking. I want to know the logic behind this attack. Please guide me with this. Even I want to become a successful Ethical Hacker and want to find loop holes in the system like you did. Please guide me over here also. Good work by the way.

  4. My friend’s website is also vulnerable to HTML Injection. I did this attack by typing the script in the address bar as his website doesn't contain any search field. Can you tell how to fix this? He is also ready to give me the FTP details.

  5. Thats Seriously Awesome Good Luck Bro!!


  6. Bohot bohot mubarkaan.... Well done bro keep it up! :)


    Thanks alot buddy.

    @Anonymous 2
    Microsoft only offers acknowledgement, No rewards.

    @Anonymous 3

    The logic is simple the application does not filter out the input, due to which we can inject our own codes (Javascript) in to the application, making it vulnerable to high profile attacks.

    Anonymous 4

    Kindly send an email to rafaybaloch@gmail.com, along with your website, I will analyze it and let you know.


    Thankyou very much bro, You have supported me from the day 1.


    Thanks buddy.

  8. Congratulations rafay. Its indeed a a great achievement and having your name listed amongst the Microsoft giants is a clear evidence of your great skills. :)

  9. @Muahmmad Mustafa

    Thankyou very much brother, I am very pleased to see your comment on my blog, As it rarely happens.


© 2016 All Rights Reserved by RHA Info Sec. Top

Contact Form


Email *

Message *

Powered by Blogger.