XSS Vulnerabilities in Azure Services Let Attackers Execute Malicious Scripts

Two severe vulnerabilities in Azure services, Azure Bastion and Azure Container Registry—that allow Cross-Site Scripting (XSS) by leveraging a flaw in the postMessage iframe have been discovered.

Cross-site scripting (XSS) is malicious scripts being unintentionally executed by users’ browsers after being injected by a threat actor into a reliable website.

Threat actors may acquire unauthorized access, compromise network systems, or even steal data when that happens.

Orca Security notified the Microsoft Security Response Centre (MSRC) to fix and validate the vulnerabilities; MSRC could reproduce the problems after being made aware of them.

According to reports, both vulnerabilities have been validated and addressed, necessitating no more action from Azure customers.

XSS Attack Flow With Embedded postMessage IFrames

Applications communicate messages from one window to another using postMessages. PostMessages have many security implications, too, and if they’re not done properly, they might constitute a significant security risk.

“The postMessage iframe vulnerability that we discovered in Azure Bastion and the Azure Container Registry allowed attackers to embed endpoints within remote servers using the iframe tag,” researchers said.

The cyber security team learned that by using this flaw in conjunction with improper postMessage origin validation, attackers might have possibly compromised sensitive data by executing malicious javascript code.

Additionally, a threat actor would need to undertake reconnaissance on several Azure services to identify vulnerable endpoints embedded inside the Azure portal that could be missing X-Frame-Options headers or have poor Content Security Policies (CSPs).

Azure XSS Attack Flow

The adversary might then create the necessary payloads by embedding the weak iframe in an actor-controlled server (like ngrok) and developing a postMessage handler that sends the malicious payload after analyzing the valid postMessages delivered to the iframe from portal.azure[.]com.

“As the victim accesses the page, the malicious postMessage payload is delivered to the embedded iframe, triggering the XSS vulnerability and executing the attacker’s code within the victim’s context,” researchers said.

Major consequences may result from this, such as unauthorized access to data, loss of administrative rights, data theft, unauthorized modifications, or interruption of Azure services.

The Azure Bastion Topology View SVG exporter or the Azure Container Registry Quick Start were found to be vulnerable to manipulation by a specifically constructed postMessage in a proof-of-concept (PoC) presented by Orca. This allowed the payload of an XSS to be executed.

Looking For an All-in-One Multi-OS Patch Management Platform – 

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.