The Road Towards 365 Bugs in Microsoft Office 365
Who Am I?
Three P's of Participation in Microsoft's Bug Bounty Program
Pain
Patience
Peso
Office 365 OR Microsoft 365
Finding a bug in Office 365 is a challenging task given ...
Manpower of in-house security professionals
Office 365 development follows the Microsoft Security Development Lifecycle (SDL)
Yearly THIRD-PARTY (NCC Group) vulnerability assessment of Office 365
Public bug bounty program, i.e., the Microsoft Online Services Bounty Program
Feeling of having an impact on millions of companies and billions of users ...
MSRC Case 57985
All your Power Apps Portals are belong to us
Access Control
Authentication + Authorization
Authentication verifies a user's identity, while authorization revolves around actions (authorized or unauthorized)
"The user identity is a parameter in access control decisions."
Dieter Gollmann
Insecure Direct Object Reference (IDOR)
Missing Access Control ...
Address *
*.microsoftcrmportals.com
*.powerappsportals.com
`portalId` or `tenantProductid` are the values of interest to us ...
How can you, as an attacker, get the victim's `portalId` or `tenantProductid`? The format, as you have seen, looks like
00000000-0000-0000-0000-000000000000
You can find the answer by looking at the source code of the PORTAL SITE.
MSRC Case 54728
Cross-tenant privacy leak in Office 365
Context
URL Context
How to attack URL Context ...
Is there a methodology?
... revolves around JavaScript, data URIs (not useful nowadays because they are tied to a null origin) and VBScript (sort of dead now + IE-specific + no one pays a bounty for IE), given that a validation check, i.e., that the URL should start with http:// or https://, is missing ...
Develop Your Own Methodology
MSRC Case 57873
MSRC Case 34779
MSRC Case 56250
MSRC Case 52115
MSRC Case 49910
MSRC Case 49797
MSRC Case 49665
MSRC Case 34753
https://account.windowsazure.com/Fisma?returnUrl=javascript:alert(1)
MSRC Case 59032
MSRC Case 56083
MSRC Case 40509
https://haeeautoever.sharepoint.com/sites/communitysite/_layouts/15/routermessage.aspx?FileName=Drawing123&MType=NoRulesMatched&Fnl=javascript:alert(document.domain)&Source=%2Fsites%2Fcommunitysite%2FDropOffLibrary
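As an added example (not code from the talk or from Microsoft), the prefix check the slides describe next to a parse-based check that allowlists both scheme and host; `ALLOWED_HOSTS` and the example hostnames are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed allowlist of hosts a returnUrl-style redirect may land on (assumption).
ALLOWED_HOSTS = {"account.example.com", "portal.example.com"}


def prefix_is_safe_url(url: str) -> bool:
    """The check the slides mention: URL must start with http:// or https://.
    It blocks javascript:, data: and vbscript: URIs in a URL context,
    but says nothing about *where* the navigation ends up."""
    return url.startswith(("http://", "https://"))


def hardened_is_safe_url(url: str) -> bool:
    """Parse the value, then allowlist the scheme and the host.
    Rejects non-http(s) schemes, scheme-relative URLs (//host/...),
    userinfo tricks (https://allowed@other/) and any host not on the list."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        # e.g. malformed IPv6 literal; treat unparsable input as unsafe
        return False
    if parts.scheme.lower() not in ("http", "https"):
        return False
    if parts.username or parts.password:
        return False
    host = parts.hostname
    return host is not None and host.lower() in ALLOWED_HOSTS


def classify(urls):
    """Return {url: (prefix_check, hardened_check)} for a batch of candidates."""
    return {u: (prefix_is_safe_url(u), hardened_is_safe_url(u)) for u in urls}


if __name__ == "__main__":
    # Constructed sample inputs: the page's javascript: payload plus a few variants.
    samples = [
        "javascript:alert(1)",
        "data:text/html,hi",
        "vbscript:MsgBox(1)",
        "https://account.example.com/Fisma",
        "https://other.example/",
        "//other.example/",
    ]
    for url, verdict in classify(samples).items():
        print(f"{url!r:45} prefix={verdict[0]!s:5} hardened={verdict[1]}")
```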
What if there is a validation check, or the site makes sure that a URL SHOULD start with http:// or https:// ?
Thanks @soaj1664ashar
By Ashar Javed