Ebook

Who Stole My Cookies? XSS Vulnerability in Microsoft Azure Functions

12 pages

Pentera Labs discovered a reflected XSS vulnerability in Microsoft Azure Functions, caused by unsanitized handling of the “url” parameter in requests to functions.azure.com. By embedding HTML in that parameter, the researchers were able to execute JavaScript within the Azure domain; switching the request's content type to x-www-form-urlencoded let them get around the same-origin policy (SOP) restrictions that would otherwise have blocked the request. This enabled full XSS exploitation, including phishing scenarios in which a fake login form could be displayed under Microsoft’s own domain, and it demonstrated how an attacker could steal cookies or credentials. Microsoft patched the issue in Q1 2022, underscoring the need for strict input validation in cloud services.