Zer0Byte

Geekiest Techno News

XSS In Microsoft AdCenter Service Website


Pentesters at www.vulnerability-lab.com found XSS on a Microsoft website.

Microsoft adCenter (formerly MSN adCenter) is the division of the Microsoft Network (MSN) responsible for MSN's advertising services. Microsoft adCenter provides pay-per-click advertisements. This is a service aimed at people who want to advertise a product. Microsoft also has a (still in beta) service for webmasters who want to monetize their site: Microsoft pubCenter.

Search and display advertising solutions for small businesses and large advertisers and agencies on Bing and Yahoo! Search, MSN, Windows Live, Xbox & Co.

(Copy of the Vendor Website: http://advertising.microsoft.com/home)

Abstract:

=========

The Vulnerability-Lab Team discovered multiple non-persistent cross-site scripting vulnerabilities in Microsoft's AdCenter website application.

A non-persistent cross-site scripting vulnerability was detected in Microsoft's AdCenter website application.

The vulnerability allows a remote attacker, with the required user interaction, to hijack customer sessions via cross-site scripting.

Successful exploitation can result in account theft, client-side phishing or session hijacking.

Vulnerable Module(s):

[+] austra123; media brands; tv

Picture(s):

../1.png

../2.png

../3.png

Proof of Concept:

=================

The vulnerabilities can be exploited by remote attackers with high required user interaction. For demonstration or reproduce …

Try These One By One :p

  • advertising.microsoft.com/austra123%27;alert%28document.cookie%29;a=%27
  • advertising.microsoft.com/media-brands';alert(document.cookie);a='
  • advertising.microsoft.com/tv';alert(document.cookie);a='
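All three PoC URLs share one shape: the requested path is written into a single-quoted JavaScript string, and a stray `'` in the path closes that string early. As an added example (not code from the advisory, from Vulnerability-Lab or from Microsoft's site), the block below assumes a hypothetical inline-script template that does exactly that, shows the output it produces for the advisory's payload, shows the same template with the value serialised as a proper JS string literal instead, and adds two defender-side helpers: a triage check for request paths that can break out of a string context, and a session cookie header that keeps `document.cookie` from exposing the session in the first place.

```javascript
// Added example, not from the advisory. Demonstrates the reflected-XSS
// pattern behind the PoC URLs and the corresponding output-encoding fix.

// Constructed input: the path portion of the advisory's first PoC URL, decoded.
const POC_PATH = "austra123';alert(document.cookie);a='";

// Vulnerable pattern (hypothetical template, NOT AdCenter's real code):
// the requested path is concatenated straight into an inline <script>.
function renderUnsafe(path) {
  return "<script>var page = '" + path + "';</script>";
}

// Hardened pattern: serialise the value as a JSON string literal (which
// escapes the delimiting quote and backslashes), then additionally escape
// characters that matter inside an HTML <script> block: '<' and '>' so
// "</script>" can never appear, and U+2028/U+2029, which JavaScript treats
// as line terminators even though JSON does not.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

function renderSafe(path) {
  return "<script>var page = " + jsStringLiteral(path) + ";</script>";
}

// Defender-side triage heuristic: does a request path contain characters
// that can terminate a JS string literal or the script block? Useful when
// grepping access logs for probes like the ones listed in the advisory.
function breaksStringContext(path) {
  return /['"\\<>\u2028\u2029]/.test(path);
}

// Mitigation for the impact the PoC demonstrates (alert(document.cookie)):
// a session cookie set with HttpOnly is not readable from script at all,
// so even a successful injection cannot read it. Name and value are
// constructed placeholders.
function sessionCookieHeader(name, value) {
  return name + "=" + encodeURIComponent(value) + "; Path=/; Secure; HttpOnly; SameSite=Lax";
}

// Running this file with node prints the vulnerable and the hardened output side by side.
console.log("unsafe: " + renderUnsafe(POC_PATH));
console.log("safe:   " + renderSafe(POC_PATH));
```

In the unsafe output the payload's first `'` ends the template's string and the `alert(...)` call runs as code; in the hardened output the whole path, including its quotes, survives as the value of `page` and nothing else executes. Note that `JSON.stringify` alone is not enough inside HTML, which is why `<`, `>` and the two Unicode line terminators are escaped on top of it.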

 Reference(s):

advertising.microsoft.com/austra123

advertising.microsoft.com/media-brands

advertising.microsoft.com/tv

 Risk:

=====

The security risk of the non-persistent cross-site scripting vulnerabilities is estimated as low(+).

Credits:

========

Vulnerability Research Laboratory – Ucha Gobejishvili (longrifle0x)
