A Tour of Office 365, Azure & SharePoint, through the Eyes of a Bug Hunter

Presented at DeepSec 2018 „I like to mov &6974,%bx“, Unknown date/time (Unknown duration).

The Cross-Site Scripting (XSS) outbreak started almost twenty years ago and has been infecting web applications at a concerning pace ever since. It is feared that the influx of programs and bug hunters arriving at bug bounty platforms will worsen the situation, given more disclosed cases of bugs and more public citing and viewing. According to #FakeNews Media, the outbreak engulfed One Microsoft Way in Redmond. This is where a contagious tour starts. The tour guide will convoy you through 50 award-winning shattered windows in Office 365, Azure and SharePoint. All reported XSS findings spawned great riches and ended up in The Honor Roll, made their way to a simple acknowledgement entry, or earned several CVE-plated thanks. The goal of this walking tour: an intimate look at Microsoft's online and cloud services (Office 365 and Azure) bug bounty programs through the eyes of a bug hunter. This briefing will conclude that classical XSS is here to stay, while Redmond's outbreak "... was like a storm. But storms, they can come back. Can't they? The question is, if they come back, is it the same storm, or has something changed?"

Presenters:

  • Dr.-Ing Ashar Javed - Hyundai AutoEver Europe GmbH
    Ashar Javed currently works on penetration testing, source code review and mobile application vulnerability assessments at Hyundai AutoEver Europe GmbH (an IT service company for Hyundai & KIA Motors). He works alongside developers and external third-party application vendors in order to eliminate web vulnerabilities. He has spent three years as a security researcher at Ruhr-Universität Bochum, Germany. Ashar holds a PhD degree from Ruhr-Universität Bochum and an MSc from Technische Universität Hamburg-Harburg, Germany. His research interests include web application vulnerabilities and in particular Cross-Site Scripting. He has a passion for XSS and lives and breathes XSS. Ashar has delivered talks at major security events including Black Hat Europe 2014, Hack in the Box Kuala Lumpur 2013, OWASP Spain (2014, 2015 & 2016), SAP Product Security Conference 2015, International PHP Conference 2015, ISACA Ireland 2014, RSA Europe (OWASP Seminar) 2013, DeepSec, Austria (2013, 2014 & 2015), and GISEC, Dubai 2016. In his free time, he likes to participate in bug bounty programs. He has been listed 30 times on Microsoft's acknowledgement page for online services and achieved the #22 rank among Microsoft's Top 100 researchers of 2017; other hall-of-fame acknowledgements include Google, Twitter/Paypal/Ebay/GitHub/Adobe/Etsy/Netflix/AT&T Security Pages & Facebook White Hat. Ashar is #1 among the Top 5 bug bounty hunters recognized by Microsoft for Q1 and Q2 of 2018. Ashar also does security consulting, including consulting for a media tycoon. He blogs at "Respect XSS" and tweets at @soaj1664ashar.
