Ch. Muhammad Osama, an independent vulnerability researcher, has discovered a Content Spoofing vulnerability in the XBOX Blog (news.xbox.com), which could be exploited by an attacker to conduct XSS attacks.

Content Spoofing :-

Content spoofing, also referred to as content injection or virtual defacement, is an attack targeting a user that is made possible by an injection vulnerability in a web application. When an application does not properly handle user-supplied data, an attacker can supply content to the web application, typically via a parameter value, that is reflected back to the user. This presents the user with a modified page under the context of the trusted domain.

This attack is typically used as, or in conjunction with, social engineering because the attack is exploiting a code-based vulnerability and a user’s trust.
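To make the reflection concrete, here is an added example (not code from the original post or from the affected site) that contrasts a page rendering a query parameter verbatim with the same page applying HTML output encoding, plus a small check a test suite can use to flag the reflected-markup condition. All names, the URL and the template are constructed for illustration.

```python
import html
from urllib.parse import parse_qs, urlparse

# Constructed page template: `msg` is the spot where the parameter is reflected.
TEMPLATE = "<html><body><div class='notice'>{msg}</div></body></html>"


def reflected_param(url: str, name: str = "msg") -> str:
    """Extract the reflected query parameter from a request URL (constructed helper)."""
    return parse_qs(urlparse(url).query).get(name, [""])[0]


def render_vulnerable(msg: str) -> str:
    """Unsafe: the user-supplied value is placed into the page as-is, so any
    markup it carries is rendered as part of the trusted domain's page."""
    return TEMPLATE.format(msg=msg)


def render_fixed(msg: str) -> str:
    """Mitigation: escape for the HTML body context, so the value is shown
    as text and never interpreted as markup."""
    return TEMPLATE.format(msg=html.escape(msg, quote=True))


def reflects_markup(page: str, msg: str) -> bool:
    """Detection check: True when an input containing markup characters
    appears in the response unchanged, i.e. the reflection is unencoded."""
    has_markup = any(c in msg for c in "<>\"'")
    return has_markup and msg in page


if __name__ == "__main__":
    # Constructed request with a percent-encoded, attacker-controlled parameter.
    url = "https://blog.example.test/news?msg=%3Cb%3Econstructed%20notice%3C%2Fb%3E"
    value = reflected_param(url)
    print("vulnerable reflects markup:", reflects_markup(render_vulnerable(value), value))
    print("fixed reflects markup:     ", reflects_markup(render_fixed(value), value))
```

The same check can be run against captured responses from a staging environment to confirm that a fix like the one Microsoft applied actually encodes the reflected value.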

Proof of Concept :-

[Screenshot: xbox-poc]

Conclusion :-

This vulnerability has been confirmed and patched by the Microsoft Security Team. I would like to thank them for their quick response to my report.

[Screenshot: xbox-hof]

Status : Fixed!
Hall of Fame : Yes!
Bounty: No!


Choudhary Muhammad Osama

This is Choudhary Muhammad Osama, a highly accomplished Penetration Tester, Security Analyst and Linux Administration enthusiast, with extensive experience in implementing, maintaining, securing and pentesting web applications and networks.
