Microsoft bug reports lead to ranking on Microsoft MSRC Quarterly Leaderboard (Q3 2022)

I rank 44th on the Microsoft MSRC Quarterly Leaderboard from my security bug reports submitted.

— Part 0 — Whoami?
— Part 1 — Selecting a program
— Part 2 — Let the hunt begin!
— Part 3 — Reporting
— Part 4 — Claims the Rewards
— Disclosure Timelines

Hello, I am Supakiad Satuwan, a Security Consultant from Thailand. In this article, I will go through the story of my first valid bug found on Microsoft bug bounty program. This has given me an opportunity to be ranked in MSRC 2022 Q3 Security Researcher Leaderboard. Let’s get started!

What is MSRC?

The Microsoft Security Response Center(MSRC) is part of the microsoft defender community and on the front line of microsoft security response evolution. This platform engaged with security researchers working to protect Microsoft’s customers and the broader ecosystem. For more details: Microsoft Security Response Center

Before starting my bug bounty hunting journey, I navigated to Microsoft Bounty Programs | MSRC for a list of in-scope and ongoing programs. After going through the list, I decided to work on Microsoft Dynamics 365 and Power Platform Program.

Microsoft Dynamics 365 and Power Platform

Analyzing the target

I started the hunt on Power Apps Platform.
While analyzing the Power Apps Platform and the applications on it, I noticed that an application sent requests to https://apps.powerapps.com

It caught my attention. Therefore, I navigated to the following URL:

https://apps.powerapps.com/authflow/authframe?telemetryLocation=global

This page displayed nothing. However, after viewing the HTML code, I noticed that the value of telemetryLocation parameter was reflected to the page.

I modified the value of telemetryLocation parameter from global to m3ez. The result proved that I could control telemetryLocation value.

Exploit start!

After analyzing this page, I performed Cross-site Scripting (XSS) testing by injecting the following JavaScript payload:

</script>

As a result, I discovered that the page reflected the payload without input validation or sanitization mechanism.

I injected the following XSS payload into telemetryLocation parameter:

</script><body/onload=alert(`m3ez`)>

The final URL was

https://apps.powerapps.com/authflow/authframe?telemetryLocation=</script><body/onload=alert(`m3ez`)>

After opening the link, the XSS payload was executed as shown in the image below.

PoC

After discovering and confirming that the target was vulnerable to Cross-site Scripting (XSS), I immediately began the report process through MSRC portal. This consists of the following steps:

Navigated to Report a Vulnerability | MSRC Researcher Portal
Entered vulnerability details, including Impact, PoC, and Evidence. Then, submitted the form.

MSRC Researcher Portal (microsoft.com)

After 4 days, MSRC team replied and confirmed my report. ^_^

Within the same day, Microsoft bounty team replied that they were reviewing a possible bounty award for my vulnerability report.

After a few hours, I received great news from the MSRC team ^_^

Part 4 — Claims the Rewards

After Microsoft bounty team confirming my report eligibility for bounty rewards, they inquired about payment providers selection for bounty awards delivery.

Note: Currently, Microsoft only supports awards delivery through either Bugcrowd or Microsoft Payment Central in order to receive bounty award payments.

A few weeks later, I received an email from Bugcrowd which contains a submission claiming link from Microsoft Bug Bounty Program.

After claiming, I received my first reward from Microsoft Bug Bounty Program.

A few months later, my name has been ranked on 2022 Q3 Leaderboard | MSRC Researcher Portal (microsoft.com)

And I have been recognized on the recent quarterly leaderboard for Microsoft MSRC and will be receiving some MSRC magic swag as a reward for my achievements!

Disclosure Timelines

Sep 23, 2022 — Vulnerability Discovered and Reported through MSRC portal.
Sep 27, 2022 — MSRC team confirmed. MSRC ticket was moved to Review/Repro.
Sep 27, 2022 — MSRC status was changed from Review / Repro to Develop
Dec 1, 2022 — MSRC status was changed to Pre-Release and Complete.
Dec 23, 2022 — Public release of the security advisory.

This is my first bug bounty writeup and a part of my valid bugs found on the Microsoft bounty program. I hope you enjoy the story. Thank you for reading.
Special thanks to Suphitcha Worasing for reviewing the content and grammar.

Any comments and suggestions will be appreciated ^_^