Awesome MSRC Writeups

🐛 A list of writeups from the MSRC (Microsoft) Bug Bounty program

*writeups: not just writeups

Based off the Awesome Google VRP Writeups repository.

Contributing:

If you know of any writeups/videos not listed in this repository, feel free to open a Pull Request.

To add a new writeup, simply add a new line to writeups.csv:

[YYYY-MM-DD],[bounty],[title],[url],[author-name],[author-url],[type],false,?

If a value is not available, write ?.
The value of type can either be blog or video.
If any of the fields include a ,, please wrap the value in quotes.
Please keep the last two fields set to false and ?. The automation will modify these fields.
If available, set author-url to the author's Twitter URL, so the automation can @mention the author.

Writeups:

2025:

• [Sep 17 - $???] One Token to rule them all - obtaining Global Admin in every Entra ID tenant via Actor tokens* by Dirk-jan Mollema
• [Sep 16 - $20,000] Cross-Tenant Access Exploit in Microsoft Entra ID: Breaking Governance with a simple trick* by Bashir Mohamed (BlackPanther87)
• [Aug 25 - $7,500] Microsoft Partner Leak: Leaking Microsoft Employee PII and 700M+ Partner Records* by Faav
• [Jul 25 - $7,500] How a Simple Endpoint Earned Me a $7500 Bounty from Microsoft* by Gouri Sankar A
• [Jul 19 - $???] How I Found an XSS Vulnerability in a Microsoft subdomain* by Arjun Shetty
• [Jul 18 - $0] Break into any Microsoft building: Leaking PII in Microsoft Guest Check-In* by Faav
• [Jun 29 - $???] Triple Trouble: Bypassing Sanitization to Steal Microsoft Tokens* by Asem Eleraky
• [May 21 - $???] Account takeover vulnerability in Azure’s API Management Developer Portal* by Thomas Stacey
• [May 15 - $???] Unveiling the Secrets: SSRF Adventures in Microsoft’s AI Playground* by elhabtiesoufiane@gmail.com
• [Apr 20 - $???] Escalating Impact: Full Account Takeover in Microsoft via XSS in Login Flow* by Asem Eleraky

2024:

• [Oct 24 - $0] How I Accessed Microsoft’s ServiceNow — Exposing ALL Microsoft Employee emails, Chat Support Transcripts & Attachments* by Moblig
• [Oct 08 - $3,000] From 401 — Unauthorized Access to 3000 $ Bounty from Microsoft.* by Bashir Mohamed (BlackPanther87)
• [Oct 08 - $5,000] How I got a 5000 $ Bounty from Microsoft* by Bashir Mohamed (BlackPanther87)
• [Sep 13 - $???] Escalating from Reader to Contributor in Azure API Management* by Christian Håland
• [Aug 07 - $3,000] Persistent XSS on Microsoft Bing.com by poisoning Bingbot indexing* by Supakiad S. (m3ez)
• [Jul 10 - $???] Dynamics 365 Business Central - A Journey With Ups and Downs* by Frycos
• [Jun 14 - $???] CVE-2024-20693: Windows cached code signature manipulation* by Sector7
• [Jun 03 - $???] These Services Shall Not Pass: Abusing Service Tags to Bypass Azure Firewall Rules (Customer Action Required)* by Liv Matan
• [May 28 - $???] Multiple vulnerabilities in Eclipse ThreadX* by Marco Ivaldi
• [May 11 - $???] My Hunt: Discovering Microsoft Bugs* by c0d3x27
• [May 07 - $???] Lethal Injection: How We Hacked Microsoft's Healthcare Chat Bot* by Yanir Tsarimi
• [Feb 09 - $???] JSON CSRF in Microsoft Bing Maps Collections* by Jayateertha Guruprasad
• [Jan 31 - $???] Azure Devops Zero-Click CI/CD Vulnerability* by Nadav Noy
• [Jan 15 - $???] Unrestricted File Upload Lead to Stored XSS at Microsoft main domain* by Sokol Çavdarbasha

2023:

