Clicking on the link, the URL was translated to http://help.ask.com/ics/support/default.asp?deptID=30018&_referrer= , I started testing the parameter “_referrer” to see if it was vulnerable to open redirects.
I found that the value of the parameter gets reflected inside a function inside a , so I quitted testing for open redirects and started looking for a way to trigger an XSS, see the following picture:
The developers did not sanitize the value of “_referrer” properly, double quotes, alert() and similar functions, and tags were all allowed. So all I needed at this stage was some help from my friend and teacher, Brute Logic. He noticed that the function exitSupport() was never called on the page, so all he needed to do was to break out of it.
The following two screenshots show the code after the injection of the payload and the alert box:
After we successfully triggered the alert box, Brute suggested that I should look deeper into the bug, saying “don’t stop there, try to figure out where the rabbit hole really goes”.
He then told me to look for websites containing the same code inside the script tag. He advised me to use nerdydata.com, so I went to the mentioned website and started searching for the function exitSupport(). And there was the surprise, I found dozens of websites using the flawed piece of software. See the picture below:
Going further into the research, Brute quickly identified the origin of the flawed script using whatweb.net , the following screenshot shows the name of the flawed service:
We only realized that the product was owned and developed by Microsoft after we visited Parature’s official website, parature.com :
The following is an excerpt from parature.com :
“Parature is a cloud-based customer service solution that empowers brands and organizations to deliver consistent care anytime, anywhere through a powerful combination of knowledge management, self-service and multi-channel engagement. Quick to deploy, scalable and flexible, and mobile-responsive, discover the customer support software solution that many of the world’s leading brands are using to deliver productive, proactive and personalized customer care.”.
Then, we decided to look for other websites being affected by the flaw, and we found some big names, below is a GIF containing some of these names:
- 17-11-2015 Initial report, Microsoft replied that they couldn’t reproduce the issue, further explanation of the issue is sent
- 18-11-2015 Microsoft replied that they opened a case for the bug
- 30-11-2015 I sent an email asking if the bug has been fixed
- 02-12-2015 Microsoft replied that the issue is fixed and asked for our names for the Hall of Fame
- 19-01-2015 The Hall of Fame for the month of December is released