Thursday, June 13, 2013

Microsoft Pinpoint vulnerable to DOM XSS

Through a third-party web application, the Microsoft Pinpoint site was vulnerable to a DOM XSS that could be used by malicious users to launch attacks.
A user could access the Ensighten Real-Time Tag Management System by adding the URL parameter "ensightenVT=1" on the Pinpoint site. This would allow checking a couple of Ensighten options.

Proof of concept #1:

From this point on, a reflected DOM XSS is present in a couple of places; adding the vector to the previous URL:

Proof of concept #2:
#"><img src=x onerror=prompt(1);>

... and navigating through some of the Ensighten options, the vector would execute automatically.
This was due to a lack of sanitization of location.hash before it was written into the page.
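The root cause described above, as an added example that is not code from the original post or from Ensighten: a minimal model of an option link driven by location.hash, with the vulnerable string concatenation beside a hardened version (the option names in the allow-list are assumed, and the page is modelled as a string builder so it runs without a browser DOM).

```javascript
// Added example (not the original post's or Ensighten's code): a model of the
// DOM XSS root cause, the hash fragment written into markup without sanitization.

// Vulnerable pattern: the fragment is concatenated straight into HTML.
// A fragment like '#"><img src=x onerror=...>' closes the href attribute
// and injects a new element.
function renderOptionLinkUnsafe(hash) {
  const option = hash.startsWith('#') ? hash.slice(1) : hash;
  return '<a href="#' + option + '">' + option + '</a>';
}

// Hardened pattern: treat the fragment as untrusted data, not markup.
// 1) Accept only a known option name (allow-list; names are assumed here).
// 2) HTML-escape it before it reaches an attribute or text context.
const KNOWN_OPTIONS = new Set(['overview', 'tags', 'settings']);

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

function renderOptionLinkSafe(hash) {
  const option = hash.startsWith('#') ? hash.slice(1) : hash;
  if (!KNOWN_OPTIONS.has(option)) {
    return null; // unknown fragment: render nothing rather than guess
  }
  return '<a href="#' + escapeHtml(option) + '">' + escapeHtml(option) + '</a>';
}

// Detection helper for a test suite: does the rendered markup contain any
// tag other than the single <a> the template intended?
function hasUnexpectedTag(html) {
  const tags = html.match(/<\/?[a-z][^\s>]*/gi) || [];
  return tags.some((t) => !/^<\/?a$/i.test(t));
}
```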

Microsoft Security Response Center replied:
Thank you for reporting this to us. I want to let you know that we have been able to finish our review of this issue and have fixed this in an online services update. I would like to provide you with an acknowledgement for working with us on our Online Researcher Acknowledgement page at
After getting my name on Google and eBay, currently I'm also listed on Microsoft: (

19 Mar 2013: Reported to Microsoft
19 Mar 2013: Microsoft replied that they would take a look into it
22 Mar 2013: Microsoft reported that this issue is fixed in an online services update
13 Jun 2013: Full disclosure XSS vulnerability

I found that it is possible to conduct an XSS attack on the career site on by manipulating the URL and injecting JavaScript. That way, when the user clicks the "Apply" link for a job, it launches the attack.

This could be used to trick innocent users applying for a job at a big company ( customers). When they click Apply they could become victims of, for example, redirection to malware sites or drive-by downloads.

Proof of concept:
';alert("xss by @dsopas");//&rps=186&ep=

Keep in mind that has many important clients, like Accenture, KPMG, DHL, ŠKODA AUTO, Telefónica, T-Mobile, BOSCH Group, GE Money, Vodafone, Ernst & Young, SIEMENS, Avast and many others.

I would like to thank the security team for keeping me updated and providing a solution to this issue very fast. It's always good to see companies that care about security and appreciate help from outsiders.

23 Apr 2013: Reported to
24 Apr 2013: First contact with technical support
25 Apr 2013: Update from security team
13 May 2013: Patched
13 Jun 2013: Full disclosure