Microsoft 365 is used by over a million companies and billions of users worldwide. According to Microsoft, Office 365, i.e., "the world's productivity cloud", is a security-hardened service that follows the Microsoft Security Development Lifecycle. In this presentation, I will share the stories of my journey towards 365 valid bugs in applications under the Microsoft Office 365 umbrella. The talk will highlight the lessons learned during Office 365 bug hunting. The bounty-award-winning bugs that will be discussed during the presentation are:
– Cross-tenant privacy leak in Office 365
– All your Power Apps Portals are belong to us
– SQLi, CSRF(s) and SSRF in Dynamics 365
– Privilege Escalation issues in SharePoint Online
– Dozens of XSS(es) in Outlook
– Some rate-limiting issues
In addition, the talk reveals XSS issues in the Microsoft 365 Admin Centre, OneDrive, Word, Excel, PowerPoint, OneNote, Yammer, Microsoft Forms, Kaizala, Dynamics 365, SharePoint Online, Stream, Video 365, Azure, and the Security & Compliance services of Office 365.
Last but not least, we will share tips and tricks on how to stay ahead of the curve in testing the new and upcoming features of Office 365.
Ashar Javed is a security engineer at Hyundai AutoEver Europe GmbH with over 5 years of experience. Before that, he spent three years as a security researcher at Ruhr-Universität Bochum, Germany. Ashar holds a PhD from Ruhr-Universität Bochum and an MSc from Technische Universität Hamburg-Harburg, Germany. His research interests include web application vulnerabilities and in particular Cross-Site Scripting.
Ashar has delivered talks at major security events such as Black Hat Europe 2014, HITB KL 2013, OWASP Spain (2014, 2015 & 2016), SAP Product Security Conference 2015, International PHP Conference 2015, ISACA Ireland 2014, RSA Europe (OWASP Seminar) 2013, DeepSec, Austria (2013, 2014, 2015 and 2018), and GISEC, Dubai 2016. In his free time, he likes to participate in bug bounty programs. Microsoft recognised Ashar as the No. 1 security researcher in the Microsoft Security Response Center (#MSRC) Top 100 security researchers list of 2018, and he took the No. 4 spot in the 2019 and 2020 Most Valuable Security Researcher lists. He blogs at "Respect XSS" and tweets at @soaj1664ashar.