The Road Towards 365 Bugs in Microsoft Office 365

Who Am I?

Three P's of Participation in Microsoft's Bug Bounty Program

Pain

Patience

Peso

Office 365 OR Microsoft 365

Finding a bug in Office 365 is a challenging task given ...

Manpower of in-house security professionals

Office 365 development follows the Microsoft Security Development Lifecycle (SDL)

Yearly THIRD-PARTY (NCC Group) vulnerability assessment of Office 365

Public bug bounty program, i.e., the Microsoft Online Services Bounty Program

Feeling of having an impact on millions of companies and billions of users ...

MSRC Case 57985

All your Power Apps Portals are belong to us

Access Control

Authentication + Authorization

Authentication verifies a user's identity, while authorization decides which actions that identity is (or is not) allowed to perform

"The user identity is a parameter in access control decisions."

Dieter Gollmann

Insecure Direct Object Reference (IDOR)

Missing Access Control ...

Address *

*.microsoftcrmportals.com
*.powerappsportals.com

`portalId` or `tenantProductid` are the parameters of interest here ...

How can you, as an attacker, obtain the victim's `portalId` or `tenantProductid`? The format, as you have seen, looks like

00000000-0000-0000-0000-000000000000

The answer: look at the source code of the PORTAL SITE, where the identifier is embedded.
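An added example (not from the original slides, and not Microsoft's markup) of the recon step above: scan a portal page's source for identifiers in the GUID format shown on the previous slide and record the name each one is bound to, so that values such as `portalId` or `tenantProductid` stand out. The HTML below is constructed for illustration; the attribute and variable names in it are assumptions, not the portal's real markup.

```javascript
// Added example: locate GUID-format identifiers in page source and the
// name they are bound to. Not code from the original slides.

// GUID shape from the slide: 00000000-0000-0000-0000-000000000000
const GUID_SHAPE = '[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}';

// `name="<guid>"`, `name: '<guid>'`, `name = <guid>` style bindings, covering
// HTML attributes, JSON keys and JavaScript variable assignments.
const BOUND_GUID = new RegExp(
  '([A-Za-z_$][\\w$-]*)\\s*[:=]\\s*["\']?(' + GUID_SHAPE + ')["\']?', 'gi');

function isGuid(value) {
  return new RegExp('^' + GUID_SHAPE + '$', 'i').test(value);
}

// Returns a Map of binding name -> lowercased GUID found in `source`.
function findBoundGuids(source) {
  const found = new Map();
  for (const match of source.matchAll(BOUND_GUID)) {
    const [, name, guid] = match;
    found.set(name, guid.toLowerCase());
  }
  return found;
}

// Constructed sample page source (hypothetical attribute/variable names).
const SAMPLE_SOURCE = `
<html><body data-portal-id="11111111-2222-3333-4444-555555555555">
<script>
  var tenantProductid = '66666666-7777-8888-9999-AAAAAAAAAAAA';
  var sessionNonce = 'not-a-guid-at-all';
</script>
</body></html>`;

// Usage: print every candidate identifier worth trying in an IDOR request.
for (const [name, guid] of findBoundGuids(SAMPLE_SOURCE)) {
  console.log(`${name} = ${guid}`);
}
```

Anything this turns up is only a candidate: the IDOR exists when the backend accepts that identifier from a different tenant's user without checking ownership, which is the access-control failure the slides describe.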

MSRC Case 54728

Cross-tenant privacy leak in Office 365

Context

URL Context

How to attack URL Context ...

Is there a methodology?

... revolves around the javascript: scheme, data: URIs (not useful nowadays, because they run in a null/opaque origin) and vbscript: (effectively dead: IE-specific, and no one pays a bounty for IE), whenever a validation check that the URL must start with http:// or https:// is missing ...

Develop Your Own Methodology

MSRC Case 57873

MSRC Case 34779

MSRC Case 56250

MSRC Case 52115

MSRC Case 49910

MSRC Case 49797

MSRC Case 49665

MSRC Case 34753

https://account.windowsazure.com/Fisma?returnUrl=javascript:alert(1)

MSRC Case 59032

MSRC Case 56083

MSRC Case 40509

https://haeeautoever.sharepoint.com/sites/communitysite/_layouts/15/routermessage.aspx?FileName=Drawing123&MType=NoRulesMatched&Fnl=javascript:alert(document.domain)&Source=%2Fsites%2Fcommunitysite%2FDropOffLibrary
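The two PoC URLs above put an attacker-controlled value (`returnUrl`, `Fnl`) into a URL context. The block below is an added example, not code from the slides or from Microsoft: it models a redirect handler with the missing check described earlier, shows how the browser's own URL parser resolves the scheme of such values, and contrasts it with a parse-based allowlist. `APP_ORIGIN` and the function names are hypothetical; the only assumption is that the parameter value reaches a navigation sink such as `location.href` unchanged.

```javascript
// Added example: URL-context redirect sink, vulnerable vs hardened.
// Not code from the original slides; APP_ORIGIN is an assumed value.

const APP_ORIGIN = 'https://portal.example';

// Vulnerable: the raw value is the navigation target, so javascript:, data:
// and vbscript: values are honoured exactly as the slide describes.
function vulnerableTarget(returnUrl) {
  return returnUrl; // equivalent to: location.href = returnUrl
}

// Scheme the browser would actually use, resolving relative references
// against the app origin the way a navigation does. Leading spaces and
// mixed-case schemes are normalised by the WHATWG parser, which is why a
// string prefix test is not a substitute for parsing.
function resolvedScheme(value, base = APP_ORIGIN) {
  try {
    return new URL(value, base).protocol; // e.g. 'javascript:'
  } catch {
    return null; // unparsable input never navigates
  }
}

// Naive prefix check: stops javascript:/data:/vbscript:, but any absolute
// http(s) URL still passes, i.e. a cross-origin open redirect remains.
function prefixCheckedTarget(returnUrl, fallback = APP_ORIGIN + '/') {
  return /^https?:\/\//i.test(returnUrl) ? returnUrl : fallback;
}

// Hardened: parse, then allow only http(s) and only the app's own origin;
// a relative path is resolved and kept, everything else falls back.
function safeTarget(returnUrl, base = APP_ORIGIN, fallback = base + '/') {
  let parsed;
  try {
    parsed = new URL(returnUrl, base);
  } catch {
    return fallback;
  }
  if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') return fallback;
  if (parsed.origin !== new URL(base).origin) return fallback;
  return parsed.href;
}

// Usage: the kinds of payloads the methodology above tries, plus a benign
// relative path of the shape used in the SharePoint PoC's Source parameter.
const SAMPLES = [
  'javascript:alert(1)',
  ' JavaScript:alert(document.domain)',
  'data:text/html,<script>alert(1)</script>',
  '//evil.example/',
  '/sites/communitysite/DropOffLibrary',
];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), '->', resolvedScheme(s), '| safe:', safeTarget(s));
}
```

Only `safeTarget` blocks both the script schemes and the cross-origin redirect; the prefix test is the "http:// or https://" check the next slide refers to, and on its own it closes only the scheme-injection case.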

What if there is a validation check, i.e., the site makes sure that a URL SHOULD start with http:// or https:// ?

Thanks @soaj1664ashar