DOM Based XSS In Microsoft
2013-03-20
Rafay Baloch
Lately, i have been researching on DOM based XSS a bit, In my previous post i talked about the DOM based XSS i found inside AVG, DOM based XSS is caused due to lack of input filtering inside client side javascripts, since most of the code is moving towards client side, therefore DOM based xss have been very common now a days, It is predicted by the experts that the DOM based xss mostly occurs in the websites that heavily rely upon javascripts.
I have reported several DOM based XSS inside Microsoft, most of them were due to the lack of input filtering/sanitization inside of the several tracking scripts such as sitecatalyst and riotracking scripts as they often introduce some vulnerable sources and sinks. With that being said, let's take a look at the POC of the attack:
The vulnerability occurs due to lack of filtering being done inside riotracking script (Line 58), There are other microsoft domains that are also using the same tracking script vulnerable to DOM based XSS, see if you can find one?.