How i found Reflected XSS at Microsoft ?

Hello Cyber Security World! My name is Göktuğ and i am university student. Im study in Information Technology. My old computer was very bad. Last year that’s why I wasn’t able to research well for Bug Bounty. Just i was earning small cash prizes from small companies. Before I received my first money prize money, I asked my parents for a powerful computer. However, they gave me a negative answer. Because they didn’t believe I could do this job. I became ambitious and started earning cash prizes. I bought a new computer after receiving a few awards. When I bought this computer, I made a promise to myself. “I will find a vulnerability in Microsoft.”

After my computer arrived, I immediately started researching. I was always telling myself this. “Don’t be ridiculous Göktuğ. You won’t find any openings at Microsoft. Even the operating system you use is developed by that company.” However, I didn’t give up. I practiced the new things I learned for days. And finally I said to myself I will find XSS.

I think everyone has an auspicious XSS payload. at least i have! xD I was writing payloads in places no one would think of. And always the same error.

ACCESS DENİED!

One night at 03:47. (I even remember the time because I was so excited.) And finally I said to myself Why don’t you look where everybody knows?

docs.microsoft.com

I entered this domain. After a little research I saw a search box. I started to write my load slowly. Tags were accepted. And I wrote the whole payload.

AND BOOM!! Reflected XSS!!

It took about 2 weeks and I didn’t think to look at the places everyone knows. I smoked a cigarette feeling tired of this and thinking it was stupid. Thanks to this incident, my family stopped thinking that I couldn’t do this job.

I sent a mail to MSRC. And in about 1 month, this vulnerability was fixed. And they added my name to the Acknowledgment list for June 2020.

NEVER GİVE UP!

Twitter