Thursday, June 13, 2013

Microsoft Pinpoint vulnerable to DOM XSS

Because it used a third-party web application, the Microsoft Pinpoint site was vulnerable to a DOM XSS that malicious users could use to launch attacks.
A user could access the Ensighten Real-Time Tag Management System by adding the URL parameter "ensightenVT=1" on the This would allow the user to check a couple of Ensighten options.

Proof of concept #1:

After this point, a reflected DOM XSS is present in a couple of places, and adding the vector to the previous URL:

Proof of concept #2:
#"><img src=x onerror=prompt(1);>

... and navigating through some Ensighten options, the vector would execute successfully and automatically.
This was because location.hash was not sanitized.
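
The unsanitized location.hash pattern described above, as an added example (not code from Ensighten, Microsoft or this post). The function names and the link markup are hypothetical, and the input is the vector from proof of concept #2. It shows the concatenating builder beside an encoded one and a DOM-setter one.

```javascript
// Added example: hypothetical code, not Ensighten's or Microsoft's.
// Constructed input: the vector from "Proof of concept #2", as the page's fragment.
const SAMPLE_HASH = '#"><img src=x onerror=prompt(1);>';

// Vulnerable pattern: the fragment is concatenated into a quoted attribute
// and the resulting string is later handed to an HTML sink such as innerHTML.
function buildOptionLinkUnsafe(hash) {
  return '<a class="opt" href="' + hash + '">Options</a>';
}

// Encode the characters that can close an attribute value or open a tag.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened string builder: same markup, fragment encoded for its context.
function buildOptionLinkSafe(hash) {
  return '<a class="opt" href="' + escapeHtml(hash) + '">Options</a>';
}

// Preferred in a browser: skip HTML parsing and use DOM setters.
// `doc` is a parameter so the function can be exercised outside a browser.
function renderOptionLinkDom(doc, container, hash) {
  const a = doc.createElement('a');
  a.className = 'opt';
  a.setAttribute('href', hash); // stored as an attribute value, never parsed as markup
  a.textContent = 'Options';
  container.appendChild(a);
  return a;
}

// Rough review/test helper: names of the tags a markup string opens.
function openedTags(markup) {
  return Array.from(markup.matchAll(/<([a-zA-Z][a-zA-Z0-9]*)/g), (m) => m[1].toLowerCase());
}
```

With the sample fragment, the unsafe builder opens an extra `img` element, while the encoded builder opens only the intended `a`.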

Microsoft Security Response Center replied:
Thank you for reporting this to us.  I want to let you know that we have been able to finish our review of this issue and have fixed this in an online services update.  I would like to provide you with an acknowledgement for working with us on our Online Researcher Acknowledgement page at
After getting my name on Google and eBay, currently I'm also listed on Microsoft: (

19 Mar 2013: Reported to Microsoft
19 Mar 2013: Microsoft reported that they will take a look into it
22 Mar 2013: Microsoft reported that this issue was fixed in an online services update
13 Jun 2013: Full disclosure
