Microsoft official website(microsoft.com) vulnerable to XSS

Cross site scripting vulnerability in Microsoft.com

Security researcher @flexxpoint comes with an interesting find: Microsoft's official website (microsoft.com) is vulnerable to Cross Site Scripting (XSS). The vulnerability is in the Products page URL.

http://www.microsoft.com/en-us/together/possibilities.aspx?hdrFo=mthdr02'"--><svg><script><!>alert('XSS');document.location.replace('http://ehackingnews.com')</script>

http://www.microsoft.com/en-us/together/possibilities.aspx?hdrFo=mthdr02'"--></style></script%<svg><!>3E<script>alert('Simple XSS')</script>

The part of each URL after hdrFo= is the injected XSS attack code. The first payload pops up an alert box that says "XSS", and then redirects you to the ehackingnews.com website.

The simplified version of the code:
http://www.microsoft.com/en-us/together/possibilities.aspx?hdrFo=mthdr02'"--><script>alert("XSS")</script>

Replacing this code with malicious JavaScript would allow an attacker to steal cookies, or it could be used for a phishing attack. In the past, the researcher discovered an XSS vulnerability in the Ubuntu website as well.
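To show why an unencoded reflection of hdrFo is dangerous, what the server-side fix looks like, and how such requests can be spotted in access logs, here is an added Python example; it is not code from Microsoft or from the researcher. The page does not show the site's template or its log format, so the surrounding markup and the log lines below are assumed.

```python
import html
from urllib.parse import urlsplit, parse_qs

# The simplified proof-of-concept value from the page, as sent in the hdrFo parameter.
PAGE_PAYLOAD = "mthdr02'\"--><script>alert(\"XSS\")</script>"

# Assumed markup: the page does not show Microsoft's template, so this hypothetical one
# reflects hdrFo inside a quoted attribute and an HTML comment, the two contexts the
# payload's leading '" and --> are built to break out of.
TEMPLATE = '<div data-hdr="{value}"><!-- header variant: {value} --></div>'


def render_vulnerable(hdr_fo: str) -> str:
    """Reflect the query parameter verbatim: the defect the page describes."""
    return TEMPLATE.format(value=hdr_fo)


def render_fixed(hdr_fo: str) -> str:
    """Encode & < > " ' before the value is placed in HTML, so nothing in the
    input can open a tag or close the quote or comment it sits in."""
    return TEMPLATE.format(value=html.escape(hdr_fo, quote=True))


def contains_script_tag(markup: str) -> bool:
    """Crude oracle: does a literal <script element appear in the rendered output?"""
    return "<script" in markup.lower()


# Constructed access-log lines ("METHOD path STATUS") for the detection check below.
SAMPLE_LOG = [
    "GET /en-us/together/possibilities.aspx?hdrFo=mthdr02 200",
    "GET /en-us/together/possibilities.aspx?hdrFo=" + PAGE_PAYLOAD + " 200",
    "GET /en-us/together/possibilities.aspx 200",
]


def flag_suspicious_requests(log_lines):
    """Return log lines whose hdrFo value carries HTML tag syntax; a decoded '<' or
    '>' has no legitimate use in this parameter, so it is a cheap triage signal."""
    flagged = []
    for line in log_lines:
        fields = line.split(" ")
        if len(fields) < 2:
            continue
        params = parse_qs(urlsplit(fields[1]).query)
        if any("<" in v or ">" in v for v in params.get("hdrFo", [])):
            flagged.append(line)
    return flagged
```

The same encoding step must be applied at every place the parameter is reflected, since one unencoded copy is enough for the breakout to succeed.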