Full Report
Bing Maps is similar to Google Maps. When using the dev center portal, they noticed a parameter with an embedded URL. By using this endpoint, it was possible to include maps from an arbitrary location on Bing. They call this a CORS vulnerability, which is somewhat confusing to me though. With the ability to add configuration files to another person's account, we have opened the door for a larger attack surface. The configuration file can be hosted from any location and can also link to a KML file used for styling the map. These map files render within the context of Bing Maps but have a strict blacklist. Notice how it's a denylist and not an allowlist. The denylist appears to be just a regex with some extra logic on top of that. The denylist didn't account for mixed-case characters. So, it's possible to add an href with jAvAsCriPt:(confirm)(1337) as the content. Of course, clicking on this link will now lead to XSS on the page. The XSS takes place on bing.com, which is crazy. Using this, an attacker could have read through many Microsoft web apps because they allow requests from Bing. The author claims this is wormable, but I tend to disagree with that. To me, if it's wormable, it should be 0 or 1 click. The user first needs to click on the page and then click on the specific link. Two clicks aren't wormable to me. Regardless, I enjoyed the vulnerabilities that were found in order to find this super impactful XSS!
Analysis Summary
Specific CVE, CVSS, and patch information are **not present** in the source report, so those fields are marked "N/A."
# Vulnerability: Bing Maps Arbitrary Configuration File Inclusion Leading to Stored XSS
## CVE Details
- CVE ID: N/A (Not specified in the context)
- CVSS Score: N/A (Not specified in the context)
- CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation (XSS)) - *Inferred*
## Affected Systems
- Products: Bing Maps Dev Center Portal functionality (Specific component related to embedding maps).
- Versions: Not specified in the context.
- Configurations: Use of an endpoint that allowed embedding maps with user-supplied configuration files.
## Vulnerability Description
The vulnerability resides in the Bing Maps dev center portal, where a parameter accepted an arbitrary URL to a map configuration file. These configuration files could in turn reference external KML files used for styling. The protection mechanism, a denylist (blacklist) applied to link targets in that content, was flawed: it did not account for mixed-case characters, so an attacker could bypass the filter with a scheme written as `jAvAsCriPt:`. Injecting a malicious link such as `jAvAsCriPt:(confirm)(1337)` into the configuration results in Cross-Site Scripting (XSS) when the crafted map is rendered under the `bing.com` origin. This allowed an attacker to execute arbitrary JavaScript in the context of the victim's browsing session on a highly trusted Microsoft domain.
## Exploitation
- Status: PoC available (The author demonstrated the input `jAvAsCriPt:(confirm)(1337)`.)
- Complexity: Medium (Requires two clicks: one to trigger the page load/render, and a second click specifically on the malicious link embedded in the map configuration.)
- Attack Vector: Network (Remote)
## Impact
- Confidentiality: High (Execution of XSS on `bing.com` could allow session hijacking or data exfiltration from other Microsoft web applications that trust requests originating from `bing.com`).
- Integrity: High (Ability to modify the rendered page content and user actions).
- Availability: Low (The primary impact is related to session and data integrity, not system downtime).
## Remediation
### Patches
- Specific patch details are not given in the source. The fix on Bing's side would need to close the case-sensitivity gap in the denylist, or replace the denylist with an allowlist.
### Workarounds
- Implement strict allow-listing (whitelist) for allowed protocols (e.g., only `https:` or specific domains) instead of relying on a denylist.
- Normalize input strings (for example, lower-case the URL scheme) before checking them against restricted characters and protocols, so that the comparison is case-insensitive.
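As an added example (not code from the report, and not Bing's actual filter), the denylist flaw from the description and the two workarounds above side by side: a hypothetical case-sensitive denylist that a mixed-case scheme slips past, and a scheme/host allowlist check built on the WHATWG URL parser, which lower-cases the scheme and strips whitespace before the comparison. The regex, function names and sample hrefs are assumptions.

```javascript
// Added example, not the original report's code. The regex and names are
// hypothetical stand-ins for a KML href filter, not Bing's real one.

// Vulnerable: case-sensitive denylist. "javascript:" is blocked, but
// "jAvAsCriPt:" passes because the regex has no "i" flag and the input
// is never normalised before matching.
const DENIED_SCHEMES = /^(javascript|data|vbscript):/;
function vulnerableIsAllowed(href) {
  return !DENIED_SCHEMES.test(href);
}

// Hardened: parse the href the way the browser will, then allow only
// known-good schemes (and optionally hosts). The WHATWG URL parser
// lower-cases the scheme and strips leading whitespace and embedded
// tab/newline characters, so casing and whitespace tricks do not help.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);
function hardenedIsAllowed(href, base = "https://www.bing.com/", allowedHosts = null) {
  let url;
  try {
    url = new URL(href, base); // relative hrefs resolve against the base
  } catch {
    return false; // unparseable input is rejected, never passed through
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return false;
  if (allowedHosts && !allowedHosts.has(url.hostname)) return false;
  return true;
}

// Constructed sample hrefs, as they might appear in a KML <href> element.
const SAMPLES = [
  "https://www.bing.com/maps/style.kml",
  "javascript:alert(1)",
  "jAvAsCriPt:(confirm)(1337)", // the mixed-case bypass from the report
  "  JAVA\tSCRIPT:alert(1)",     // leading whitespace plus embedded tab
  "//evil.example/style.kml",   // scheme-relative, resolves to another host
];

// Runs both checks over the samples; only the hardened check with a host
// allowlist rejects every unsafe entry.
function compare() {
  const hosts = new Set(["www.bing.com"]);
  return SAMPLES.map((href) => ({
    href,
    vulnerable: vulnerableIsAllowed(href),
    hardened: hardenedIsAllowed(href, undefined, hosts),
  }));
}
```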
## Detection
- [Indicators of Compromise]: Web traffic logs showing injection attempts containing non-standard casing for known dangerous protocols (e.g., `javascript:`, `data:`).
- [Detection Methods and Tools]: Web Application Firewalls (WAFs) configured to monitor for XSS payloads, especially those involving mixed-case protocols, within configuration management or embedding endpoints. Monitoring the payload execution environments (`bing.com`) for unexpected script execution.
## References
- [Vendor Advisories]: N/A (Not specified in the context)
- [Relevant Links - Defanged]: N/A (Not specified in the context)