Full Report
Bing is the Microsoft search engine. BingBot is the web crawler used to keep Bing up to date with search results. When a user searches for a video on Bing, the search engine retrieves the content from its index with all of the video's details. Even though the data is stored as JSON, the returned content type is text/html for some reason. Since the metadata associated with a video is completely controlled by whoever uploaded it, the browser may treat the response as a loadable HTML page! The author created a video on several different platforms with script tags in its metadata. Once the indexer had picked this up, visiting the exact index page for it led to stored XSS on Bing. A user must click the link in order to be exploited, though. Another Content Type mishap! I feel like I've been seeing more and more write-ups about this. Good find!
Analysis Summary
# Vulnerability: Stored XSS on Microsoft Bing via Web Crawler Metadata
## CVE Details
- **CVE ID:** Not explicitly assigned in the provided text (common for single-domain web vulnerabilities reported via bug bounties).
- **CVSS Score:** Estimated 6.1 (Medium) - [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N]
- **CWE:** CWE-79 (Improper Neutralization of Input During Web Page Generation), CWE-436 (Interpretation Conflict)
## Affected Systems
- **Products:** Microsoft Bing Search Engine
- **Versions:** Cloud-based service (N/A)
- **Configurations:** Bing Video Search results page and individual video metadata display pages.
## Vulnerability Description
The vulnerability is a **Stored Cross-Site Scripting (XSS)** flaw resulting from a MIME-type sniffing/interpretation conflict. When BingBot (Microsoft’s web crawler) indexes video content from third-party platforms, it stores user-controlled metadata (such as titles or descriptions) in its index as JSON.
However, when Bing served this specific metadata back to a user via a direct URL, it improperly set the `Content-Type` header to `text/html` instead of `application/json`. Because the content was rendered as HTML, any malicious `<script>` tags embedded in the video metadata by an attacker were executed by the victim's browser in the context of the `bing[.]com` domain.
## Exploitation
- **Status:** PoC available (Validated by the researcher and Microsoft)
- **Complexity:** Low (Attacker simply needs to upload a video with a malicious payload to a platform indexed by BingBot).
- **Attack Vector:** Network (Remote)
- **User Interaction:** Required (Target must click a specific link to the video index page on Bing).
## Impact
- **Confidentiality:** Low (Possible theft of session cookies or CSRF tokens within the Bing domain).
- **Integrity:** Low (Ability to modify the appearance of the Bing page or redirect the user).
- **Availability:** None.
## Remediation
### Patches
- **Microsoft Response:** The server-side logic has been updated to correctly handle the `Content-Type` for metadata responses. Accessing these indexing endpoints now returns the correct MIME type (e.g., `application/json`), preventing in-browser execution of script tags.
### Workarounds
- **User Side:** Standard security hygiene—avoiding suspicious links from untrusted sources.
- **Developer Side:** Implementation of a strict `Content-Security-Policy` (CSP) and ensuring the `X-Content-Type-Options: nosniff` header is present on all API/JSON responses.
## Detection
- **Indicators of Compromise:** Unusual activity coming from `bing[.]com` subdirectories associated with video metadata.
- **Detection methods and tools:** Web Application Firewalls (WAF) can be configured to detect `<script>` tags or common XSS patterns within search result parameters. Penetration testing tools (Burp Suite, OWASP ZAP) can identify "Content Type Mishaps" by comparing the response body against the declared `Content-Type` header.
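The following added example (not Bing's code, and not from the researcher's write-up) puts the remediation and the detection check above side by side. `serve_metadata_vulnerable` and `serve_metadata_fixed` are hypothetical handlers that return the headers and body a server might emit for a crawled video's metadata; the first reproduces the "JSON declared as `text/html`" mistake, the second applies the fixes listed under Workarounds (`application/json`, `X-Content-Type-Options: nosniff`, a restrictive CSP). `content_type_findings` is the check a scanner or proxy plugin would run: it compares what the body parses as against what the `Content-Type` header declares. The metadata dictionary is a constructed sample.

```python
import json
from typing import Dict, List, Tuple

Headers = Dict[str, str]

# Constructed sample of the kind of metadata a crawler stores for a video.
# The title stands in for uploader-controlled text carrying a script tag.
SAMPLE_METADATA = {
    "title": "<script>alert(document.domain)</script>",
    "description": "constructed sample description",
    "durationSeconds": 42,
}

# MIME types under which a browser will not render a JSON body as a page.
JSON_TYPES = {"application/json", "application/ld+json"}


def serve_metadata_vulnerable(metadata: dict) -> Tuple[Headers, bytes]:
    """'Before' behaviour described in the write-up (hypothetical handler):
    the body is JSON, but the declared type is text/html, so a browser that
    navigates straight to the URL renders it and executes the script tag."""
    body = json.dumps(metadata).encode("utf-8")
    headers = {"Content-Type": "text/html; charset=utf-8"}
    return headers, body


def serve_metadata_fixed(metadata: dict) -> Tuple[Headers, bytes]:
    """Hardened handler (hypothetical): correct MIME type, nosniff so the
    browser cannot second-guess it, and a restrictive CSP as defence in depth."""
    body = json.dumps(metadata).encode("utf-8")
    headers = {
        "Content-Type": "application/json; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; frame-ancestors 'none'",
    }
    return headers, body


def content_type_findings(headers: Headers, body: bytes) -> List[str]:
    """Flag a 'content type mishap': a body that parses as JSON but is
    declared with a type a browser would render, or that lacks nosniff.
    Returns human-readable findings; an empty list means the response is clean."""
    lower = {k.lower(): v for k, v in headers.items()}
    declared = lower.get("content-type", "").split(";")[0].strip().lower()
    text = body.decode("utf-8", errors="replace").lstrip()

    # Only treat the body as JSON if it actually parses, not just on a leading brace.
    looks_like_json = False
    if text[:1] in ("{", "["):
        try:
            json.loads(text)
            looks_like_json = True
        except ValueError:
            pass

    findings = []
    if looks_like_json and declared not in JSON_TYPES:
        findings.append(f"JSON body declared as '{declared or 'none'}'")
    if lower.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    if declared == "text/html" and "<script" in text.lower():
        findings.append("script tag in a body the browser will render as HTML")
    return findings


if __name__ == "__main__":
    for name, handler in (("vulnerable", serve_metadata_vulnerable),
                          ("fixed", serve_metadata_fixed)):
        hdrs, body = handler(SAMPLE_METADATA)
        print(name, content_type_findings(hdrs, body) or ["no findings"])
```

Run against the vulnerable handler the check reports all three problems (JSON under `text/html`, no `nosniff`, a script tag in a renderable body); against the fixed handler it reports nothing. The same function can be pointed at captured proxy responses: parse the headers into a dictionary, pass the raw body, and any endpoint that returns JSON under an HTML type is a candidate for the class of flaw this report describes.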
## References
- **Vendor Advisory:** Microsoft Security Response Center (MSRC)
- **Researcher Write-up:** hxxps[://]vuln[.]house/ (Reference based on common write-up patterns for this flaw)
- **General Info:** hxxps[://]www[.]bing[.]com/webmasters/help/webmaster-guidelines-30f72a07