• [Oct 04 - $???] 2023 Microsoft Office XSS* by adm1nkyj1
• [Jul 31 - $7,500] Knocking on the Front Door (client side desync attack on Azure CDN)* by Jeti
• [Jul 31 - $150,000] How I Hacked Microsoft Teams and got $150,000 in Pwn2Own* by Masato Kinugawa
• [Jun 27 - $???] How I found DOM XSS via postMessage on Bing.com - Microsoft Bug Bounty* by Nam Le
• [Jun 14 - $???] Two XSS Vulnerabilities in Azure with Embedded postMessage IFrames* by Lidor Ben Shitrit
• [Jun 03 - $???] Send email from anyone to any(user outlook Microsoft)* by Abbas.heybati
• [May 04 - $???] Uncovering 3 Azure API Management Vulnerabilities – When Good APIs Go Bad* by Liv Matan
• [Apr 21 - $???] XS-Leak: Deanonymize Microsoft Skype Users by any 3rd-party websites* by Jayateertha Guruprasad
• [Apr 20 - $???] 2 XSS on Microsoft* by Mohammad Nikouei
• [Mar 30 - $???] Super FabriXss: From XSS to an RCE in Azure Service Fabric Explorer by Abusing an Event Tab Cluster Toggle (CVE-2023-23383)* by Lidor Ben Shitrit
• [Mar 29 - $40,000] BingBang: AAD misconfiguration led to Bing.com results manipulation and account takeover* by Hillai Ben-Sasson
• [Mar 23 - $???] Escalating Privileges with Azure Function Apps* by Karl Fosaaen
• [Mar 02 - $???] BlueHat 2023: Catch Me If You Can in the Eyes of Authorization with Cameron Vincent & Sean Hinchee* by Cameron Vincent
• [Feb 22 - $???] How I found DOM-Based XSS on Microsoft MSRC and How they fixed it* by Supakiad S. (m3ez)
• [Feb 18 - $???] Hacking the Search Bar: The Story of Discovering and Reporting an XSS Vulnerability on Bing.com* by Niraj Mahajan
• [Jan 21 - $3,000] Reflected XSS Leads to 3,000$ Bug Bounty Rewards from Microsoft Forms* by Supakiad S. (m3ez)
• [Jan 17 - $???] How Orca Found Server-Side Request Forgery (SSRF) Vulnerabilities in Four Different Azure Services* by Lidor Ben Shitrit

2022:

• [Dec 26 - $???] Stored XSS vulnerability in Microsoft booking* by Mrtechghost
• [Dec 23 - $???] Microsoft bug reports lead to ranking on Microsoft MSRC Quarterly Leaderboard (Q3 2022)* by Supakiad S. (m3ez)
• [Oct 28 - $???] Blind SSRF in Skype (Microsoft)* by Jayateertha Guruprasad
• [Oct 12 - $???] $6000 with Microsoft Hall of Fame | Microsoft Firewall Bypass | CRLF to XSS | Microsoft Bug Bounty* by Neh Patel
• [Sep 08 - $???] New technique 403 bypass lyncdiscover.microsoft.com* by Abbas.heybati
• [Jul 28 - $???] Reading Message from Microsoft’s Private Yammer Group* by Meareg
• [Jul 13 - $6,000] Microsoft Teams — Cross Site Scripting (XSS) Bypass CSP* by numanturle
• [Jun 01 - $20,000] Microsoft Dynamics Container Sandbox RCE via Unauthenticated Docker Remote API 20,000$ Bounty* by Chen Cohen
• [Apr 21 - $???] Microsoft Cloud Security Research – Public Disclosure – Gaining Unlimited access to graph AuditLogs endpoint using complex filters with non-privileged user account* by Joosua Santasalo
• [Mar 18 - $???] Insecure Direct Object Reference Exposes all users of Microsoft Azure Independent Software Vendors* by Meareg
• [Mar 09 - $???] Escalating from Logic App Contributor to Root Owner in Azure* by Josh Magri
• [Mar 07 - $???] AutoWarp: Critical Cross-Account Vulnerability in Microsoft Azure Automation Service* by Yanir Tsarimi
• [Jan 25 - $???] First Valid BUG Finding At Microsoft And I Got the Acknowledgments Page Microsoft* by Aidil Arief

2021:

