XSS Bug in Microsoft.com Payments Page – Microsoft Hall of Fame

I recently found an XSS bug in the Microsoft payments page. Initially I thought it was only a simple URL redirection bug and reported it as such. Then I realized that it is an XSS bug.
Below is the URL.

https://controls.cp.microsoft.com/PaymentInstrument/pcssuccess?auth=true&origin=XXXXXXX&piid=abcd

Unfortunately, this URL is not part of the Microsoft bug bounty program. But they listed my name on the Microsoft Hall of Fame security researchers page for March.

Microsoft Hall of Fame

I reported the bug on March 12th and it was fixed on April 4th, 2016. The video below explains more about the bug.

About Author

I am a developer and I maintain the site https://hayageek.com. The best software developers are those who can think like both a developer and a user.
All posts by Ravishanker Kusuma