Microsoft have launched a new bounty program targeting to the Azure DevOps. A new program is always easier for bug hunting. Let’s go for it!
Our target is https://dev.azure.com , which is a git web server implemented by Microsoft. I found a XSS bug in the markdown editor.
When creating a pull request, people can add some comments using markdown. Some feature is not well escaped by the markdown render, which leads to XSS.