
Xbox

Ch. Muhammad Osama, an independent vulnerability researcher, has discovered a content spoofing vulnerability in the Xbox blog, news.xbox.com, which can be exploited by an attacker to conduct XSS attacks.

Content Spoofing :-

Content spoofing, also referred to as content injection or virtual defacement, is an attack against a user that is made possible by an injection vulnerability in a web application. When an application does not properly handle user-supplied data, an attacker can supply content to the application, typically via a parameter value, that is reflected back to the user. The user is then presented with a modified page served under the context of the trusted domain.

This attack is typically used as, or in conjunction with, social engineering, because it exploits both a code-based vulnerability and the user's trust in the domain.
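As an added illustration that is not part of the original post, the constructed Python snippet below shows the reflection pattern the definition above describes, the same handler hardened by escaping, and a check a tester could run offline to tell the two apart; the template, the `notice` parameter and the probe string are assumptions, not details of the reported issue.

```python
import html
from urllib.parse import parse_qs, quote

# Constructed template (assumption): a page that reflects one query
# parameter into its body, as the definition above describes.
TEMPLATE = '<html><body><h1>News</h1><div id="notice">{notice}</div></body></html>'


def _notice_param(query_string: str) -> str:
    """Pull the 'notice' parameter out of a raw query string ('' if absent)."""
    return parse_qs(query_string).get("notice", [""])[0]


def render_vulnerable(query_string: str) -> str:
    """Reflect the parameter verbatim: attacker text becomes page markup."""
    return TEMPLATE.format(notice=_notice_param(query_string))


def render_hardened(query_string: str) -> str:
    """Same page, but the value is HTML-escaped before it reaches the template,
    so it can only ever render as text, never as markup."""
    return TEMPLATE.format(notice=html.escape(_notice_param(query_string), quote=True))


def reflects_markup(query_string: str, render) -> bool:
    """Detection check: does caller-controlled markup survive into the response
    unchanged? A True result means the handler reflects untrusted content."""
    probe = '<b data-probe="1">x</b>'            # harmless, recognisable marker
    sep = "&" if query_string else ""
    response = render(query_string + sep + "notice=" + quote(probe))
    return probe in response


if __name__ == "__main__":
    print("vulnerable reflects markup:", reflects_markup("", render_vulnerable))  # True
    print("hardened reflects markup:  ", reflects_markup("", render_hardened))    # False
```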

Proof of Concept :-

[Screenshot: xbox-poc]

Conclusion :-

This vulnerability has been confirmed and patched by the Microsoft Security Team. I would like to thank them for their quick response to my report.

[Screenshot: xbox-hof]

Status : Fixed!
Hall of Fame : Yes!
Bounty: No!


Choudhary Muhammad Osama

This is Choudhary Muhammad Osama, a highly accomplished Penetration Tester, Security Analyst and Linux Administration enthusiast, with extensive experience in implementing, maintaining, securing and pentesting web applications and networks.
