SSD Advisory – Skype For Business XSS

Vulnerability Summary
The following advisory describes an XSS vulnerability found in Skype for Business.
Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
Vendor response
The vendor has released patches to address this vulnerability and has only provided these details in response to our query on the status: “implemented some changes in the latest version to sanitize HTML input”

Vulnerability Details
One of the features of Skype for Business is the ability to send HTML code via chat; Skype for Business will then render that HTML in the recipient's chat window.
The vulnerability allows an attacker to send malicious HTML code that is rendered as sent; once the victim clicks on the rendered picture, they are redirected to a website of the attacker's choice.
Proof of Concept
You can use the following steps to recreate the vulnerability:
1. Copy and run the following message in “jsfiddle.net”:

<xht:acronym style="font:7604% serif; font-family:roman; background-color:#FF0000;"><a href="//evil.com">X</a></xht:acronym>

2. Copy the rendered HTML output (see screenshot jsfiddle.jpg)

3. Paste directly into the chat window of the victim, press enter.
4. The HTML code submitted has been executed correctly.
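As an added example, not code from the advisory or from the vendor, the allowlist sanitizer below (Python, standard library only) shows the kind of "sanitize HTML input" fix the vendor describes: it rebuilds each message from parsed tokens, keeps only harmless formatting tags, discards every attribute and every other tag, and re-escapes all text. The tag allowlist, the class and function names, and the use of the PoC payload above as sample input are assumptions made here.

```python
from html import escape
from html.parser import HTMLParser

# Allowlist of harmless formatting tags. Every attribute is dropped, and any other
# tag (including namespaced ones such as "xht:acronym") is removed entirely.
ALLOWED_TAGS = {"b", "i", "u", "em", "strong", "p", "br"}
VOID_TAGS = {"br"}

class ChatHtmlSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []         # sanitized fragments, joined at the end
        self.open_stack = []  # allowlisted tags still open, to keep output well-formed
        self.dropped = []     # (tag, attrs) that were refused; useful for logging

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            if attrs:                  # e.g. onclick="..." on <b> is refused
                self.dropped.append((tag, attrs))
            self.out.append(f"<{tag}>")
            if tag not in VOID_TAGS:
                self.open_stack.append(tag)
        else:                          # <a href>, <script>, <xht:acronym>, ...
            self.dropped.append((tag, attrs))

    def handle_endtag(self, tag):
        if tag in self.open_stack:
            while self.open_stack:     # close nested tags down to the matching one
                top = self.open_stack.pop()
                self.out.append(f"</{top}>")
                if top == tag:
                    break

    def handle_data(self, data):
        self.out.append(escape(data, quote=True))  # text can never become markup

    def close(self):
        super().close()
        while self.open_stack:         # close tags the sender left open
            self.out.append(f"</{self.open_stack.pop()}>")

def sanitize_chat_html(message):
    """Return (sanitized_html, dropped) for one inbound chat message."""
    parser = ChatHtmlSanitizer()
    parser.feed(message)
    parser.close()
    return "".join(parser.out), parser.dropped

# Constructed sample input: the advisory's proof-of-concept payload.
POC_MESSAGE = ('<xht:acronym style="font:7604% serif; font-family:roman; '
               'background-color:#FF0000;"><a href="//evil.com">X</a></xht:acronym>')
```

Running `sanitize_chat_html(POC_MESSAGE)` reduces the payload to the bare text `X`, and the `dropped` list records the `xht:acronym` and `a` tags so a client or gateway can log the rejected markup.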
