Bing Maps is similar to Google Maps. When using the dev center portal, they noticed a parameter with an embedded URL. By using this endpoint, it was possible to include maps from an arbitrary location on Bing. They call this a CORS vulnerability, which I find somewhat confusing.
With the ability to add configuration files to another person's account, we have opened the door for a larger attack surface. The configuration file can be hosted from any location and can also link to a KML file used for styling the map. These map files render within the context of Bing Maps but are subject to a strict denylist.
Notice how it's a denylist and not an allowlist. The denylist appears to be just a regex with some extra logic on top of that. The denylist didn't account for mixed-case characters. So, it's possible to add an href with jAvAsCriPt:(confirm)(1337) as the content. Of course, clicking on this link will now lead to XSS on the page.
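The mixed-case gap described above, as an added example that is not code from the write-up or from Bing: a hypothetical case-sensitive scheme denylist next to an allowlist that parses the href before deciding. The regex, the function names and the maps.example.invalid base URL are assumptions made for illustration.

```javascript
// Hypothetical filter, constructed for illustration: a case-sensitive
// denylist of URL schemes, the class of check the write-up describes.
const DENYLIST = /^\s*(javascript|vbscript|data):/;

function denylistAllows(href) {
  return !DENYLIST.test(href);
}

// Hardened form: parse the value first, then permit only known-good schemes.
// The WHATWG URL parser lowercases the scheme, so every casing of a scheme
// collapses to one canonical value before the comparison happens.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);
const BASE = "https://maps.example.invalid/"; // placeholder base for relative hrefs

function allowlistAllows(href) {
  let url;
  try {
    url = new URL(href, BASE);
  } catch {
    return false; // unparseable input is rejected, not passed through
  }
  return ALLOWED_SCHEMES.has(url.protocol);
}

// Constructed sample hrefs; the mixed-case value is the one quoted in the text.
const SAMPLES = [
  "https://example.invalid/pin.png",
  "/relative/path",
  "javascript:(confirm)(1337)",
  "jAvAsCriPt:(confirm)(1337)",
  "mailto:someone@example.invalid", // not on the denylist, not on the allowlist
];

// Returns one verdict row per href so the two filters can be compared.
function compare(samples) {
  return samples.map((href) => ({
    href,
    denylist: denylistAllows(href),
    allowlist: allowlistAllows(href),
  }));
}

for (const row of compare(SAMPLES)) {
  console.log(JSON.stringify(row));
}
```

The denylist passes the mixed-case href and the unlisted mailto: scheme, while the allowlist rejects both because it defaults to deny.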
The XSS takes place on bing.com, which is crazy. Using this, an attacker could have read through many Microsoft web apps because they allow requests from Bing.
The author claims this is wormable, but I tend to disagree with that. To me, if it's wormable, it should be 0 or 1 click. The user first needs to click on the page and then click on the specific link. Two clicks isn't wormable to me. Regardless, I enjoyed the vulnerabilities that were found in order to find this super impactful XSS!