Pakistani security expert Rafay Baloch is the one who identified the flaw

Mar 21, 2013 07:11 GMT  ·  By

Security expert Rafay Baloch has identified a DOM-based cross-site scripting vulnerability on the official Canadian website of Microsoft Dynamics. Since Microsoft has addressed the issue, the researcher has published its details on his blog.

“The vulnerability occurs due to lack of filtering being done inside the riotracking script,” the expert noted.

“I have reported several DOM-based XSS inside Microsoft; most of them were due to the lack of input filtering/sanitization inside several tracking scripts, such as the sitecatalyst and riotracking scripts, as they often introduce some vulnerable sources and sinks,” Baloch explained.

He says he has found other Microsoft domains using the same tracking script that’s vulnerable to DOM-based XSS attacks.
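The pattern Baloch describes, a tracking-style script in which a URL-derived source reaches an HTML sink without filtering, shown as an added example beside a hardened version. This is illustrative code written for this page, not Microsoft's riotracking or sitecatalyst code; the function names and the sample URL are constructed, and the URL is passed in as a string so the snippet runs outside a browser.

```javascript
// Constructed sample URL: the "campaign" parameter carries markup, which is
// what an attacker-controlled URL would deliver to a DOM-based XSS source.
const DOM_SOURCE_SAMPLE =
  "https://example.invalid/page?campaign=spring<b>injected</b>";

// Source: read the campaign parameter from a URL (in a browser this would be
// location.href). searchParams.get() returns the decoded value.
function campaignFromUrl(url) {
  return new URL(url).searchParams.get("campaign") ?? "";
}

// Sink, unsafe: the raw value is concatenated into markup. Tracking scripts
// often build pixel tags this way, so the markup in the URL ends up executed
// as part of the page.
function buildTrackingPixelUnsafe(campaign) {
  return '<img src="/t.gif?c=' + campaign + '" alt="">';
}

// Encoder for the HTML text / attribute context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Sink, hardened (URL context): allow-list the value, then encode it for the
// URL it is embedded in. Anything outside the expected alphabet is replaced.
function buildTrackingPixelSafe(campaign) {
  const ok = /^[A-Za-z0-9_-]{1,64}$/.test(campaign) ? campaign : "unknown";
  return '<img src="/t.gif?c=' + encodeURIComponent(ok) + '" alt="">';
}

// Sink, hardened (HTML text context): the same value shown to the user is
// HTML-encoded, so "<b>" is displayed literally rather than interpreted.
function buildCampaignLabelSafe(campaign) {
  return '<span class="campaign">' + escapeHtml(campaign) + "</span>";
}

// Detection helper for logs: flag parameter values that contain markup
// characters, which a legitimate campaign identifier never needs.
function looksLikeMarkupInjection(value) {
  return /[<>"']/.test(value);
}
```

The lesson the quote points at is that the encoding must match the sink's context: `encodeURIComponent` for a URL attribute, HTML entity encoding for text, and an allow-list whenever the value has a known shape.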

The details of other similar vulnerabilities reported by the expert to the Redmond company can be found here and here.