DeepSec 2018 Talk: A Tour of Office 365, Azure & SharePoint, through the Eyes of a Bug Hunter – Dr.-Ing Ashar Javed

Sanna/ October 5, 2018/ Conference, Security

Cross-Site Scripting (XSS) outbreak has started almost twenty years ago and since then it has been infecting web applications at a concerning pace. It is feared that the influx of programs and bug hunters arriving at bug bounty platforms will worsen the situation given more disclosed cases of bug(s) or public citing and viewing. According to #FakeNews Media, the outbreak engulfed One Microsoft Way in Redmond. This is where a contagious tour starts.

The tour guide will convoy you through 50 award winning shattered windows in Office 365, Azure and SharePoint. All reported XSS findings spawned great riches and ended up in The Honor Roll or made their way to a simple acknowledgement entry or several CVE-plated thanks. The goal of this walking tour: an intimate look at Microsoft online or cloud services (Office 365 and Azure) bug bounty programs through the eyes of a bug hunter.

This briefing will conclude on: classical XSS is here to stay while Redmond’s outbreak “… was like a storm. But storms, they can come back. Can’t they? The question is, if they come back, is it the same storm, or has something changed?”

Please tell us the top 5 facts about your talk.

  1. Share my experience of participation in Microsoft’s bug bounty program. As a bug hunter, what was my expectation from a company like Microsoft, and, at the end of day, what did I actually get…
  2. This talk will show simple Cross-Site Scripting (XSS) vulnerabilities in Microsoft’s flag-ship product i.e, Office 365. But wait …. what’s “simple”? Is it even possible that simple XSS issues are lurking there still, even though they had a red, blue and dedicated team of pentesters? One more thing, please don’t forget that customized automation vulnerabilities finding tools are also at Microsoft’s disposal.
  3. Why is it real hard to fix XSS in Office 365? We will try to figure out the answer in our talk.
  4. To be precise, as of now 118 bounty qualified submissions.
  5. XSS is here to stay…

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

The rough idea was to end up somewhere on the list of Top 100 security researchers published by Microsoft every year. Currently I am at #1 on the list of Microsoft’s Top 100 security researchers of 2018. Needless to say that one aspect I had in my mind was definitively financial gain.

Why do you think this is an important topic?

Bug bounties and the discussions around them are always interesting and spark further debate.

Is there something you want everybody to know – some good advice for our readers maybe?

Come and meet the number one security researcher on the list of Microsoft’s Top 100 security researchers of 2018.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

The team behind secure@microsoft.com will receive more reports in particular regarding the Office 365. I believe that hundreds of Cross-Site Scripting issues are still not “unearthed” in Office 365. It may be your turn to find the needle.

 

Ashar Javed currently works on penetration testing, source code review and mobile application vulnerability assessments at Hyundai AutoEver Europe GmbH (an IT service company for Hyundai & KIA Motors). He works alongside developers and external third-party application vendors in order to eliminate web vulnerabilities. He has spent three years as a security researcher for Ruhr-Universität Bochum, Germany. Ashar holds a PhD degree from Ruhr-Universität Bochum and MSc from Technische Universität Hamburg-Harburg, Germany. His research interests include web application vulnerabilities and in particular Cross-Site Scripting. He has a passion for XSS and lives and breathes in XSS. Last but not the least, thanks to XSS, Ashar is at #1 spot in Microsoft’s Security Response Center (#MSRC) Top 100 Security Researchers List of 2018. 

Share this Post