Office Stored XSS
Microsoft Office XSS
I've been wanting to share my findings on this vulnerability for a while now, but have only just had the chance, after nine months of waiting to publish the results.
I thought I'd blog about it as it was quite an interesting find.
I reported this vulnerability to Microsoft last year. After the case passed through several case managers, they have now confirmed it to be patched.
Vulnerability: Cross-site scripting (stored)
Affected: office.com
Vulnerable endpoint: office.com/1/search
Time to response: 6 days
Time to resolution: approx. 9 months
I was added to the Microsoft Hall of Fame for January 2018; the initial report was submitted on 19/04/2017.
So, let's dive into the technical issues behind this discovery.
I was just browsing my girlfriend's EDU Office 365 account when I noticed there was a "shared with me" section where you could see files sent to you.
Each file received also had a subject and a snippet field; this looked a lot like e-mail data, similar to the image below.
Fuzzing & attack
I did a bit of testing and found that one of the entry points for these "shared documents" was actually e-mail: an item would only be displayed there when an Office-related file (.docx, .xlsx, etc.) was attached to the received e-mail.
So, I sent an empty .docx (Word) file to my girlfriend's Office 365 account from my own e-mail. I set the e-mail "subject" as a simple payload.
Payload: <h1>XSS<img src=...>
And behold: it was not only received in the "shared files" area, it also executed my script on her page. The e-mail subject was being placed into the page without being encoded, which makes this a fairly unique "stored" XSS vector, since the payload never touches a form on the site itself.
I think this vulnerability is an example of why we can't just automate fuzzing of "all the things"; there must be a human element too.
When reviewing the impact, consider: what if the Word file had a generic name, e.g. "Assignment" or "Brief", and was forwarded to all students? The stored XSS would then fire for every recipient who viewed their "shared with me" panel.
Sanitise, or better still encode on output, ALL foreign input, even if it is not entered directly on the site; it can still be tampered with, and you can't always validate it upstream. That includes API data and e-mail data.
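The rendering bug described in the "Fuzzing & attack" section and the "encode all foreign input" takeaway above boil down to one pattern, shown here as an added example that is not code from the original post or from Microsoft. It models a "shared with me" entry whose subject arrived from an e-mail, renders it the vulnerable way (string concatenation into markup, the equivalent of assigning to innerHTML) and the hardened way (HTML entity encoding of every foreign field at the point it is placed in markup). The item fields, the helper names and the onerror handler in the sample subject are all constructed for illustration; the post's actual payload beyond `<h1>XSS<img src=...>` is not reproduced.

```javascript
// Added example (not from the original post): a minimal model of a
// "shared with me" panel that renders e-mail-derived subject/snippet data.
// Field names, helper names and the payload are constructed for illustration.

// Constructed sample item. The subject is attacker-controlled because it is
// copied from the incoming e-mail; the onerror attribute is a stand-in for the
// elided part of the post's "<h1>XSS<img src=...>" payload.
const sharedItem = {
  fileName: "Assignment.docx",
  subject: '<h1>XSS<img src=x onerror="alert(document.domain)">',
  snippet: "Please find attached.",
};

// Vulnerable pattern: untrusted strings are concatenated straight into
// markup (equivalent to element.innerHTML = ...), so the subject is parsed
// as HTML and the <img> onerror handler runs in the site's origin.
function renderUnsafe(item) {
  return (
    '<div class="shared-file">' +
    '<span class="name">' + item.fileName + "</span>" +
    '<span class="subject">' + item.subject + "</span>" +
    '<span class="snippet">' + item.snippet + "</span>" +
    "</div>"
  );
}

// Output encoding for the HTML text-content context: every character that can
// open a tag, attribute or entity is replaced by its entity reference, so the
// browser displays the subject literally instead of parsing it.
function escapeHtml(value) {
  const entities = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#39;",
  };
  return String(value).replace(/[&<>"']/g, (ch) => entities[ch]);
}

// Hardened pattern: every foreign field is encoded where it enters the markup,
// regardless of its origin (mail, API response, file metadata). In real DOM
// code the same effect comes from element.textContent = item.subject.
function renderSafe(item) {
  return (
    '<div class="shared-file">' +
    '<span class="name">' + escapeHtml(item.fileName) + "</span>" +
    '<span class="subject">' + escapeHtml(item.subject) + "</span>" +
    '<span class="snippet">' + escapeHtml(item.snippet) + "</span>" +
    "</div>"
  );
}

// Cheap regression check for a test suite: remove the template's own tags and
// see whether any tag from the data survived. Encoded output contains no "<",
// so nothing can match; unsafe output still carries "<h1>" and "<img ...>".
// (A DOM-based test asserting on element types would be the stronger check.)
const TEMPLATE_TAGS = [
  '<div class="shared-file">',
  "</div>",
  '<span class="name">',
  '<span class="subject">',
  '<span class="snippet">',
  "</span>",
];

function containsInjectedMarkup(html, templateTags) {
  let stripped = html;
  for (const tag of templateTags) {
    stripped = stripped.split(tag).join("");
  }
  return /<[a-z][^>]*>/i.test(stripped);
}

console.log("unsafe render injects markup:", containsInjectedMarkup(renderUnsafe(sharedItem), TEMPLATE_TAGS));
console.log("safe render injects markup:  ", containsInjectedMarkup(renderSafe(sharedItem), TEMPLATE_TAGS));
console.log(renderSafe(sharedItem));
```

Note that escapeHtml is only correct for the HTML text (and quoted attribute value) context; data placed into a URL, a JavaScript string or a CSS value needs the encoder for that context, and data that legitimately must keep some formatting needs an allow-list sanitiser such as DOMPurify rather than encoding. The point the post makes still holds: the encoding happens on output, in the page, so it does not matter whether the string came from a form, an API or an e-mail.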
Thanks for reading.