XSS Vulnerabilities in Azure Services Let Attackers Execute Malicious Scripts

Two severe vulnerabilities have been discovered in Azure services, one in Azure Bastion and one in Azure Container Registry, that allow Cross-Site Scripting (XSS) by abusing a flaw in how embedded iframes handle postMessage communication.

Cross-site scripting (XSS) occurs when a threat actor injects malicious scripts into a trusted website so that they are unintentionally executed by users' browsers.

When that happens, threat actors may gain unauthorized access, compromise connected systems, or steal data.

Orca Security reported the vulnerabilities to the Microsoft Security Response Center (MSRC), which was able to reproduce the issues once made aware of them.

Both vulnerabilities have reportedly been validated and fixed, so no further action is required from Azure customers.

XSS Attack Flow With Embedded postMessage IFrames

Applications use the window.postMessage API to pass messages from one browsing context (window or iframe) to another. postMessage carries real security implications: if the receiving side does not validate the sender's origin and the message contents, it can become a significant security risk.

“The postMessage iframe vulnerability that we discovered in Azure Bastion and the Azure Container Registry allowed attackers to embed endpoints within remote servers using the iframe tag,” researchers said.

The researchers found that, combined with missing or improper postMessage origin validation in the embedded endpoint's message handler, this flaw could have let an attacker execute malicious JavaScript in the victim's session and compromise sensitive data.

To exploit it, a threat actor would first need to perform reconnaissance across several Azure services to identify endpoints embedded inside the Azure portal that lack X-Frame-Options headers or ship with weak Content Security Policies (CSPs), since only those endpoints can be loaded in an iframe from an attacker-controlled page.
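As an added illustration of the reconnaissance step above (this is not Orca's tooling and is not code from the original article), the following Node.js script decides from an endpoint's response headers whether an attacker-controlled origin could frame it. The header sets are constructed samples, the attacker origin is a placeholder, and CSP source matching is simplified as noted in the comments.

```javascript
// Added example, not Orca's reconnaissance tooling: given an endpoint's response
// headers, decide whether an attacker-controlled origin could load it in an iframe.
// Header names are lowercase, as Node's http module returns them. Assumes the
// attacker's origin differs from the endpoint's own origin.

// Return the source list of the frame-ancestors directive, or null if absent.
function frameAncestors(cspValue) {
  for (const directive of cspValue.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

// Simplified CSP source matching: 'none', '*', scheme-only sources and exact
// origins. Host wildcards such as https://*.example.com are treated as
// non-matching here (simplification made for this demo).
function sourceListAllows(sources, attackerOrigin) {
  const origin = attackerOrigin.toLowerCase();
  const scheme = origin.split(':')[0] + ':';
  if (sources.includes("'none'")) return false;
  if (sources.includes('*') || sources.includes(scheme)) return true;
  return sources.includes(origin);
}

function framingVerdict(headers, attackerOrigin) {
  const csp = headers['content-security-policy'];
  if (typeof csp === 'string') {
    const sources = frameAncestors(csp);
    if (sources !== null) {
      // When frame-ancestors is present, browsers ignore X-Frame-Options entirely.
      return sourceListAllows(sources, attackerOrigin)
        ? 'frameable: frame-ancestors permits ' + attackerOrigin
        : 'blocked: frame-ancestors does not include ' + attackerOrigin;
    }
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return 'blocked: X-Frame-Options DENY';
  if (xfo === 'SAMEORIGIN') return 'blocked: X-Frame-Options SAMEORIGIN';
  if (xfo.startsWith('ALLOW-FROM')) {
    // Obsolete directive: current browsers ignore the whole header when they see it.
    return 'frameable: X-Frame-Options ALLOW-FROM is obsolete and ignored by current browsers';
  }
  return 'frameable: no X-Frame-Options and no frame-ancestors';
}

// Constructed header sets an engineer might see while surveying embedded endpoints.
const SAMPLE_RESPONSES = {
  unprotected: {},
  denyOnly: { 'x-frame-options': 'DENY' },
  portalOnly: {
    'content-security-policy': "default-src 'self'; frame-ancestors 'self' https://portal.azure.com",
  },
  cspWildcard: { 'x-frame-options': 'DENY', 'content-security-policy': 'frame-ancestors *' },
  legacyAllowFrom: { 'x-frame-options': 'ALLOW-FROM https://portal.azure.com' },
};

// Run every sample through the verdict function for a given attacker origin.
function survey(attackerOrigin) {
  const out = {};
  for (const [name, headers] of Object.entries(SAMPLE_RESPONSES)) {
    out[name] = framingVerdict(headers, attackerOrigin);
  }
  return out;
}

console.log(survey('https://attacker.example'));
```

The cspWildcard sample is the case worth remembering: a DENY header does not help once a frame-ancestors directive is present, because the CSP directive takes precedence, and a permissive one reopens the endpoint to framing.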

(Figure: Azure XSS attack flow)

The adversary would then build the necessary payloads by embedding the vulnerable endpoint in an iframe on an attacker-controlled page (hosted, for example, behind ngrok), analyzing the legitimate postMessages normally delivered to that iframe from[.]com, and writing a postMessage handler that sends a crafted message carrying the malicious payload.

“As the victim accesses the page, the malicious postMessage payload is delivered to the embedded iframe, triggering the XSS vulnerability and executing the attacker’s code within the victim’s context,” researchers said.
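The postMessage weakness described above and the attack flow in the preceding paragraphs, as an added example that is not Orca's proof-of-concept and not code from the article: a message listener that trusts any sender and writes message data into HTML, next to a hardened listener that allowlists the sender origin, validates the message shape and encodes before inserting. The allowed origin, the sink, the target URL and the message fields are placeholders chosen for the demo; events are constructed objects so the handlers run under Node without a browser.

```javascript
// Constructed example, not Orca's PoC. The only origin assumed to legitimately
// embed the endpoint is the Azure portal (an assumption made for this demo).
const ALLOWED_ORIGINS = new Set(['https://portal.azure.com']);

// Stand-in for a DOM element so the handlers run under Node; in a real page
// this would be element.innerHTML.
function makeSink() {
  return { html: '' };
}

function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the listener never checks event.origin and writes a
// field of the message straight into an HTML sink.
function vulnerableHandler(event, sink) {
  const msg = JSON.parse(event.data);
  sink.html = `<div class="topology-title">${msg.title}</div>`;
  return true; // message accepted
}

// Hardened pattern: allowlist the sender's origin, validate the message shape,
// and encode before inserting into HTML (encoding also covers the case where
// an allowlisted sender is itself compromised).
function hardenedHandler(event, sink) {
  if (!ALLOWED_ORIGINS.has(event.origin)) {
    return false; // drop messages from any other window
  }
  let msg;
  try {
    msg = JSON.parse(event.data);
  } catch {
    return false;
  }
  if (!msg || typeof msg.title !== 'string') {
    return false;
  }
  sink.html = `<div class="topology-title">${escapeHtml(msg.title)}</div>`;
  return true;
}

// What the attacker-controlled page would contain: the vulnerable endpoint in an
// iframe, and a script that posts the crafted message once the frame has loaded.
// targetUrl is a placeholder, not a real Azure endpoint.
function buildAttackerPage(targetUrl, payload) {
  const message = JSON.stringify({ title: payload });
  return [
    '<iframe id="t" src="' + escapeHtml(targetUrl) + '"></iframe>',
    '<script>',
    "document.getElementById('t').addEventListener('load', function () {",
    '  this.contentWindow.postMessage(' + JSON.stringify(message) + ", '*');",
    '});',
    '</script>',
  ].join('\n');
}

// Constructed events: what the listener sees when the attacker's page posts to
// the frame (event.origin is the attacker's), and a legitimate portal message.
const ATTACKER_EVENT = {
  origin: 'https://attacker.example.ngrok.app',
  data: JSON.stringify({ title: '<img src=x onerror="alert(document.domain)">' }),
};
const PORTAL_EVENT = {
  origin: 'https://portal.azure.com',
  data: JSON.stringify({ title: 'Bastion topology' }),
};

function demo() {
  const vulnSink = makeSink();
  const hardSink = makeSink();
  return {
    vulnAccepted: vulnerableHandler(ATTACKER_EVENT, vulnSink),
    vulnHtml: vulnSink.html,
    hardRejected: !hardenedHandler(ATTACKER_EVENT, hardSink),
    hardAcceptedPortal: hardenedHandler(PORTAL_EVENT, hardSink),
    hardHtml: hardSink.html,
  };
}

console.log(demo());
console.log(buildAttackerPage('https://target.example/embedded-view', 'x'));
```

The origin check alone stops the flow in the article, because the crafted message arrives with the attacker page's origin; the encoding step is what keeps a later bug in an allowlisted sender from turning into the same XSS.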

The consequences could be serious: unauthorized access to data, loss of administrative control, data theft, unauthorized modifications, or disruption of Azure services.

In Orca's proof-of-concept (PoC), both the Azure Bastion Topology View SVG exporter and the Azure Container Registry Quick Start could be manipulated by a specially crafted postMessage, causing an XSS payload to execute.

Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.
