+1 (512) 588 6950
Microsoft Forms Vulnerability: Reflected Cross-site Scripting (XSS)
In this blog post, I will discuss the details of a reflected cross-site scripting (XSS) vulnerability in Microsoft Forms.
Additionally, in my last blog post, I disclosed a vulnerability report on Microsoft Power Apps and dove into the processes of reporting. You can refer to my previous post on: Microsoft bug reports lead to ranking on Microsoft MSRC Quarterly Leaderboard (Q3 2022) for more detailed information on the process of reporting and claiming rewards through MSRC platform.
I followed the MSRC’s guidelines for reporting vulnerabilities and submitted my findings. For more information, please refer to:
Reflected XSS (Cross-Site Scripting) is a type of web vulnerability that allows an attacker to inject malicious code into a website, which is then executed by the victim’s browser. This happens when the website includes untrusted user input in its pages without proper validation or encoding. The attacker crafts a special link or form that, when clicked or submitted by the victim, causes the victim’s browser to execute the malicious code. The victim’s browser is tricked into thinking the code is part of the website, allowing the attacker to steal sensitive information or perform other malicious actions
Here is an example of a proof of concept that demonstrates the vulnerability:
1. Navigated to URL:
2. Injected XSS payload into
id parameter value and added to a vulnerable URL from step 1.
The payload was used:
Example injected Link:
3. Open the URL in step 2.
4. When users open the XSS inject link, the XSS payload will be triggered and executed as shown below.