
Acknowledged By Microsoft For Reporting Vulnerabilities


Microsoft Hacked
For the past couple of months I have been doing more teaching than learning, so I decided to get back to the learning part and go after Microsoft, as they have an acknowledgement program for security researchers who find vulnerabilities in their online services and report them.

Recently I received an acknowledgement from Microsoft for reporting high-risk vulnerabilities to them. I reported the following vulnerabilities:

1. Cross-site scripting (XSS)
2. HTML injection
3. HTTP parameter pollution
4. DOM-based cross-site scripting

The cross-site scripting and HTML injection vulnerabilities were verified and fixed by Microsoft; however, the HTTP parameter pollution and DOM-based cross-site scripting vulnerabilities are still being verified. I promised on my Facebook page that I would make the details of the vulnerabilities public once they are fixed, so I recorded a small video that demonstrates the attack. However, I haven't explained how a non-persistent cross-site scripting vulnerability can be used to perform a variety of different attacks such as phishing, session hijacking, etc.

You can find my name listed among the security researchers for the month of August 2012 here.


Proof Of Concept

What's Next?

I have decided to go after ebay.com and apple.com, as they also have acknowledgement programs. I will keep you updated once I find vulnerabilities in them too. I have already found one in Apple's site, reported it to them, and am waiting for their response.


9 comments:

Guppu Boss @ InternetDreamz on September 7, 2012 at 11:02 AM said...

Great. Keep it up, man. And some hacking tutorials please :)

Anonymous said...

Congrats.. how many $ did you get as a reward?

Anonymous said...

I'm right now doing my engineering in I.T. and am very much interested in hacking. I want to know the logic behind this attack. Please guide me with this. I too want to become a successful ethical hacker and want to find loopholes in systems like you did. Please guide me over here also. Good work, by the way.

Anonymous said...

My friend’s website is also vulnerable to HTML Injection. I did this attack by typing the script in the address bar as his website doesn't contain any search field. Can you tell how to fix this? He is also ready to give me the FTP details.

Gazzaly on September 8, 2012 at 10:05 AM said...

That's seriously awesome, good luck bro!!


#Regards
#Gazzaly
#http://www.greenhathacker.blogspot.com

Mirza on September 8, 2012 at 1:28 PM said...

Many, many congratulations.... Well done bro, keep it up! :)

Rafay Baloch on September 11, 2012 at 1:55 PM said...

@GUPPU BOSS

Thanks a lot, buddy.

@Anonymous 2
Microsoft only offers acknowledgement, no rewards.

@Anonymous 3

The logic is simple: the application does not filter out the input, due to which we can inject our own code (JavaScript) into the application, making it vulnerable to high-profile attacks.

@Anonymous 4

Kindly send an email to rafaybaloch@gmail.com, along with your website, I will analyze it and let you know.


@Gazzaly

Thank you very much bro, you have supported me from day 1.

@Mirza

Thanks buddy.
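
As an added illustration of the root cause described in the reply above (unfiltered input reflected into the page) and of the fix the earlier commenter asked about for HTML injection, here is a vulnerable renderer beside its hardened form. This is example code written for this page, not code from the post or from any of the sites mentioned; the function names and the search-page template are assumptions.

```javascript
// Added example: reflected (non-persistent) XSS / HTML injection root cause
// and its standard fix, context-aware output encoding. Illustrative names;
// not code from the original post or from any site it mentions.

// Encode the characters that can change HTML structure. Encoding both quote
// styles keeps the result safe inside quoted attribute values as well as in
// element text.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// VULNERABLE: the search term is concatenated into the response verbatim, so
// any markup the user supplies (for example via a URL parameter) becomes part
// of the page. This is the "application does not filter the input" case.
function renderSearchPageVulnerable(term) {
  return `<h1>Results for ${term}</h1>\n` +
         `<input name="q" value="${term}">`;
}

// HARDENED: every reflection of untrusted data is encoded for its context
// (element text and a double-quoted attribute), so the browser treats the
// term as data, never as markup.
function renderSearchPageSafe(term) {
  const safe = escapeHtml(term);
  return `<h1>Results for ${safe}</h1>\n` +
         `<input name="q" value="${safe}">`;
}

// Simple review check: the template itself contains exactly three '<'
// characters (<h1>, </h1>, <input); any extra ones came from user input.
const TEMPLATE_TAG_COUNT = 3;
function countTags(html) {
  return (html.match(/</g) || []).length;
}
function reflectsMarkup(html) {
  return countTags(html) > TEMPLATE_TAG_COUNT;
}

// Constructed probe input: just enough to contain a quote and a tag.
const probe = '"><b>injected</b>';
console.log("vulnerable reflects markup:", reflectsMarkup(renderSearchPageVulnerable(probe))); // true
console.log("hardened reflects markup:  ", reflectsMarkup(renderSearchPageSafe(probe)));       // false
```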

Mohammad Mustafa Ahmedzai on September 19, 2012 at 12:18 PM said...

Congratulations Rafay. It's indeed a great achievement, and having your name listed amongst the Microsoft giants is clear evidence of your great skills. :)

Rafay Baloch on September 22, 2012 at 4:23 AM said...

@Mohammad Mustafa

Thank you very much brother, I am very pleased to see your comment on my blog, as it rarely happens.

Dare to ask? :)


RHA © 2013. All Rights Reserved.
