How I found a Reflected XSS at Microsoft

Göktuğ Kaya
2 min read, Jun 6, 2021

Hello Cyber Security World! My name is Göktuğ and I am a university student studying Information Technology. My old computer was very bad, which is why last year I wasn’t able to do proper Bug Bounty research; I was only earning small cash prizes from small companies. Before I received my first prize money, I asked my parents for a powerful computer. However, they said no, because they didn’t believe I could do this job. That made me ambitious, and I started earning cash prizes. After receiving a few awards I bought a new computer, and when I bought it I made a promise to myself: “I will find a vulnerability in Microsoft.”

After my computer arrived, I immediately started researching. I kept telling myself: “Don’t be ridiculous, Göktuğ. You won’t find any holes at Microsoft. Even the operating system you use is developed by that company.” However, I didn’t give up. I practiced the new things I learned for days, and finally I said to myself: I will find an XSS.

I think everyone has a lucky XSS payload. At least I have one! xD I was writing payloads in places no one would think of, and I always got the same error:

ACCESS DENIED!

One night at 03:47 (I even remember the time because I was so excited), I finally said to myself: why don’t you look where everybody knows?

docs.microsoft.com

I entered this domain. After a little research I saw a search box. I started to type my payload slowly. Tags were accepted. And then I wrote the whole payload.

AND BOOM!! Reflected XSS!!
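What makes a search box like this exploitable is that the query is echoed into the page as markup rather than as text. The following is an added illustration, not code from the original post or from docs.microsoft.com: a minimal page renderer in the vulnerable form, the same renderer with output encoding, and a check that tells the two apart. Function names and the sample input are assumptions.

```javascript
// Added example (not from the original post): a minimal search page that
// reflects the query into HTML, first the vulnerable way, then encoded.
// Plain Node.js, no dependencies.

// Vulnerable: the query is concatenated straight into the HTML, so any
// tag the user types is rendered by the browser instead of shown as text.
function renderSearchPageVulnerable(query) {
  return `<h1>Results for: ${query}</h1>`;
}

// Hardened: escape the five HTML-significant characters before the query
// reaches an HTML text context. Attribute, URL and JavaScript contexts
// need their own encoders; this one is only for element content.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

function renderSearchPageSafe(query) {
  return `<h1>Results for: ${escapeHtml(query)}</h1>`;
}

// Defender-side check: does a harmless probe tag come back unescaped?
// True means the renderer reflects markup and needs encoding.
function reflectsTags(render, probe = "<b>probe</b>") {
  return render(probe).includes(probe);
}

// Constructed sample input, similar to what a tester types into a search box.
const sample = "<b>hello</b>";
console.log(renderSearchPageVulnerable(sample)); // tag reflected verbatim
console.log(renderSearchPageSafe(sample));       // tag shown as literal text
console.log(reflectsTags(renderSearchPageVulnerable), reflectsTags(renderSearchPageSafe));
```

The same probe-based check works against any renderer that takes a string and returns HTML, which is how a regression test for this fix can be written.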

It took about 2 weeks, and I hadn’t thought to look at the places everyone knows. I smoked a cigarette, feeling tired of all this and thinking how stupid it was. Thanks to this incident, my family stopped thinking that I couldn’t do this job.

I sent an email to MSRC, and in about 1 month the vulnerability was fixed. They added my name to the Acknowledgment list for June 2020.

NEVER GIVE UP!
