Microsoft Azure has a serious vulnerability that could be used to execute cross-site scripting attacks
Two critical security vulnerabilities have been disclosed in Microsoft Azure Bastion and Azure Container Registry that could be exploited to execute cross-site scripting (XSS) attacks.
Orca security researcher Lidor Ben Shitrit said in a report that the vulnerabilities allow unauthorized access to a victim's session in an infected Azure service iframe, leading to unauthorized data access, unauthorized modification and outages of the Azure service iframe.
XSS attacks occur when an attacker injects arbitrary code into an otherwise trusted website, which is executed each time an unsuspecting user visits the site.
The two flaws discovered by Orca exploit a weakness in the postMessage iframe, the mechanism that enables cross-domain communication between Window objects. This means that the vulnerability could be abused to embed an endpoint into a remote server using an iframe tag and eventually execute malicious JavaScript code that could lead to the destruction of sensitive data.
To exploit these weaknesses, an attacker would have to scout different Azure services to find vulnerable endpoints that may lack the X-Frame-Options header or have a weak Content Security Policy (CSP).
Once attackers successfully embed iframes into remote servers, they continue to exploit misconfigured endpoints, Ben Shitrit explained. Attackers focus on postMessage handlers that process remote events such as postMessages.
As a result, when a victim is lured into accessing an infected endpoint, the malicious postMessage payload is delivered to the embedded iframe, triggering an XSS vulnerability and executing the attacker's code in the victim's context.
In a proof of concept (PoC) demonstrated by Orca, a specially crafted postMessage was found to be able to manipulate the Azure Bastion Topology View SVG exporter or Azure Container Registry Quick Start to execute an XSS payload. Following the disclosure of these vulnerabilities on April 13, 2023 and May 3, 2023, Microsoft has released security fixes to remediate these vulnerabilities.
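The two conditions described above, an endpoint that any site can frame and a postMessage handler that trusts what it receives, can both be checked in code. The following is an added example, not code from Orca or Microsoft; the function names, the allowed origin and the message shape are hypothetical.

```javascript
// Added example: names, origins and message shape are constructed.
const ALLOWED_ORIGINS = new Set(["https://portal.example.com"]); // assumed parent

// True when the response headers let any site embed the page in an iframe:
// no X-Frame-Options and no restrictive CSP frame-ancestors directive.
function isFramableByAnyone(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY" || xfo === "SAMEORIGIN") return false;
  const csp = h["content-security-policy"] || "";
  for (const directive of csp.split(";")) {
    const parts = directive.trim().split(/\s+/);
    if (parts[0].toLowerCase() !== "frame-ancestors") continue;
    // Wildcard or scheme-only sources still allow framing from anywhere.
    return parts.slice(1).some((s) => ["*", "https:", "http:"].includes(s));
  }
  return true; // neither header restricts framing
}

// Hardened handler: exact origin match, strict message schema,
// and a text-only sink so received markup is never parsed as HTML.
function handleMessage(event, sink) {
  if (!ALLOWED_ORIGINS.has(event.origin)) return false; // unknown sender
  const msg = event.data;
  if (typeof msg !== "object" || msg === null) return false;
  if (msg.type !== "setLabel" || typeof msg.label !== "string") return false;
  if (msg.label.length > 200) return false;
  sink.textContent = msg.label; // in a browser: element.textContent
  return true;
}

// Browser wiring (not run here):
// window.addEventListener("message",
//   (e) => handleMessage(e, document.getElementById("label")));
```

The header check reads a single Content-Security-Policy value; a response carrying several CSP headers needs each one evaluated.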