• [Dec 15 - $???] Improper Authorization could allow access to more than 100,000 Microsoft Dynamics 365 for Partner Users* by Meareg
• [Sep 15 - $???] Microsoft Azure Portal – Persistent Cross-Site Scripting* by Y-Security
• [Sep 13 - $???] Escalating Azure Privileges with the Log Analytics Contributor Role* by Karl Fosaaen
• [Sep 09 - $???] Finding Azurescape – Cross-Account Container Takeover in Azure Container Instances* by Yuval Avrahami
• [Jun 25 - $20,000] How We Are Able To Hack Any Company By Sending Message – $20,000 Bounty [CVE-2021–34506]* by Th3Pr0xyB0y
• [Jun 24 - $???] Microsoft Store free purschase vulnerabilites* by Marlon Fabiano
• [Jun 10 - $???] Active Directory forest trusts part 2 - Trust transitivity and finding a trust bypass* by Dirk-jan Mollema
• [Apr 25 - $???] Reflected XSS on Microsoft* by Choirur Rizal
• [Apr 02 - $50,000] How I Might Have Hacked Any Microsoft Account* by Laxman Muthiyah
• [Feb 15 - $30,000] I Own your Cloud Shell: Taking over “Azure Cloud Shell” Kubernetes Cluster Through Unsecured Kubelet API 30,000$ Bounty* by Chen Cohen
• [Jan 22 - $10,000] $10,000 for automatic email confirmation bug in Microsoft’s Edge browser* by Karan Chaudhary
• [Jan 10 - $2,000] Unauthorized Access to OData Entities + $2K Bounty From Microsoft* by Borna Nematzadeh

2020:

• [Nov 15 - $???] Microsoft Bug Bounty Writeup – Stored XSS Vulnerability* by Pethuraj
• [Jul 05 - $???] Taking Over Files in a chat —IDOR in Microsoft Teams* by Aly Anwar
• [Jul 04 - $???] How I got hall of fame in Microsoft* by Akash basnet
• [Jun 28 - $3,000] Taking over Azure DevOps Accounts with 1 Click* by Sean Yeoh
• [May 27 - $3,000] iOS Outlook Stored XSS Write-Up($3000)* by kminthein
• [May 19 - $???] Reflected XSS on microsoft.com subdomains* by Raimonds Liepins
• [May 14 - $1,000] My Weirdest Bug Bounty — Getting PII from O365.* by Omaid Faizyar
• [May 02 - $???] Reflected XSS on Microsoft.com via Angular Js template injection* by Pratik Dabhi
• [Jan 21 - $???] Cross Site Request Forgery vulnerability Leads to User Profile Change in Microsoft Express Logic* by Adesh Kolte
• [Jan 06 - $???] Saying Goodbye to my Favorite 5 Minute* by Allyson O'Malley

2019:

• [Jul 09 - $???] Discovering an Undisclosed Stack Overflow Vulnerability in Microsoft SQL Server (CVE-2019-1068)* by cem
• [May 09 - $???] Stored XSS on Techprofile Microsoft* by Mohammad Ali Syarief
• [Apr 19 - $???] From http:// domain to res:// domain xss by using IE Adobe’s PDF ActiveX plugin* by heige
• [Apr 14 - $1,000] $1,000 USD, XSS STORED IN OUTLOOK.COM (IOS BROWSERS)* by Omar Espino
• [Feb 06 - $???] Remote Code Execution via Path Traversal in the Device Metadata Authoring Wizard* by Lee Chagolla-Christensen

2018:

• [Oct 12 - $500] Microsoft CSRF Vulnerability* by Adesh Kolte
• [Jul 13 - $???] XSS in Microsoft subdomain* by Sudhanshu Rajbhar
• [May 18 - $???] Xss in Microsoft* by hacker_eth
• [Apr 15 - $1,500] Bypass CSP by Abusing XSS Filter in Edge* by Xiaoyin Liu

2017:

• [Dec 21 - $???] Microsoft SharePoint’s Follow Feature XSS (CVE-2017–8514) -Adesh Kolte* by Adesh Kolte
• [Nov 06 - $???] Get your Microsoft account hijacked by simply clicking connect button -Adesh Kolte* by Adesh Kolte
• [Nov 05 - $???] Non-persistent XSS at Microsoft -Adesh Kolte* by Adesh Kolte
• [Sep 12 - $5,000] Uncovering a Bug I Found in Outlook: How Could an Account Has Been Compromised?* by cem
• [Jun 06 - $???] DOM Based XSS In Microsoft* by Rafay Baloch

2016:

• [Jul 24 - $???] Remote Code Execution (RCE) on Microsoft's 'signout.live.com'* by Peter Adkins
• [Jun 10 - $???] Two vulnerabilities makes an Exploit!! (XSS and CSRF in Bing)* by Sai Krishna Kothapalli
• [May 18 - $???] Microsoft Yammer Clickjacking - Exploiting HTML5 Security Features* by Mohamed A. Baset
• [Apr 03 - $???] Obtaining Login Tokens for an Outlook, Office or Azure Account* by Jack
• [Jan 23 - $???] Broken Access Control in bingmapsportal* by Sai Krishna Kothapalli

2015:

• [Dec 31 - $???] Leaking API keys in Bing Maps Portal* by Sai Krishna Kothapalli