Organizations are adopting digitization and new platforms for technological advancement, with the aim of keeping abreast of industry changes and new solutions. This phase is not only helping organizations; it has adverse effects as well. Such platforms put the security of servers, data and other channels at risk, making them easy targets for hackers.
To protect the organization from any kind of cyber-attack, companies buy and migrate to the various available security tools and believe their systems are then completely secured and protected. But before adopting such solutions, we need to analyse the vulnerabilities of these tools and platforms, so as not to become a victim of a cyber-attack. Even security solution providers keep an eye on their own security products and run continuous testing to analyse how effective the product is in different scenarios.
With the aim of protecting organizations and their products, Microsoft Online Services runs a program called the Microsoft Bug Bounty. It is an online program where organizations can submit their web URLs to be tested for vulnerabilities.
The ultimate goal is to secure Microsoft online services and various other Microsoft-based products. By running this kind of bug bounty program, the organization is able to reduce cyber-attacks across the globe with minimal investment.
We proudly announce that Mr Krishnaraja Karuppusamy, Application Security Engineer at MicroGenesis, not only participated in the program but also successfully found security bugs. The Microsoft Security Response Center (MSRC) has therefore recognized Krishnaraja as a security researcher who has helped make Microsoft online services safer by finding and reporting security vulnerabilities.
Explaining his research findings, Krishnaraja described: “I decided to test subdomains of Microsoft, and I started my research with enumeration of subdomains. Then one of the subdomains got my attention, after which I stepped into reconnaissance (information gathering). During my reconnaissance I found a hidden directory of the subdomain. Then I played with the requests and responses of that subdomain using Burp Proxy. Finally I was able to identify an information disclosure vulnerability. This vulnerability disclosed an internal path of the Microsoft system. One more subdomain got my attention, which was running the WordPress CMS. The first keynote is enumeration, so I enumerated the version of WordPress, hidden directories and open ports, but there were no known vulnerabilities. Then I played with the hidden directories using Burp Proxy. Finally I found a REST API endpoint which was exposing all admin usernames of WordPress.” Responding to the question of whether any specific qualification is required for such testing, Krishnaraja said: “Anyone who is able to identify vulnerabilities can participate in the program, but you need to be really strong in web application security testing.”
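The second finding described above, a REST API endpoint listing WordPress usernames, is the stock behaviour of the core `/wp/v2/users` route, which answers unauthenticated requests with the accounts that have published content. The following must-use plugin is an added example written for this article, not code from MicroGenesis, Microsoft or the WordPress project; it closes that route to anyone lacking the `list_users` capability while leaving `/wp/v2/users/me` available to logged-in users. The hook names and functions (`rest_pre_dispatch`, `current_user_can`, `rest_authorization_required_code`, `WP_REST_Request::get_route`) are real WordPress core APIs; the plugin name and file location are assumptions.

```php
<?php
/**
 * Plugin Name: Restrict REST user listing (added example)
 * Description: Requires the list_users capability for the core /wp/v2/users routes.
 *
 * Drop this file into wp-content/mu-plugins/ (assumed location) so it loads
 * before any theme or plugin code runs.
 */

// Short-circuit dispatch of user routes for callers who may not list users.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    // Another filter has already produced a response or error; leave it alone.
    if ( null !== $result ) {
        return $result;
    }

    $route = $request->get_route();

    // Only the users collection and single-user routes are affected.
    // /wp/v2/users/me stays reachable so the block editor and profile
    // screens keep working for authenticated users.
    if ( ! preg_match( '#^/wp/v2/users(?:/|$)#', $route ) || '/wp/v2/users/me' === $route ) {
        return $result;
    }

    // list_users is the capability WordPress itself checks on the Users admin
    // screen; administrators have it, subscribers and anonymous visitors do not.
    if ( current_user_can( 'list_users' ) ) {
        return $result;
    }

    // 401 for anonymous callers, 403 for logged-in users without the capability.
    return new WP_Error(
        'rest_forbidden',
        __( 'Sorry, you are not allowed to list users.' ),
        array( 'status' => rest_authorization_required_code() )
    );
}, 10, 3 );
```

After activating it, an anonymous `GET /wp-json/wp/v2/users` returns a 401 JSON error instead of the account list, which is the check to run against a staging copy before trusting the change. Usernames also leak through other core features, notably the `?author=N` redirect to author archives and the `author` field of post responses, so treat this filter as one layer and pair it with strong passwords and multi-factor authentication on the accounts it hides.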
MicroGenesis has always been proud of its skilled resources, who are our USP. Our experts are always prepared to help our customers troubleshoot most of their technical challenges. If this vulnerability were exploited or misused by an attacker, it could help them expand the attack surface.
We congratulate Krishnaraja on his achievement and on saving many organizations from such dreadful cyber-attacks.
Meet Krishna Raja, Application Security Engineer, MicroGenesis