Acknowledged By Microsoft For Reporting Vulnerabilities

Microsoft Hacked
For the past couple of months, I have been doing more teaching than learning. Therefore, I decided to go after the learning part and chose to go after Microsoft, as they had an acknowledgement program for security researchers around the web who find vulnerabilities inside their online services and report them.

Recently, I received an acknowledgement from Microsoft for reporting high-risk vulnerabilities to them. I reported the following vulnerabilities:

1. Cross-Site Scripting
2. HTML Injection
3. HTTP Parameter Pollution
4. DOM-Based Cross-Site Scripting

The cross-site scripting and HTML injection vulnerabilities were verified by Microsoft and fixed. However, the HTTP parameter pollution and DOM-based cross-site scripting vulnerabilities are still being verified by Microsoft. I promised on my Facebook page that I would make the details of the vulnerabilities public when they are fixed, so I recorded a small video that demonstrates the attack. However, I haven't explained how a non-persistent cross-site scripting vulnerability can be used to perform a variety of different attacks, such as phishing, session hijacking, etc.

You can find my name listed in Security researchers for the month of August 2012 here.

Proof Of Concept

What's Next?

I have decided to go after ebay.com and apple.com, as they also have acknowledgment programs. I will keep you updated once I find vulnerabilities in them too. I have already found one in Apple and have reported it to them, and I am waiting for their response.